Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added check to handle token parsing with claims without "sub". #3287

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Added check to handle token parsing with claims without "sub". #3287

wants to merge 2 commits into from
+32 −10

Conversation

wassafshahzad
Copy link

Description

In the oidc_introspection.py func (filter *oidcIntrospectionFilter) Request(ctx filters.FilterContext) function get value form the Claim map using sub key and then casts the value into a string, but this would panic if no sub key is present. I added a check to ensure we only cast values if sub key is present.

Linked Issue

closes #3216

Approach to solution

As describe in the following comment, I dug a bit deeper and found 2 suitable values to use if subject is not present in token. One is the Subject value in tokenContainer struct or UserInfo Struct. I decided to go with the tokenContainer struct. If this is not correct please do guide me if UserInfo Struct would be better.

@wassafshahzad wassafshahzad force-pushed the fix/claim-parsing-oidc-introspection branch from 03721d1 to c7467c4 Compare October 26, 2024 11:58
@MustafaSaber MustafaSaber added the bugfix Bug fixes and patches label Oct 28, 2024
@szuecs
Copy link
Member

szuecs commented Oct 29, 2024

Can you please add a test case?
Thanks 🙏🏽

@wassafshahzad
Copy link
Author

wassafshahzad commented Nov 3, 2024
edited
Loading

Can you please add a test case? Thanks 🙏🏽

Could you give me some pointers, I have been looking into multiple filter tests and oidc_intorspection_tests but cant wrap my head around on how to test it.

@MustafaSaber
Copy link
Member

hi @wassafshahzad, thanks for your contribution! You can check

skipper/filters/auth/oidc_test.go

Line 224 in 8e6c365

claims := jwt.MapClaims{

&

skipper/filters/auth/oidc_introspection_test.go

Line 295 in 8e6c365

oidcServer := createOIDCServer(proxy.URL+"/redirect", validClient, "mysec", jwt.MapClaims{"groups": []string{"CD-Administrators", "Purchasing-Department", "AppX-Test-Users", "white space"}})

This server creates the token with those claims, I would try to find a way to override those claims and create another testcase where I create the server with the override and this case we expect the fail before the fix and succeed after.

The test case should fail or succeed after triggering

skipper/filters/auth/oidc_introspection_test.go

Line 355 in 8e6c365

resp, err := client.Do(req)

@wassafshahzad
Copy link
Author

hi @wassafshahzad, thanks for your contribution! You can check

skipper/filters/auth/oidc_test.go

Line 224 in 8e6c365

claims := jwt.MapClaims{

&

skipper/filters/auth/oidc_introspection_test.go

Line 295 in 8e6c365

oidcServer := createOIDCServer(proxy.URL+"/redirect", validClient, "mysec", jwt.MapClaims{"groups": []string{"CD-Administrators", "Purchasing-Department", "AppX-Test-Users", "white space"}})

This server creates the token with those claims, I would try to find a way to override those claims and create another testcase where I create the server with the override and this case we expect the fail before the fix and succeed after.

The test case should fail or succeed after triggering

skipper/filters/auth/oidc_introspection_test.go

Line 355 in 8e6c365

resp, err := client.Do(req)

Thank you and on it

@wassafshahzad
Added check to ensure 'sub' is present in claim before parsing and us…
628aae3 
…e token subjact if sub is not present in claims

Signed-off-by: wassafshahzad <wassafshahzad@gmail.com>
@wassafshahzad
Fixes issue with sub in token claims
3cfb9fa 
Signed-off-by: wassafshahzad <wassafshahzad@gmail.com>
@wassafshahzad wassafshahzad force-pushed the fix/claim-parsing-oidc-introspection branch from 2f71fb9 to 3cfb9fa Compare November 18, 2024 02:10
@wassafshahzad
Copy link
Author

@MustafaSaber Sorry for the delay, I had a bit of a tough time resolving this issue. I tried using token.Subject and token.UserInfo.Subject in case sub was missing but this would still cause authentication issues. I still need help to identify the right key as I am not as familiar with the repo yet.

However I stumbled on to this piece of code from the jwt_validation file and decided to use it since we already have it for validation and thought consistency would be the right way to go.

@MustafaSaber
Copy link
Member

Thanks for the update! We will review when we have time, we can't merge in the next couple of days also.

@wassafshahzad
Copy link
Author

Thanks for the update! We will review when we have time, we can't merge in the next couple of days also.

No issue, Can I pick another issue ?

@MustafaSaber
Copy link
Member

ofc feel free to pick one of the issues 😄

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@wassafshahzad wassafshahzad

Labels
bugfix Bug fixes and patches do-not-merge
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

oidcclaimquery: better error handling for casting
3 participants
@wassafshahzad @szuecs @MustafaSaber