From f89c200ce900611ecace8be3b0885a623b8e1ca6 Mon Sep 17 00:00:00 2001 From: pascal-fischer <32096965+pascal-fischer@users.noreply.github.com> Date: Fri, 1 Sep 2023 18:09:59 +0200 Subject: [PATCH] Fix api Auth with PAT when a custom UserIDClaim is configured in management.json (#1120) The API authentication with PATs was not considering different userIDClaim that some of the IdPs are using. In this PR we read the userIDClaim from the config file instead of using the fixed default and only keep it as a fallback if none in defined. --- management/server/http/handler.go | 3 ++- .../server/http/middleware/auth_middleware.go | 9 +++++++-- .../http/middleware/auth_middleware_test.go | 19 ++++++++++--------- 3 files changed, 19 insertions(+), 12 deletions(-) diff --git a/management/server/http/handler.go b/management/server/http/handler.go index c99b9b51f..6e9b029c7 100644 --- a/management/server/http/handler.go +++ b/management/server/http/handler.go @@ -36,7 +36,8 @@ func APIHandler(accountManager s.AccountManager, jwtValidator jwtclaims.JWTValid accountManager.GetAccountFromPAT, jwtValidator.ValidateAndParse, accountManager.MarkPATUsed, - authCfg.Audience) + authCfg.Audience, + authCfg.UserIDClaim) corsMiddleware := cors.AllowAll() diff --git a/management/server/http/middleware/auth_middleware.go b/management/server/http/middleware/auth_middleware.go index 898ad0875..710723124 100644 --- a/management/server/http/middleware/auth_middleware.go +++ b/management/server/http/middleware/auth_middleware.go @@ -32,6 +32,7 @@ type AuthMiddleware struct { validateAndParseToken ValidateAndParseTokenFunc markPATUsed MarkPATUsedFunc audience string + userIDClaim string } const ( @@ -39,12 +40,16 @@ const ( ) // NewAuthMiddleware instance constructor -func NewAuthMiddleware(getAccountFromPAT GetAccountFromPATFunc, validateAndParseToken ValidateAndParseTokenFunc, markPATUsed MarkPATUsedFunc, audience string) *AuthMiddleware { +func NewAuthMiddleware(getAccountFromPAT GetAccountFromPATFunc, validateAndParseToken ValidateAndParseTokenFunc, markPATUsed MarkPATUsedFunc, audience string, userIdClaim string) *AuthMiddleware { + if userIdClaim == "" { + userIdClaim = jwtclaims.UserIDClaim + } return &AuthMiddleware{ getAccountFromPAT: getAccountFromPAT, validateAndParseToken: validateAndParseToken, markPATUsed: markPATUsed, audience: audience, + userIDClaim: userIdClaim, } } @@ -127,7 +132,7 @@ func (m *AuthMiddleware) CheckPATFromRequest(w http.ResponseWriter, r *http.Requ } claimMaps := jwt.MapClaims{} - claimMaps[jwtclaims.UserIDClaim] = user.Id + claimMaps[m.userIDClaim] = user.Id claimMaps[m.audience+jwtclaims.AccountIDSuffix] = account.Id claimMaps[m.audience+jwtclaims.DomainIDSuffix] = account.Domain claimMaps[m.audience+jwtclaims.DomainCategorySuffix] = account.DomainCategory diff --git a/management/server/http/middleware/auth_middleware_test.go b/management/server/http/middleware/auth_middleware_test.go index b041b12d5..8c8c941b0 100644 --- a/management/server/http/middleware/auth_middleware_test.go +++ b/management/server/http/middleware/auth_middleware_test.go @@ -13,14 +13,15 @@ import ( ) const ( - audience = "audience" - accountID = "accountID" - domain = "domain" - userID = "userID" - tokenID = "tokenID" - PAT = "PAT" - JWT = "JWT" - wrongToken = "wrongToken" + audience = "audience" + userIDClaim = "userIDClaim" + accountID = "accountID" + domain = "domain" + userID = "userID" + tokenID = "tokenID" + PAT = "PAT" + JWT = "JWT" + wrongToken = "wrongToken" ) var testAccount = &server.Account{ @@ -102,7 +103,7 @@ func TestAuthMiddleware_Handler(t *testing.T) { // do nothing }) - authMiddleware := NewAuthMiddleware(mockGetAccountFromPAT, mockValidateAndParseToken, mockMarkPATUsed, audience) + authMiddleware := NewAuthMiddleware(mockGetAccountFromPAT, mockValidateAndParseToken, mockMarkPATUsed, audience, userIDClaim) handlerToTest := authMiddleware.Handler(nextHandler)