
[Bug]: Unable to use hyphen in JSON path for oidc-groups-claim option #2618

Open
rd-danny-fleer opened this issue Apr 26, 2024 · 0 comments · May be fixed by #2619


rd-danny-fleer commented Apr 26, 2024

OAuth2-Proxy Version

7.6.0

Provider

oidc

Expected Behaviour

Assume that the following ID token is received by oauth2-proxy:

```json
{
	"resource_access": {
		"my-oidc-client": {
			"roles": [
				"admins"
			]
		}
	}
}
```

When the oidc-groups-claim option is set to the value resource_access.my-oidc-client.roles and allowed-groups is set to admins, authentication should be successful.

Current Behaviour

With the setup described in expected behaviour, oauth2-proxy always redirects to 403 Forbidden.

Steps To Reproduce

  1. Set oidc-groups-claim to a value that (a) contains at least one period and (b) at least one hyphen, for example resource_access.my-oidc-client.roles
  2. Make sure allowed-groups is set to a value that is contained in the claim you defined in step (1)
  3. Open a URL that is configured to use oauth2-proxy for authentication.
  4. After the identity provider redirects you back to oauth2-proxy, you will see the 403 Forbidden page.

Possible Solutions

I assume that this bug was introduced as part of #1921.
The value of oidc-groups-claim must meet at least these conditions to fail authentication:
(a) It must be a JSON path with more than one level (i.e. it must contain a period)
(b) It must contain a hyphen (There might be more characters I am not aware of)

If the mentioned conditions are met, the call to jp.ParseString in

```go
_, err := jp.ParseString(claim)
```

returns an error. As a result the claims string is interpreted as a literal string and not as a JSON path anymore.
Currently, the workaround is not to use hyphens when you have a JSON path with more than one level.

I will try to implement a fix and submit a PR.

Configuration details or additional information

No response
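An added example, not oauth2-proxy's own code (which uses the jp JSONPath parser quoted above): a plain dot-separated claim lookup built on the Go standard library that treats every segment as a literal object key, so the hyphenated key from the issue resolves, and a path that does not exist surfaces as an error instead of being silently reinterpreted as a single top-level claim name. The claims payload and function names are constructed for this example and mirror the issue's token.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// SampleClaims is a constructed ID-token payload shaped like the issue's example.
const SampleClaims = `{"resource_access":{"my-oidc-client":{"roles":["admins"]}}}`

// ResolveClaimPath walks a dot-separated path through decoded claims. Each
// segment is a literal object key, so "my-oidc-client" resolves; a missing
// key is an error rather than a silent fallback to a literal claim name.
func ResolveClaimPath(claims map[string]interface{}, path string) (interface{}, error) {
	var cur interface{} = claims
	for _, seg := range strings.Split(path, ".") {
		obj, ok := cur.(map[string]interface{})
		if !ok {
			return nil, fmt.Errorf("path %q: %q is not an object", path, seg)
		}
		if cur, ok = obj[seg]; !ok {
			return nil, fmt.Errorf("path %q: key %q not found", path, seg)
		}
	}
	return cur, nil
}

// GroupsFromClaims decodes raw claims JSON and returns the string list at path.
func GroupsFromClaims(raw, path string) ([]string, error) {
	var claims map[string]interface{}
	if err := json.Unmarshal([]byte(raw), &claims); err != nil {
		return nil, err
	}
	v, err := ResolveClaimPath(claims, path)
	if err != nil {
		return nil, err
	}
	// Re-encode the resolved value and decode it strictly as []string, so an
	// object, scalar or mixed list at the path is rejected instead of coerced.
	b, _ := json.Marshal(v)
	var groups []string
	if err := json.Unmarshal(b, &groups); err != nil {
		return nil, fmt.Errorf("path %q does not hold a string list: %w", path, err)
	}
	return groups, nil
}

func main() {
	fmt.Println(GroupsFromClaims(SampleClaims, "resource_access.my-oidc-client.roles"))
}
```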
