User scopes do not get propagated to the returned JWT provided by EG #740
Comments
Hey Vincent, do you have an estimate of when this is going to be resolved? |
We'll try to work on it during our next sprint, although unfortunately I had to abandon the current one for personal problems. This might require some time to get done, though. In case it's really a killer feature, we have paid support that would definitely prioritize this. |
Needs #758 |
I assigned a scope to a JWT credential but EG did NOT check it (it always skips the scope check).
======== In gateway.config ========
ip: ... ip:
======== Credential info ========
======== The scope on the apiEndpoint is different from the scope assigned to the user, but the request still succeeds ========
$ curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIza2R1ME94d3Z0UHY2Q3NVRE8zTDZiIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.rrF6QdaC10ya98ppwuykbO5xxyLbVcznvi2en8-STwM" http://172.17.0.1:30001/ip |
I fixed it by adding the jwtScopes policy. |
I'm looking for a place to comment on this for a while, I hope this is relevant: The sub claim inside the jwt returned from an auth server should be the unique user id of the authenticated user. From what I saw, eg is returning a hardcoded sub for all requests. was this intended? |
@nirradi I need you to elaborate a little bit more. Can you make an example? |
I wanted to create a JWT token as a response to a client credentials grant request. I saw this part of the docs:
https://www.express-gateway.io/docs/configuration/system.config.yml/accessTokens/
and, as I expected, it didn't return an opaque token anymore; instead it returned a properly signed JWT, but the sub was exactly what I had written in system.config.yaml.
If I understand correctly, the idea is to return a non-opaque token that has information about the user, like sub: clientId, and not a hard-coded value from the config.
What am I missing?
Thanks.
On Thu, Oct 25, 2018, 18:21 Vincenzo Chianese wrote:
@nirradi I need you to elaborate a little bit more. Can you make an example?
|
Could you share a bit more on how to install the jwtScopes plugin and enable it? |
Any information when / if this is going to be fixed? Is this repo still being worked on? @XVincentX |
The scopes assigned to a user credential (basic-auth, for example) do not get propagated back to the JWT issued for that user.
Somehow related to #608