Missing roles and group claims mapping in introspection #5938

Open
cagriuzel opened this issue Sep 13, 2024 · 0 comments
Description:
We are getting an HTTP 403 error when I send a request with an opaque token. It is a problem when I set spring.cloud.dataflow.task.useuseraccesstoken=true: the CTR task uses the user token and sends an about request to the dataflow server.

DataFlowTemplate.java - line 170

```java
this.aboutOperations = new AboutTemplate(restTemplate, resourceSupport.getLink(AboutTemplate.ABOUT_REL).get());
```

Release versions:
2.11.4

Steps to reproduce:

1. Configure provider-role-mappings as follows:

```yaml
provider-role-mappings:
  internal-auth:
    map-oauth-scopes: false
    map-group-claims: true
    group-mappings:
      ROLE_CREATE: CREATE
      ROLE_DEPLOY: DEPLOY
      ROLE_DESTROY: DESTROY
      ROLE_MANAGE: MANAGE
      ROLE_MODIFY: MODIFY
      ROLE_SCHEDULE: SCHEDULE
      ROLE_VIEW: VIEW
```

2. Log in with the OIDC provider using the openid scope. The id_token in the token response contains the following roles:

```json
{
    "sub": "MEHMETCAN",
    "roles": [
        "CREATE",
        "VIEW"
    ]
}
```

3. Send an about request to dataflow using the opaque token obtained in step 2:

```shell
curl --location --request GET 'http://localhost:8080/about' \
--header 'Authorization: Bearer opaque_token'
```

4. Got an HTTP 403 error response because dataflow doesn't map the groups and roles attributes in CustomAuthoritiesOpaqueTokenIntrospector:

```
Bearer error="insufficient_scope", error_description="The request requires higher privileges than provided by the access token.", error_uri="https://tools.ietf.org/html/rfc6750#section-3.1"
```
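For reference, the mapping the report says is missing from the opaque-token path looks roughly like this when written as a Spring Security `OpaqueTokenIntrospector` decorator. This is an added example, not Spring Cloud Data Flow's own code: the class name `GroupClaimMappingIntrospector`, the `groupMappings` map (keyed like the `group-mappings` block above, authority name to claim value) and the claim names `roles`/`groups` are assumptions, and it targets Java 17 with the `spring-security-oauth2-resource-server` API.

```java
import java.util.*;
import java.util.stream.Collectors;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.core.DefaultOAuth2AuthenticatedPrincipal;
import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal;
import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;

/**
 * Hypothetical decorator (not project code): runs the real introspection, then maps the
 * "roles" / "groups" claims through the configured group-mappings to ROLE_* authorities,
 * so an opaque token carries the same authorities a JWT with the same claims would.
 */
public class GroupClaimMappingIntrospector implements OpaqueTokenIntrospector {
    private static final List<String> GROUP_CLAIMS = List.of("roles", "groups");
    private final OpaqueTokenIntrospector delegate;
    private final Map<String, String> groupMappings; // e.g. ROLE_CREATE -> CREATE

    public GroupClaimMappingIntrospector(OpaqueTokenIntrospector delegate,
                                         Map<String, String> groupMappings) {
        this.delegate = delegate;
        this.groupMappings = groupMappings;
    }

    @Override
    public OAuth2AuthenticatedPrincipal introspect(String token) {
        OAuth2AuthenticatedPrincipal principal = delegate.introspect(token);
        Set<GrantedAuthority> authorities = new LinkedHashSet<>(principal.getAuthorities());
        authorities.addAll(mapGroupClaims(principal.getAttributes()));
        return new DefaultOAuth2AuthenticatedPrincipal(
                principal.getName(), principal.getAttributes(), authorities);
    }

    /** Pure mapping step, kept separate so it can be unit-tested without an IdP. */
    public Set<GrantedAuthority> mapGroupClaims(Map<String, Object> claims) {
        Set<String> groups = new HashSet<>();
        for (String claim : GROUP_CLAIMS) {
            Object value = claims.get(claim);
            if (value instanceof Collection<?> c) c.forEach(g -> groups.add(String.valueOf(g)));
            else if (value instanceof String s) groups.add(s);
        }
        // Only claim values present in the configured mapping become authorities;
        // unmapped values from the IdP are ignored rather than granted blindly.
        return groupMappings.entrySet().stream()
                .filter(e -> groups.contains(e.getValue()))
                .map(e -> new SimpleGrantedAuthority(e.getKey()))
                .collect(Collectors.toCollection(LinkedHashSet::new));
    }
}
```

With the mapping from step 1 and the claims from step 2, `mapGroupClaims` yields `ROLE_CREATE` and `ROLE_VIEW`, which is what the `/about` endpoint's authorization check expects.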


@github-actions github-actions bot added the status/need-triage Team needs to triage and take a first look label Sep 13, 2024
@cppwfs cppwfs added this to the 3.0.x milestone Sep 16, 2024
@cppwfs cppwfs removed the status/need-triage Team needs to triage and take a first look label Sep 16, 2024