support mapping JWT claims (close #3485) #3575
Resolve Conflicts: server/graphql-engine.cabal
@Oxymoron290 Could you please help us validate this? The docker image to be used for testing this is

@dsandip Can we help in any way to validate this? As we also very much would like this functionality.

@pheonixtechnical Sorry about the late response. Yes, of course, we could use your help. You can use the docker image from #3575 (comment) and test it with your Azure AD account. Please confirm that you are able to get the Hasura ACL rules to work off of your JWT claims by posting a comment here. Thank you!

Hello,
Resolve Conflicts: docs/graphql/manual/auth/authentication/jwt.rst server/graphql-engine.cabal server/src-lib/Hasura/Server/Auth.hs server/src-lib/Hasura/Server/Auth/JWT.hs server/src-test/Main.hs
@rakeshkky Updated spec: #3485 (comment)
Resolve Conflicts: .circleci/test-server.sh server/graphql-engine.cabal server/src-lib/Data/Parser/JSONPath.hs server/src-lib/Hasura/RQL/Types/Error.hs server/src-lib/Hasura/Server/Auth/JWT.hs server/src-lib/Hasura/Server/Config.hs server/src-lib/Hasura/Server/Utils.hs server/src-test/Main.hs server/tests-py/queries/v1/select/boolexp/postgis/query_illegal_cast_is_not_allowed.yaml server/tests-py/queries/v1/update/permissions/user_cannot_update_id_col_article.yaml
Review comment on CHANGELOG.md (outdated):

```
- server: treat the absence of `backend_only` configuration and `backend_only: false` equally (closing #5059) (#4111)
- server: support customizing JWT claims (close #3485)

Some providers don't let users add custom JWT claims. In such a case, the server will provide a JWT configuration option to specify a mapping of hasura session variables to values in existing claims via JSONPath/literal values. The JWT config now supports an extra optional field `claims_map` which is a JSON object which maps from session variables to JSON paths.
```

Suggested change:

```
Some auth providers do not let users add custom claims in JWT. In such cases, the server can take a JWT configuration option called `claims_map` to specify a mapping of Hasura session variables to values in existing claims via JSONPath or literal values.
```
Review comment on CHANGELOG.md (outdated):

```
The corresponding JWT config should be:
```

Suggested change:

```
The corresponding JWT config can be:
```
Review comment on CHANGELOG.md (outdated):

```
## Next release

### Server - Support for custom JWT Claims
```

Support for mapping session variables to default JWT claims
tirumaraiselvan left a comment:

approving changelog (barring small comment) and docs content (needs approval from @marionschleifer)
jberryman left a comment:

Thanks for addressing the comments!
* improve jsonpath parser to accept special characters and property tests for the same
* make the JWTClaimsMapValueG parametrizable
* add documentation in the JWT file
* modify processAuthZHeader

Co-authored-by: Karthikeyan Chinnakonda <karthikeyan@hasura.io>
Co-authored-by: Marion Schleifer <marion@hasura.io>
fixes #6449. A while back we added [support for customizing JWT claims](#3575), which enabled mapping a session variable to any value within the unregistered claims, but as reported in #6449, users aren't able to map the `x-hasura-user-id` session variable to the `sub` standard JWT claim. This PR fixes the above issue by allowing mapping session variables to standard JWT claims as well. GitOrigin-RevId: d3e63d7
* improve json path parser to accept keys in bracket notation with single quotes (e.g. `$.['random.com'].user`). Being done via: allow special characters in json path's property name (close #3890) #3892

Description
Some providers don't let users add custom JWT claims. In such a case, the server will provide a JWT configuration option to specify a mapping of hasura session variables to values in existing claims via JSONPaths. Now JWT config supports an extra optional field `claims_map` which is a JSON object which maps from session variables to jsonpaths.

Example:

Consider the following JWT claim:

```json
{
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true,
  "iat": 1516239022,
  "user": {
    "id": "ujdh739kd",
    "appRoles": ["user", "editor"]
  }
}
```

The mapping for `x-hasura-allowed-roles`, `x-hasura-default-role` and `x-hasura-user-id` session variables can be specified in `claims_map` configuration as follows.

`--jwt-secret` or `HASURA_GRAPHQL_JWT_SECRET`:

```json
{
  "type": "RS512",
  "key": "<The public Key>",
  "claims_map": {
    "x-hasura-allowed-roles": {"path": "$.user.appRoles"},
    "x-hasura-default-role": {"path": "$.user.appRoles[0]", "default": "user"},
    "x-hasura-user-id": {"path": "$.user.id"}
  }
}
```

The syntax to provide literal values in the JWT `claims_map`:

```json
{
  "type": "RS512",
  "key": "<The public Key>",
  "claims_map": {
    "x-hasura-allowed-roles": ["user", "editor"],
    "x-hasura-default-role": "user",
    "x-hasura-user-id": "1"
  }
}
```

Affected components
Related Issues
closes #3485
Solution and Design
* As `claims_map` accepts JSON paths, the parser in `Data.JSONPath.Parser` module is improved to accept keys having special characters.
* `JWTConfig` data type is improved to remove few `Maybe` fields.
* `Hasura.Server.Auth.JWT` module, where resolving the hasura claims considers the `claims_map` configuration.

Server checklist
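To make the `claims_map` resolution described in this PR (and the later `sub` mapping fix for #6449) concrete, here is an added Python example; it is not Hasura's own code (the server is written in Haskell). It implements only the JSONPath subset the description shows (dot keys, `[index]`, single-quoted bracket keys such as `$.['random.com'].user`), applies `path`/`default` objects and literal values to build session variables, and rejects a default role that is not among the allowed roles. The sample claims are the PR's example payload.

```python
import re

# Constructed sample payload, taken from the JWT claim shown in the PR description.
CLAIMS = {
    "sub": "1234567890", "name": "John Doe", "admin": True, "iat": 1516239022,
    "user": {"id": "ujdh739kd", "appRoles": ["user", "editor"]},
}

# One JSONPath segment: `.key`, `[index]`, or `['quoted key']` (leading dot optional).
_SEGMENT = re.compile(r"\.([A-Za-z_][\w-]*)|\.?\[(\d+)\]|\.?\['((?:[^'\\]|\\.)*)'\]")

def resolve_path(doc, path):
    """Walk `doc` along `path`; raise KeyError when a segment is absent."""
    if not path.startswith("$"):
        raise ValueError(f"JSONPath must start with '$': {path!r}")
    pos, cur = 1, doc
    while pos < len(path):
        m = _SEGMENT.match(path, pos)
        if not m:
            raise ValueError(f"unparseable JSONPath segment at {pos} in {path!r}")
        key, idx, quoted = m.groups()
        if idx is not None:
            if not isinstance(cur, list) or int(idx) >= len(cur):
                raise KeyError(path)
            cur = cur[int(idx)]
        else:
            name = key if key is not None else quoted.replace("\\'", "'")
            if not isinstance(cur, dict) or name not in cur:
                raise KeyError(path)
            cur = cur[name]
        pos = m.end()
    return cur

def resolve_session_vars(claims, claims_map):
    """Build session variables from {"path", "default"} objects or literal values."""
    out = {}
    for var, spec in claims_map.items():
        if isinstance(spec, dict) and "path" in spec:
            try:
                out[var] = resolve_path(claims, spec["path"])
            except KeyError:
                if "default" not in spec:  # missing claim and nothing to fall back to
                    raise KeyError(f"no claim at {spec['path']} for {var} and no default")
                out[var] = spec["default"]
        else:
            out[var] = spec  # literal value, identical for every token
    roles, role = out.get("x-hasura-allowed-roles"), out.get("x-hasura-default-role")
    if roles is not None and role is not None and role not in roles:
        raise ValueError("x-hasura-default-role must be one of x-hasura-allowed-roles")
    return out
```

Standard claims like `sub` are resolved the same way as nested ones, which is the behaviour the #6449 fix restored.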