Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Extend replaceVariables functionality to work with objects in claims #674

Open
wallacekelly-da opened this issue Apr 29, 2024 · 3 comments
Open

Extend replaceVariables functionality to work with objects in claims #674

wallacekelly-da opened this issue Apr 29, 2024 · 3 comments

Comments

@wallacekelly-da
Copy link

Repro steps

Motivated by this, define a request mapping in the JSON config file:

{
  "tokenCallbacks": [
    {
      "issuerId": "mockauth",
      "tokenExpiry": 120,
      "requestMappings": [
        {
          "requestParam": "mock_token_type",
          "match": "custom",
          "claims": {
            "https://daml.com/ledger-api": {
              "participantId": "${participantId}",
              "actAs": [ "${actAs}" ],
              "readAs": [ "${readAs}" ]
            }
          }
        }
      ]
    }
  ]
}

Desired Behavior

The mock-oauth2-server responds to token requests with a signed token with ${participantId}, ${actAs}, and ${readAs} replaced with values from the token request. Here is a sample of what I'm looking for:

{
  "https://daml.com/ledger-api": {
    "participantId": "participant1::1220f7994746f8f05198bbaf817714503d54fa17f4b23f17fafae8387f86bf5eaead",
    "actAs": [ "admin::1220f7994746f8f05198bbaf817714503d54fa17f4b23f17fafae8387f86bf5eaead" ],
    "readAs": [ "admin::1220f7994746f8f05198bbaf817714503d54fa17f4b23f17fafae8387f86bf5eaead" ]
  },
  "nbf": 1714423520,
  "iss": "http://localhost:8080/mockauth",
  "exp": 1714423640,
  "iat": 1714423520,
  "jti": "3693514f-0f72-4db2-8584-ebab4d5924c7"
}

Current Behavior

The fields ${participantId}, ${actAs}, and ${readAs} are not replaced. Here is an example of what is returned:

{
  "https://daml.com/ledger-api": {
    "participantId": "${participantId}",
    "actAs": [ "${actAs}" ],
    "readAs": [ "${readAs}" ]
  },
  "nbf": 1714423520,
  "iss": "http://localhost:8080/mockauth",
  "exp": 1714423640,
  "iat": 1714423520,
  "jti": "3693514f-0f72-4db2-8584-ebab4d5924c7"
}

Related code

It looks like the replaceVariables function is only being applied to the first-level strings and lists of strings.

From OAuth2TokenCallback.kt:

when (value) {
    is String -> replaceVariables(value, variables)
    is List<*> ->
        value.map { v ->
            if (v is String) {
                replaceVariables(v, variables)
            } else {
                v
            }
        }
    else -> value
}

This code would need to be updated to recurse the fields of child objects. Or, perhaps more simply, perform the substitution on the full claims JSON string, instead of the individual claims.
@tommytroen
Copy link
Collaborator

@wallacekelly-da are the parameters participantId, actAs, readAs part of the token request? The only way we can use dynamic values in the returned token for a specific request mapping is if we receive them as a part of the token request. Can you provide a sample of the token request?

@wallacekelly-da
Copy link
Author

Hi, @tommytroen! Thanks for asking:

 curl http://localhost:8080/mockauth/token \
  -d grant_type=client_credentials \
  -d client_id="ignored" \
  -d client_secret="ignored" \
  -d mock_token_type="custom" \
  -d participantId="participant1::1220f7994746f8f05198bbaf817714503d54fa17f4b23f17fafae8387f86bf5eaead" \
  -d actAs="admin::1220f7994746f8f05198bbaf817714503d54fa17f4b23f17fafae8387f86bf5eaead" \
  -d readAs="admin::1220f7994746f8f05198bbaf817714503d54fa17f4b23f17fafae8387f86bf5eaead"

@tommytroen
Copy link
Collaborator

@wallacekelly-da: Great thanks, this looks feasible. Will have a look soon.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tommytroen @wallacekelly-da