- Bug
- Resolution: Done
- Major
- 2.9.1 GA
The JWT Claim Check policy does not work when an API backend is connected to the Product using a path other than the default path ("/"), e.g. "/test". In this case, a routing policy is automatically generated and attached to the policy chain before APIcast. If the API backend is
- accessed using a mapping rule GET "/test/", and
- a JWT claim check policy is used to protect the resource path "/test",
the resulting policy chain is as follows.
"policy_chain": [
  {
    "name": "routing",
    "version": "builtin",
    "enabled": true,
    "configuration": {
      "rules": [
        {
          "url": "https://echo-api.3scale.net:443",
          "owner_id": 3,
          "owner_type": "BackendApi",
          "condition": {
            "operations": [
              { "match": "path", "op": "matches", "value": "^(/test/.*|/test/?)" }
            ]
          },
          "replace_path": "{{uri | remove_first: '/test'}}"
        }
      ]
    }
  },
  { "name": "apicast", "version": "builtin", "configuration": {} },
  {
    "name": "jwt_claim_check",
    "version": "builtin",
    "configuration": {
      "rules": [
        { .... "resource": "/test" }
      ],
      "error_message": "Access to resource blocked"
    }
  }
]
Issue
For an incoming request URI such as "/test/foo/bar", the resource path "/test" does not match, so the JWT claim check policy is not enforced for this resource.
Update:
The JWT claim check policy is not working to block a certain resource when APIaaP is enabled (when a routing policy is placed before the claim check in the policy chain).
Our problem is that, with a routing policy on top of the chain, we are setting the uri to `/` here: https://github.com/3scale/APIcast/blob/3eac1272b66817dfcf2d7cfdc8ed779cf934caeb/gateway/src/apicast/policy/routing/upstream_selector.lua#L43
With that variable set to "/", the resource will never match (this https://github.com/3scale/APIcast/blob/3eac1272b66817dfcf2d7cfdc8ed779cf934caeb/gateway/src/apicast/policy/jwt_claim_check/jwt_claim_check.lua#L74 will always return false), unless, in fact, we use exactly `/` as the resource.
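The mismatch described above, as a constructed Python model added here (not APIcast's own Lua code): the routing policy rewrites the URI according to the chain's `remove_first: '/test'` rule, the claim check then tests its "resource" against the rewritten URI and never matches, and the mitigation is to evaluate the resource against the request's original path captured before any rewrite. The prefix-style resource matching and the collapse of an empty rewrite to "/" are assumptions for illustration; the report itself observes the variable being set to "/", which fails the "/test" match in the same way.

```python
import re

# Constructed model of the two policies from the chain above (not APIcast code).
ROUTING_RULE = {"match": r"^(/test/.*|/test/?)", "remove_first": "/test"}
CLAIM_CHECK_RULE = {"resource": "/test"}


def routing_policy(path: str) -> str:
    """Rewrite the upstream URI the way the routing rule's replace_path does."""
    if re.match(ROUTING_RULE["match"], path):
        stripped = path.replace(ROUTING_RULE["remove_first"], "", 1)
        return stripped or "/"  # assumption: an empty rewrite collapses to "/"
    return path


def resource_matches(resource: str, path: str) -> bool:
    """Assumed resource test: exact match or a path under the resource."""
    return path == resource or path.startswith(resource.rstrip("/") + "/")


def claim_check_buggy(request_path: str) -> bool:
    """Evaluate the resource against the URI *after* routing rewrote it.

    This reproduces the failure: "/test/foo/bar" becomes "/foo/bar", so the
    configured resource "/test" never matches and the check is skipped.
    """
    rewritten = routing_policy(request_path)
    return resource_matches(CLAIM_CHECK_RULE["resource"], rewritten)


def claim_check_fixed(request_path: str) -> bool:
    """Evaluate the resource against the original request path.

    Capturing the path before the routing policy runs keeps the claim
    check's view of the resource independent of upstream path rewriting.
    """
    return resource_matches(CLAIM_CHECK_RULE["resource"], request_path)


if __name__ == "__main__":
    for path in ("/test/foo/bar", "/test", "/other"):
        print(
            f"{path:15} rewritten={routing_policy(path):10} "
            f"buggy={claim_check_buggy(path)!s:5} fixed={claim_check_fixed(path)}"
        )
```

A defensive check after deploying such a chain is to send a request for a protected sub-path and confirm it is rejected without a matching claim; a 200 from the backend means the resource never matched.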
- is blocked by: THREESCALE-6428 Add APIaaP Routing policy just before APICast policy (Closed)
- relates to: THREESCALE-9510 Allow JWT Claim Check against query parameters (To Develop)