Seems that most of the user specific claims were removed from the jwt token in commit 10019633bea1e5635e14c75b06e09c1d54bf4507
Are any of these going to be re-added at any point? Unless there's another way that I've missed, it seems like the only way to successfully authenticate with Organizr using Caddy 2 is using the caddy-auth-jwt plugin for Caddy V2, which doesn't allow you to specify unique claims.
I've been able to get logged in / vs. not logged in authentication working in Caddy 2, but cannot limit hosts based on user group due to "group" being removed from the organizr token. Would be awesome if at least "group" could be re-added to the token at some point to enable jwt token at some point so Organizr auth can be fully functional with Caddy 2.
_(I've documented my exhaustive journey getting Caddy 2 working with Organizr JWT and am writing up a blog post on it as soon as I have it working with group specification, I'll share the link once it's done)_
examine the organizr_token
Only iss, aud, jti, iat, exp, & userID are passed - username, group, groupID, email, & image are missing. Need at least group for caddy 2 jwt auth to work properly.
Thanks for posting this, I thought I was going crazy. I updated Organizr and I also noticed the JWT claims had disappeared. I'm also using caddy-auth-jwt.
I was debating rolling back the Organizr version or perhaps using the UserId fields in the meantime (less than ideal).
I can add back in the GroupID
Hmm, actually I believe we need one of the following fields in the JWT:
https://github.com/greenpau/caddy-auth-jwt#sources-of-role-information
I didn't see a way to use a custom roles field. It looks like it is a future feature. If possible, it would be great to add back the group field.
i can have group return the group id. would that work?
api/classes/organizr.class.php:
->withClaim('group', strval($result['group_id']))// Configures a new claim, called "groupID"
The Caddy middleware expects the claim to be a string, otherwise it throws an error about the claim being a float. If I convert the field to a string, everything works fine. I'm not a PHP dev so that string conversion was from a Google search :-P.
The Caddyfile changes look like this:
jwt {
allow roles Admin Co-Admin
}
to
jwt {
allow roles 0 1
}
jwt:
{
"iss": "Organizr",
"aud": "Organizr",
// ...
"group": "0",
"userID": 1
}
Does this sound reasonable to you @Maxtoid @causefx ?
Yeah I think either having group return group ID, or honestly just even putting group back in and returning the name of the group would work; the way the JWT plugin processes the strings, it would be easier to just allow roles admin, co-admin, or superuser. But if the size of the token is the concern we should be able to get the JWT token to work with the group ID as the group claim too.
Yeah, I was trying to cut down on the length of the token to limit the cookie sizes... I will play with it and release it tomorrow.
Most helpful comment
Yeah, I was trying to cut down on the length of the token to limit the cookie sizes... I will play with it and release it tomorrow.