Organizr: JWT claims removed from token

Created on 4 Feb 2021  路  7Comments  路  Source: causefx/Organizr

Organizr Version: V 2.1.184
Branch: Master/Develop
WebServer: Caddy V2
Operating System: Windows/MacOS/Ubuntu - Yes

Problem Description:

Seems that most of the user specific claims were removed from the jwt token in commit 10019633bea1e5635e14c75b06e09c1d54bf4507

Are any of these going to be re-added at any point? Unless there's another way that I've missed, it seems like the only way to successfully authenticate with Organizr using Caddy 2 is using the caddy-auth-jwt plugin for Caddy V2, which doesn't allow you to specify unique claims.

I've been able to get logged in / vs. not logged in authentication working in Caddy 2, but cannot limit hosts based on user group due to "group" being removed from the organizr token. Would be awesome if at least "group" could be re-added to the token at some point to enable jwt token at some point so Organizr auth can be fully functional with Caddy 2.

_(I've documented my exhaustive journey getting Caddy 2 working with Organizr JWT and am writing up a blog post on it as soon as I have it working with group specification, I'll share the link once it's done)_


Reproduction Steps:

examine the organizr_token

Only iss, aud, jti, iat, exp, & userID are passed - username, group, groupID, email, & image are missing. Need at least group for caddy 2 jwt auth to work properly.


Most helpful comment

Yeah, I was trying to cut down on the length of the token to limit the cookie sizes... I will play with it and release it tomorrow.

All 7 comments

Thanks for posting this, I thought I was going crazy. I updated Organizr and I also noticed the JWT claims had disappeared. I'm also using caddy-auth-jwt.

I was debating rolling back the Organizr version or perhaps using the UserId fields in the meantime (less than ideal).

I can add back in the GroupID

Hmm, actually I believe we need one of the following fields in the JWT:

  • roles
  • role
  • group
  • groups
  • app_metadata - authorization - roles
  • realm_access - roles

https://github.com/greenpau/caddy-auth-jwt#sources-of-role-information

I didn't see a way to use a custom roles field. It looks like it is a future feature. If possible, it would be great to add back the group field.

i can have group return the group id. would that work?

api/classes/organizr.class.php:

->withClaim('group', strval($result['group_id']))// Configures a new claim, called "groupID"

The Caddy middleware expects the claim to be a string, otherwise it throws an error about the claim being a float. If I convert the field to a string, everything works fine. I'm not a PHP dev so that string conversion was from a Google search :-P.

The Caddyfile changes look like this:

        jwt {
            allow roles Admin Co-Admin
        }

to

        jwt {
            allow roles 0 1
        }

jwt:

{
  "iss": "Organizr",
  "aud": "Organizr",
  // ...
  "group": "0",
  "userID": 1
}

Does this sound reasonable to you @Maxtoid @causefx ?

Yeah I think either having group return group ID, or honestly just even putting group back in and returning the name of the group would work; the way the JWT plugin processes the strings, it would be easier to just allow roles admin, co-admin, or superuser. But if the size of the token is the concern we should be able to get the JWT token to work with the group ID as the group claim too.

Yeah, I was trying to cut down on the length of the token to limit the cookie sizes... I will play with it and release it tomorrow.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

romquenin picture romquenin  路  3Comments

xavier84 picture xavier84  路  5Comments

Ryonez picture Ryonez  路  6Comments

mishac picture mishac  路  4Comments

Cookie-Monster-Coder picture Cookie-Monster-Coder  路  5Comments