Wildcard in JSON path for claims_map

[viico]

Version Information

Server Version: 2.43.0

Environment

Self hosted with docker-compose (docker tag hasura/graphql-engine:v2.43.0).

Context

We use Hasura with Casdoor, we follow this 2 docs :

• https://casdoor.org/docs/integration/Haskell/Hasura
• https://hasura.io/learn/graphql/hasura-authentication/integrations/casdoor/

We use claims_map to map x-hasura-allowed-roles, x-hasura-default-role and x-hasura-user-id fields from the casdoor token fields. Here is our value for HASURA_GRAPHQL_JWT_SECRET environment variable.

{
    "claims_map": {
        "x-hasura-allowed-roles": {
            "path": "$.roles[\"*\"].name"
        },
        "x-hasura-default-role": {
            "path": "$.roles[0].name"
        },
        "x-hasura-user-id": {
            "path": "$.id"
        }
    },
    "jwk_url": "https://casdoor.d2d.sncf.fr/.well-known/jwks"
}

What is the current behaviour?

We have a problem on the x-hasura-allowed-roles field, the error from Hasura is : 'JWT claim does not contain "x-hasura-allowed-roles.

• we verify the token sent to Hasura and we have 2 role objects in the roles array (with name field)
• all the authentication works well when we define a default value for x-hasura-allowed-roles in the claims_map

I guess problem come from the JSON path $.roles[\"*\"].name, we try different solution :

• "$.roles[*].name", error at startup : Fatal Error:- Environment variable HASURA_GRAPHQL_JWT_SECRET: Error in $['claims_map']: $.roles[*].name. Accept letters, digits, underscore (_) or hyphen (-) only. Use quotes enclosed in bracket (["..."]) if there is any special character
• "$.roles['*'].name", same error : 'JWT claim does not contain "x-hasura-allowed-roles

What is the expected behaviour?

x-hasura-allowed-roles field contains an array of role name's provided by the casdoor token.

How to reproduce the issue?

1. follow the doc for setup casdoor and hasura
2. create a user in casdoor with hasura's role
3. use the image hasura/graphql-engine:v2.43.0 in the docker-compose file
4. set environment variable : - HASURA_GRAPHQL_JWT_SECRET={"claims_map":{"x-hasura-allowed-roles":{"path":"$$.roles[\"*\"].name"},"x-hasura-default-role":{"path":"$$.roles[0].name"},"x-hasura-user-id":{"path":"$$.id"}},"jwk_url":"https://casdoor.d2d.sncf.fr/.well-known/jwks"}
5. try to call hasura with a casdoor user token

[Kalcode]

Same issue and casdoor repo issues state the same thing

https://casdoor.org/docs/integration/Haskell/Hasura/#build-the-hasura-app

HASURA_GRAPHQL_JWT_SECRET: '{"claims_map": {
      "x-hasura-allowed-roles": {"path": "$.roles"},
      "x-hasura-default-role": {"path": "$.roles[0]"},
      "x-hasura-user-id": {"path": "$.id"}
    },"jwk_url":"<Casdoor endpoint>/.well-known/jwks"}'

But the roles are objects nested

{
  "roles": [
    {
      "name": "admin" // <--- need this
    }
  ]
}

[hgiasac]

Hi @Kalcode , @viico,

At this moment, Hasura v2 doesn't support the wildcard array selector. Currently, only object properties and array index are supported, for example: .foo.bar, .foo.bar[0].

However, you can workaround this by hard-coding the x-hasura-allowed-roles value if you already know the list of roles. For example:

{
  "claims_map": {
    "x-hasura-allowed-roles": ["admin", "user"],
    "x-hasura-default-role": { "path": "$.roles[0]" },
    "x-hasura-user-id": { "path": "$.id" }
  },
  "jwk_url": "<Casdoor endpoint>/.well-known/jwks"
}