Include multiple permissions in one RPT #5809

siedlejo · 2023-08-09T07:52:33Z

siedlejo
Aug 9, 2023

Hi all, I've got a question regarding UMA RPT tokens: According to the UMA specification it is possible to include multiple permissions in one RPT. In order to do so, the permission ticket request (using /host/rsrc_pr) should contain multiple resources. However, if I do this in Janssen, only one of the specified resources is included in the final RPT. Is is possible at all to have multiple permissions in one RPT or does Janssen not support this functionality?

Here are my requests:

I verified, that all of the referenced resources exist using the endpoint /host/rsrc/resource_set:
Response:

[
  "24e53879-94ca-4823-848e-e5046701c684",
  "c1d83f0d-03b8-4e62-b3aa-a2d7db1aff23",
  "ee5d0c29-fe4b-4b6c-ab27-967db67230ea"
]

I create a permission ticket using the endpoint /host/rsrc_pr with the body:

[
  {
    "resource_id":"24e53879-94ca-4823-848e-e5046701c684",
    "resource_scopes": [
      "use"
    ]
  },
  {
    "resource_id":"ee5d0c29-fe4b-4b6c-ab27-967db67230ea",
    "resource_scopes": [
      "use"
    ]
  }
]

Response:

{
  "ticket": "3ba97a4e-94cf-44d1-a574-cb4b77b0cef4"
}

I fetch the RPT using the endpoint /token with grant_type=urn:ietf:params:oauth:grant-type:uma-ticket and ticket=3ba97a4e-94cf-44d1-a574-cb4b77b0cef4
Response:

{
  "access_token": "2f344334-7dc9-4f27-a358-52665976d891_78A8.5A79.DF8A.A71D.BD6F.E0B4.886D.2E9D",
  "token_type": "Bearer",
  "pct": "10b8620c-9bc5-4572-8ddc-5417e477b9fb",
  "upgraded": false
}

I lookup the content of the RPT using the endpoint /rpt/status:
Response (shortened):

{
  "sub": "5GpbCOmOWOPCU4kSuuNtgRAj7HA-gjPsXgf9pDajY2E",
  "aud": "6ea5a2cc-2ead-4200-aa7c-56bb6233ad96",
  "permissions": [
    {
      "resource_scopes": [
        "use"
      ],
      "resource_id": "24e53879-94ca-4823-848e-e5046701c684",
      "exp": 1691568866,
      "params": null
    }
  ],
"active": true,
"exp": 1691568888,
"iat": 1691565288
}

However, my expected response to the last request would be smth like this (both resources listed under permissions):

{
  "sub": "5GpbCOmOWOPCU4kSuuNtgRAj7HA-gjPsXgf9pDajY2E",
  "aud": "6ea5a2cc-2ead-4200-aa7c-56bb6233ad96",
  "permissions": [
    {
      "resource_scopes": [
        "approve"
      ],
      "resource_id": "24e53879-94ca-4823-848e-e5046701c684",
      "exp": 1691568866,
      "params": null
    },
    {
      "resource_scopes": [
        "approve"
      ],
      "resource_id": "ee5d0c29-fe4b-4b6c-ab27-967db67230ea",
      "exp": 1691568866,
      "params": null
    }
  ],
"active": true,
"exp": 1691568888,
"iat": 1691565288
}

I also verified that the specified user is permitted to use both ressources by doing two seperate requests including only one permission. This is working as expected. Only when asking for two permissions in one single request I am experiencing the described unexpected behaviour. Therefore my question: Is this intended behaviour or am I missing something?

Answered by yuriyz

Aug 9, 2023

Hmm, request looks good to me. It must be bug. As workaround simply run it one by one.

Opened bug report to invetigate and fix #5814

View full answer

ossdhaval · 2023-08-09T08:33:54Z

ossdhaval
Aug 9, 2023
Maintainer

Welcome @siedlejo to the Janssen discussions. Adding @yuriyz for comments.

0 replies

yuriyz · 2023-08-09T10:59:31Z

yuriyz
Aug 9, 2023
Maintainer

AS authorizes all permissions associated with the ticket. So in scenario described above if permissions are valid both has to be present in RPT introspection.

You can see how it's added here

Is it possible that the other permission is expired? When RPT introspection response is build, AS filters out invalid permissions. See this line.

If permission is not valid AS prints logs about it as you can see from link above.

To better understand what is going on, the best is :

Turn on TRACE log level
Reproduce case described above
Provide LDIF or JSON of: a) RPT entry from persistence b) permissions entries
Provide umaTicketLifetime AS configuration value
Give full jans-auth.log (with TRACE log level enabled).

3 replies

siedlejo Aug 9, 2023
Author

Good to know that this feature is generally supported. I just checked the log files and think that I found the reason for this behaviour. It seems like the auth module tries to add two seperate permissions entries having the same identifier, which results in a duplicate. Can you confirm that my request body is valid or am I doing smth wrong?

Here are the relevant log lines:

2023-08-09 14:11:32,325 TRACE [Thread-525]  [jans.as.server.service.ciba.CibaRequestsProcessorJob] (CibaRequestsProcessorJob.java:103) - Starting conditions aren't reached for CIBA requestes processor
2023-08-09 14:11:33,485 TRACE [qtp574434418-16] 94171ba1-22a4-41bb-846a-826eb8a96c44 [io.jans.server.filters.AbstractCorsFilter] (AbstractCorsFilter.java:759) - setContextClientAllowedOrigins: null
2023-08-09 14:11:33,485 TRACE [qtp574434418-16] 94171ba1-22a4-41bb-846a-826eb8a96c44 [io.jans.server.filters.AbstractCorsFilter] (AbstractCorsFilter.java:805) - before doFilter: request method POST to URI /jans-auth/restv1/host/rsrc_pr, corsType NOT_CORS, attributes [org.jboss.weld.module.web.servlet.ConversationContextActivator.contextActivatedInRequest = true,org.jboss.weld.context.ignore.guard.marker = java.lang.Object@2640a2cc], headers [Cookie = X-Correlation-Id=4950cdfb-0143-4cf1-b5ac-624381fb4bbe,Authorization = Bearer eyJraWQiOiJjb25uZWN0X2M0MjdlOTUwLThhNmItNDcxYy05MjZmLWQ2ZmIyNGFiMzY0M19zaWdfcnMyNTYiLCJ0eXAiOiJqd3QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiI2ZWE1YTJjYy0yZWFkLTQyMDAtYWE3Yy01NmJiNjIzM2FkOTYiLCJzdWIiOiI1R3BiQ09tT1dPUENVNGtTdXVOdGdSQWo3SEEtZ2pQc1hnZjlwRGFqWTJFIiwieDV0I1MyNTYiOiIiLCJjb2RlIjoiNzAxZDkzZDItNzRjYS00MjM4LWExNDAtYjE4ZTQ2Y2E3M2FmIiwic2NvcGUiOlsidW1hX3Byb3RlY3Rpb24iXSwiaXNzIjoiaHR0cHM6Ly9nbHV1IiwidG9rZW5fdHlwZSI6IkJlYXJlciIsImV4cCI6MTY5MTc2MTEzNSwiaWF0IjoxNjkxNTg4NTYwLCJjbGllbnRfaWQiOiI2ZWE1YTJjYy0yZWFkLTQyMDAtYWE3Yy01NmJiNjIzM2FkOTYiLCJ1c2VybmFtZSI6IlYxIn0.aSPu7e8zxshuDxKHk4R3Dhv1vJFNVujSK9ixrb-bUZerxkRweIGDpqgXxfco-trbM24bxJuJxAC5YbK1CCkSKmHletou8irdxp9gBDPGa3w4tgm-j2YPcFi2Myqg4hUIX2BE0TD8E-yyx3Xc4qI_1osl0ZTci-GuGZoV2YDZM79wJ8VeURGLunnHYcfVHYH30o93n1g8OcqHbH0YeJt5FISFTKcAeXieaxuSFyg5e3WVSKIdydJViQDakI02x7keQabhddsxfWomE1y5lBn4BbFncrqP_PLsUK886yjH5BMiNQRZ3asacsDtuBrNH5Uxi-p_2fD_8iZQvVeewu69zA,Accept = */*,User-Agent = insomnia/2023.4.0,X-Forwarded-Proto = https,X-Forwarded-Host = gluu,Connection = keep-alive,X-Forwarded-For = 172.23.0.1,Host = gluu,Content-Length = 208,X-Forwarded-Server = gluu,Content-Type = application/json]
2023-08-09 14:11:33,485 TRACE [qtp574434418-16] 94171ba1-22a4-41bb-846a-826eb8a96c44 [io.jans.server.filters.AbstractCorsFilter] (AbstractCorsFilter.java:805) - before decorateCORSProperties: request method POST to URI /jans-auth/restv1/host/rsrc_pr, corsType NOT_CORS, attributes [org.jboss.weld.module.web.servlet.ConversationContextActivator.contextActivatedInRequest = true,org.jboss.weld.context.ignore.guard.marker = java.lang.Object@2640a2cc], headers [Cookie = X-Correlation-Id=4950cdfb-0143-4cf1-b5ac-624381fb4bbe,Authorization = Bearer eyJraWQiOiJjb25uZWN0X2M0MjdlOTUwLThhNmItNDcxYy05MjZmLWQ2ZmIyNGFiMzY0M19zaWdfcnMyNTYiLCJ0eXAiOiJqd3QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiI2ZWE1YTJjYy0yZWFkLTQyMDAtYWE3Yy01NmJiNjIzM2FkOTYiLCJzdWIiOiI1R3BiQ09tT1dPUENVNGtTdXVOdGdSQWo3SEEtZ2pQc1hnZjlwRGFqWTJFIiwieDV0I1MyNTYiOiIiLCJjb2RlIjoiNzAxZDkzZDItNzRjYS00MjM4LWExNDAtYjE4ZTQ2Y2E3M2FmIiwic2NvcGUiOlsidW1hX3Byb3RlY3Rpb24iXSwiaXNzIjoiaHR0cHM6Ly9nbHV1IiwidG9rZW5fdHlwZSI6IkJlYXJlciIsImV4cCI6MTY5MTc2MTEzNSwiaWF0IjoxNjkxNTg4NTYwLCJjbGllbnRfaWQiOiI2ZWE1YTJjYy0yZWFkLTQyMDAtYWE3Yy01NmJiNjIzM2FkOTYiLCJ1c2VybmFtZSI6IlYxIn0.aSPu7e8zxshuDxKHk4R3Dhv1vJFNVujSK9ixrb-bUZerxkRweIGDpqgXxfco-trbM24bxJuJxAC5YbK1CCkSKmHletou8irdxp9gBDPGa3w4tgm-j2YPcFi2Myqg4hUIX2BE0TD8E-yyx3Xc4qI_1osl0ZTci-GuGZoV2YDZM79wJ8VeURGLunnHYcfVHYH30o93n1g8OcqHbH0YeJt5FISFTKcAeXieaxuSFyg5e3WVSKIdydJViQDakI02x7keQabhddsxfWomE1y5lBn4BbFncrqP_PLsUK886yjH5BMiNQRZ3asacsDtuBrNH5Uxi-p_2fD_8iZQvVeewu69zA,Accept = */*,User-Agent = insomnia/2023.4.0,X-Forwarded-Proto = https,X-Forwarded-Host = gluu,Connection = keep-alive,X-Forwarded-For = 172.23.0.1,Host = gluu,Content-Length = 208,X-Forwarded-Server = gluu,Content-Type = application/json]
2023-08-09 14:11:33,486 TRACE [qtp574434418-16] 94171ba1-22a4-41bb-846a-826eb8a96c44 [io.jans.server.filters.AbstractCorsFilter] (AbstractCorsFilter.java:805) - after decorateCORSProperties: request method POST to URI /jans-auth/restv1/host/rsrc_pr, corsType NOT_CORS, attributes [cors.isCorsRequest = false,org.jboss.weld.module.web.servlet.ConversationContextActivator.contextActivatedInRequest = true,org.jboss.weld.context.ignore.guard.marker = java.lang.Object@2640a2cc], headers [Cookie = X-Correlation-Id=4950cdfb-0143-4cf1-b5ac-624381fb4bbe,Authorization = Bearer eyJraWQiOiJjb25uZWN0X2M0MjdlOTUwLThhNmItNDcxYy05MjZmLWQ2ZmIyNGFiMzY0M19zaWdfcnMyNTYiLCJ0eXAiOiJqd3QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiI2ZWE1YTJjYy0yZWFkLTQyMDAtYWE3Yy01NmJiNjIzM2FkOTYiLCJzdWIiOiI1R3BiQ09tT1dPUENVNGtTdXVOdGdSQWo3SEEtZ2pQc1hnZjlwRGFqWTJFIiwieDV0I1MyNTYiOiIiLCJjb2RlIjoiNzAxZDkzZDItNzRjYS00MjM4LWExNDAtYjE4ZTQ2Y2E3M2FmIiwic2NvcGUiOlsidW1hX3Byb3RlY3Rpb24iXSwiaXNzIjoiaHR0cHM6Ly9nbHV1IiwidG9rZW5fdHlwZSI6IkJlYXJlciIsImV4cCI6MTY5MTc2MTEzNSwiaWF0IjoxNjkxNTg4NTYwLCJjbGllbnRfaWQiOiI2ZWE1YTJjYy0yZWFkLTQyMDAtYWE3Yy01NmJiNjIzM2FkOTYiLCJ1c2VybmFtZSI6IlYxIn0.aSPu7e8zxshuDxKHk4R3Dhv1vJFNVujSK9ixrb-bUZerxkRweIGDpqgXxfco-trbM24bxJuJxAC5YbK1CCkSKmHletou8irdxp9gBDPGa3w4tgm-j2YPcFi2Myqg4hUIX2BE0TD8E-yyx3Xc4qI_1osl0ZTci-GuGZoV2YDZM79wJ8VeURGLunnHYcfVHYH30o93n1g8OcqHbH0YeJt5FISFTKcAeXieaxuSFyg5e3WVSKIdydJViQDakI02x7keQabhddsxfWomE1y5lBn4BbFncrqP_PLsUK886yjH5BMiNQRZ3asacsDtuBrNH5Uxi-p_2fD_8iZQvVeewu69zA,Accept = */*,User-Agent = insomnia/2023.4.0,X-Forwarded-Proto = https,X-Forwarded-Host = gluu,Connection = keep-alive,X-Forwarded-For = 172.23.0.1,Host = gluu,Content-Length = 208,X-Forwarded-Server = gluu,Content-Type = application/json]
2023-08-09 14:11:33,493 TRACE [qtp574434418-16] e46df1b4-d244-4b6d-a1bc-5cd1b00d0ec9 [jans.as.server.uma.service.UmaValidationService] (UmaValidationService.java:129) - Validate authorization: Bearer eyJraWQiOiJjb25uZWN0X2M0MjdlOTUwLThhNmItNDcxYy05MjZmLWQ2ZmIyNGFiMzY0M19zaWdfcnMyNTYiLCJ0eXAiOiJqd3QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiI2ZWE1YTJjYy0yZWFkLTQyMDAtYWE3Yy01NmJiNjIzM2FkOTYiLCJzdWIiOiI1R3BiQ09tT1dPUENVNGtTdXVOdGdSQWo3SEEtZ2pQc1hnZjlwRGFqWTJFIiwieDV0I1MyNTYiOiIiLCJjb2RlIjoiNzAxZDkzZDItNzRjYS00MjM4LWExNDAtYjE4ZTQ2Y2E3M2FmIiwic2NvcGUiOlsidW1hX3Byb3RlY3Rpb24iXSwiaXNzIjoiaHR0cHM6Ly9nbHV1IiwidG9rZW5fdHlwZSI6IkJlYXJlciIsImV4cCI6MTY5MTc2MTEzNSwiaWF0IjoxNjkxNTg4NTYwLCJjbGllbnRfaWQiOiI2ZWE1YTJjYy0yZWFkLTQyMDAtYWE3Yy01NmJiNjIzM2FkOTYiLCJ1c2VybmFtZSI6IlYxIn0.aSPu7e8zxshuDxKHk4R3Dhv1vJFNVujSK9ixrb-bUZerxkRweIGDpqgXxfco-trbM24bxJuJxAC5YbK1CCkSKmHletou8irdxp9gBDPGa3w4tgm-j2YPcFi2Myqg4hUIX2BE0TD8E-yyx3Xc4qI_1osl0ZTci-GuGZoV2YDZM79wJ8VeURGLunnHYcfVHYH30o93n1g8OcqHbH0YeJt5FISFTKcAeXieaxuSFyg5e3WVSKIdydJViQDakI02x7keQabhddsxfWomE1y5lBn4BbFncrqP_PLsUK886yjH5BMiNQRZ3asacsDtuBrNH5Uxi-p_2fD_8iZQvVeewu69zA
2023-08-09 14:11:33,493 TRACE [qtp574434418-16] e46df1b4-d244-4b6d-a1bc-5cd1b00d0ec9 [io.jans.service.BaseCacheService] (BaseCacheService.java:38) - Request data, key 'f8a874a612076d44428769c446e22c183b69f8c1136d4d2a9a822b5e3bc2ab8e'
2023-08-09 14:11:33,497 TRACE [qtp574434418-16] e46df1b4-d244-4b6d-a1bc-5cd1b00d0ec9 [io.jans.service.BaseCacheService] (BaseCacheService.java:40) - Loaded data, key 'f8a874a612076d44428769c446e22c183b69f8c1136d4d2a9a822b5e3bc2ab8e': 'null'
2023-08-09 14:11:33,500 DEBUG [qtp574434418-16] e46df1b4-d244-4b6d-a1bc-5cd1b00d0ec9 [jans.as.common.service.common.UserService] (UserService.java:78) - Getting user information from LDAP: userId = V1
2023-08-09 14:11:33,509 DEBUG [qtp574434418-16] e46df1b4-d244-4b6d-a1bc-5cd1b00d0ec9 [jans.as.common.service.common.UserService] (UserService.java:93) - Found 1 entries for user id = V1
2023-08-09 14:11:33,509 TRACE [qtp574434418-16] e46df1b4-d244-4b6d-a1bc-5cd1b00d0ec9 [io.jans.service.BaseCacheService] (BaseCacheService.java:38) - Request data, key 'inum=6ea5a2cc-2ead-4200-aa7c-56bb6233ad96,ou=clients,o=jans'
2023-08-09 14:11:33,509 TRACE [qtp574434418-16] e46df1b4-d244-4b6d-a1bc-5cd1b00d0ec9 [io.jans.service.BaseCacheService] (BaseCacheService.java:40) - Loaded data, key 'inum=6ea5a2cc-2ead-4200-aa7c-56bb6233ad96,ou=clients,o=jans': 'null'
2023-08-09 14:11:33,509 TRACE [qtp574434418-16] e46df1b4-d244-4b6d-a1bc-5cd1b00d0ec9 [io.jans.service.BaseCacheService] (BaseCacheService.java:62) - Key not in cache. Searching value via load function, key: 'inum=6ea5a2cc-2ead-4200-aa7c-56bb6233ad96,ou=clients,o=jans'
2023-08-09 14:11:33,526 TRACE [qtp574434418-16] e46df1b4-d244-4b6d-a1bc-5cd1b00d0ec9 [io.jans.service.BaseCacheService] (BaseCacheService.java:85) - Put data, key 'inum=6ea5a2cc-2ead-4200-aa7c-56bb6233ad96,ou=clients,o=jans': 'DeletableEntity{expirationDate=null, deletable=false} BaseEntry [dn=inum=6ea5a2cc-2ead-4200-aa7c-56bb6233ad96,ou=clients,o=jans]'
2023-08-09 14:11:33,527 DEBUG [qtp574434418-16] e46df1b4-d244-4b6d-a1bc-5cd1b00d0ec9 [io.jans.as.server.service.ClientService] (ClientService.java:152) - Found 1 entries for client id = 6ea5a2cc-2ead-4200-aa7c-56bb6233ad96
2023-08-09 14:11:33,539 TRACE [qtp574434418-16] e46df1b4-d244-4b6d-a1bc-5cd1b00d0ec9 [io.jans.service.BaseCacheService] (BaseCacheService.java:53) - Loading data from DB without cache, key 'jansId=ee5d0c29-fe4b-4b6c-ab27-967db67230ea,ou=resources,ou=uma,o=jans'
2023-08-09 14:11:33,556 TRACE [qtp574434418-16] e46df1b4-d244-4b6d-a1bc-5cd1b00d0ec9 [io.jans.service.BaseCacheService] (BaseCacheService.java:53) - Loading data from DB without cache, key 'jansId=24e53879-94ca-4823-848e-e5046701c684,ou=resources,ou=uma,o=jans'
2023-08-09 14:11:33,570 TRACE [qtp574434418-16] e46df1b4-d244-4b6d-a1bc-5cd1b00d0ec9 [io.jans.service.BaseCacheService] (BaseCacheService.java:38) - Request data, key 'f8a874a612076d44428769c446e22c183b69f8c1136d4d2a9a822b5e3bc2ab8e'
2023-08-09 14:11:33,575 TRACE [qtp574434418-16] e46df1b4-d244-4b6d-a1bc-5cd1b00d0ec9 [io.jans.service.BaseCacheService] (BaseCacheService.java:40) - Loaded data, key 'f8a874a612076d44428769c446e22c183b69f8c1136d4d2a9a822b5e3bc2ab8e': 'null'
2023-08-09 14:11:33,578 DEBUG [qtp574434418-16] e46df1b4-d244-4b6d-a1bc-5cd1b00d0ec9 [jans.as.common.service.common.UserService] (UserService.java:78) - Getting user information from LDAP: userId = V1
2023-08-09 14:11:33,586 DEBUG [qtp574434418-16] e46df1b4-d244-4b6d-a1bc-5cd1b00d0ec9 [jans.as.common.service.common.UserService] (UserService.java:93) - Found 1 entries for user id = V1
2023-08-09 14:11:33,586 TRACE [qtp574434418-16] e46df1b4-d244-4b6d-a1bc-5cd1b00d0ec9 [io.jans.service.BaseCacheService] (BaseCacheService.java:38) - Request data, key 'inum=6ea5a2cc-2ead-4200-aa7c-56bb6233ad96,ou=clients,o=jans'
2023-08-09 14:11:33,586 TRACE [qtp574434418-16] e46df1b4-d244-4b6d-a1bc-5cd1b00d0ec9 [io.jans.service.BaseCacheService] (BaseCacheService.java:40) - Loaded data, key 'inum=6ea5a2cc-2ead-4200-aa7c-56bb6233ad96,ou=clients,o=jans': 'DeletableEntity{expirationDate=null, deletable=false} BaseEntry [dn=inum=6ea5a2cc-2ead-4200-aa7c-56bb6233ad96,ou=clients,o=jans]'
2023-08-09 14:11:33,586 TRACE [qtp574434418-16] e46df1b4-d244-4b6d-a1bc-5cd1b00d0ec9 [io.jans.service.BaseCacheService] (BaseCacheService.java:59) - Loaded from cache, key: 'inum=6ea5a2cc-2ead-4200-aa7c-56bb6233ad96,ou=clients,o=jans'
2023-08-09 14:11:33,586 DEBUG [qtp574434418-16] e46df1b4-d244-4b6d-a1bc-5cd1b00d0ec9 [io.jans.as.server.service.ClientService] (ClientService.java:152) - Found 1 entries for client id = 6ea5a2cc-2ead-4200-aa7c-56bb6233ad96
2023-08-09 14:11:33,587 TRACE [qtp574434418-16] e46df1b4-d244-4b6d-a1bc-5cd1b00d0ec9 [jans.as.server.uma.service.UmaScopeService] (UmaScopeService.java:222) - Uma scope ids: [approve], ldapFilter: (|(jansId=approve))
2023-08-09 14:11:33,591 TRACE [qtp574434418-16] e46df1b4-d244-4b6d-a1bc-5cd1b00d0ec9 [jans.as.server.uma.service.UmaScopeService] (UmaScopeService.java:222) - Uma scope ids: [approve], ldapFilter: (|(jansId=approve))
2023-08-09 14:11:33,603 ERROR [qtp574434418-16] e46df1b4-d244-4b6d-a1bc-5cd1b00d0ec9 [jans.as.server.uma.service.UmaPermissionService] (UmaPermissionService.java:119) - Failed to persist entry: 'jansTicket=90df84e9-f8d6-4832-b04b-04e860782e97,ou=uma_permission,inum=6ea5a2cc-2ead-4200-aa7c-56bb6233ad96,ou=clients,o=jans'
io.jans.orm.exception.EntryPersistenceException: Failed to persist entry: 'jansTicket=90df84e9-f8d6-4832-b04b-04e860782e97,ou=uma_permission,inum=6ea5a2cc-2ead-4200-aa7c-56bb6233ad96,ou=clients,o=jans'
	at io.jans.orm.sql.impl.SqlEntryManager.persist(SqlEntryManager.java:217) ~[jans-orm-sql-1.0.17-SNAPSHOT.jar:?]
	at io.jans.orm.impl.BaseEntryManager.persist(BaseEntryManager.java:115) ~[jans-orm-core-1.0.17-SNAPSHOT.jar:?]
	at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
	at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
	at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
	at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
	at org.jboss.weld.bean.proxy.AbstractBeanInstance.invoke(AbstractBeanInstance.java:38) ~[weld-core-impl-4.0.3.Final.jar:4.0.3.Final]
	at org.jboss.weld.bean.proxy.ProxyMethodHandler.invoke(ProxyMethodHandler.java:106) ~[weld-core-impl-4.0.3.Final.jar:4.0.3.Final]
	at io.jans.orm.PersistenceEntryManager$EntityManager$2057902728$Proxy$_$$_WeldClientProxy.persist(Unknown Source) ~[jans-orm-core-1.0.17-SNAPSHOT.jar:?]
	at io.jans.as.server.uma.service.UmaPermissionService.addPermission(UmaPermissionService.java:117) ~[classes/:?]
	at io.jans.as.server.uma.service.UmaPermissionService.addPermission(UmaPermissionService.java:91) ~[classes/:?]
	at io.jans.as.server.uma.ws.rs.UmaPermissionRegistrationWS.registerPermission(UmaPermissionRegistrationWS.java:84) ~[classes/:?]
	at io.jans.as.server.uma.ws.rs.UmaPermissionRegistrationWS$Proxy$_$$_WeldClientProxy.registerPermission(Unknown Source) ~[classes/:?]
	at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
	at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
	at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
	at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
	at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:170) ~[resteasy-core-6.0.3.Final.jar:6.0.3.Final]
	at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:130) ~[resteasy-core-6.0.3.Final.jar:6.0.3.Final]
	at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:660) ~[resteasy-core-6.0.3.Final.jar:6.0.3.Final]
	at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:524) ~[resteasy-core-6.0.3.Final.jar:6.0.3.Final]
	at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$2(ResourceMethodInvoker.java:474) ~[resteasy-core-6.0.3.Final.jar:6.0.3.Final]
	at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:364) ~[resteasy-core-6.0.3.Final.jar:6.0.3.Final]
	at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:476) ~[resteasy-core-6.0.3.Final.jar:6.0.3.Final]
	at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:434) ~[resteasy-core-6.0.3.Final.jar:6.0.3.Final]
	at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:408) ~[resteasy-core-6.0.3.Final.jar:6.0.3.Final]
	at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:69) ~[resteasy-core-6.0.3.Final.jar:6.0.3.Final]
	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:492) ~[resteasy-core-6.0.3.Final.jar:6.0.3.Final]
	at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:261) ~[resteasy-core-6.0.3.Final.jar:6.0.3.Final]
	at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:161) ~[resteasy-core-6.0.3.Final.jar:6.0.3.Final]
	at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:364) ~[resteasy-core-6.0.3.Final.jar:6.0.3.Final]
	at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:164) ~[resteasy-core-6.0.3.Final.jar:6.0.3.Final]
	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:247) ~[resteasy-core-6.0.3.Final.jar:6.0.3.Final]
	at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:249) ~[resteasy-core-6.0.3.Final.jar:6.0.3.Final]
	at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:60) ~[resteasy-core-6.0.3.Final.jar:6.0.3.Final]
	at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55) ~[resteasy-core-6.0.3.Final.jar:6.0.3.Final]
	at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:587) ~[jetty-jakarta-servlet-api-5.0.2.jar:?]
	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:764) ~[?:?]
	at org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1665) ~[?:?]
	at io.jans.as.server.audit.debug.ServletLoggingFilter.doFilter(ServletLoggingFilter.java:69) ~[classes/:?]
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:210) ~[jetty-servlet-11.0.15.jar:11.0.15]
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635) ~[jetty-servlet-11.0.15.jar:11.0.15]
	at io.jans.as.server.filter.CorrelationIdFilter.doFilter(CorrelationIdFilter.java:49) ~[classes/:?]
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202) ~[jetty-servlet-11.0.15.jar:11.0.15]
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635) ~[jetty-servlet-11.0.15.jar:11.0.15]
	at io.jans.server.filters.AbstractCorsFilter.handleNonCORS(AbstractCorsFilter.java:357) ~[jans-core-server-1.0.17-SNAPSHOT.jar:?]
	at io.jans.server.filters.AbstractCorsFilter.doFilter(AbstractCorsFilter.java:123) ~[jans-core-server-1.0.17-SNAPSHOT.jar:?]
	at io.jans.as.server.filter.CorsFilter.doFilter(CorsFilter.java:116) ~[classes/:?]
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202) ~[jetty-servlet-11.0.15.jar:11.0.15]
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635) ~[jetty-servlet-11.0.15.jar:11.0.15]
	at org.eclipse.jetty.websocket.servlet.WebSocketUpgradeFilter.doFilter(WebSocketUpgradeFilter.java:170) ~[websocket-servlet-11.0.15.jar:11.0.15]
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202) ~[jetty-servlet-11.0.15.jar:11.0.15]
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635) ~[jetty-servlet-11.0.15.jar:11.0.15]
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:527) ~[jetty-servlet-11.0.15.jar:11.0.15]
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:131) ~[?:?]
	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:578) ~[jetty-security-11.0.15.jar:11.0.15]
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122) ~[?:?]
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:223) ~[?:?]
	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1570) ~[jetty-server-11.0.15.jar:11.0.15]
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:221) ~[?:?]
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1381) ~[jetty-server-11.0.15.jar:11.0.15]
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:176) ~[?:?]
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:484) ~[jetty-servlet-11.0.15.jar:11.0.15]
	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1543) ~[jetty-server-11.0.15.jar:11.0.15]
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:174) ~[?:?]
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1303) ~[jetty-server-11.0.15.jar:11.0.15]
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:129) ~[?:?]
	at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:192) ~[?:?]
	at org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:51) ~[?:?]
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122) ~[?:?]
	at org.eclipse.jetty.server.Server.handle(Server.java:563) ~[?:?]
	at org.eclipse.jetty.server.HttpChannel.lambda$handle$0(HttpChannel.java:505) ~[?:?]
	at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:762) ~[?:?]
	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:497) ~[?:?]
	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:282) ~[?:?]
	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:314) ~[?:?]
	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100) ~[?:?]
	at org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53) ~[?:?]
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:969) ~[?:?]
	at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.doRunJob(QueuedThreadPool.java:1194) ~[?:?]
	at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1149) ~[?:?]
	at java.lang.Thread.run(Thread.java:829) ~[?:?]
Caused by: io.jans.orm.exception.operation.PersistenceException: Failed to add entry
	at io.jans.orm.sql.operation.impl.SqlOperationServiceImpl.addEntryImpl(SqlOperationServiceImpl.java:213) ~[jans-orm-sql-1.0.17-SNAPSHOT.jar:?]
	at io.jans.orm.sql.operation.impl.SqlOperationServiceImpl.addEntry(SqlOperationServiceImpl.java:177) ~[jans-orm-sql-1.0.17-SNAPSHOT.jar:?]
	at io.jans.orm.sql.impl.SqlEntryManager.persist(SqlEntryManager.java:212) ~[jans-orm-sql-1.0.17-SNAPSHOT.jar:?]
	... 81 more
Caused by: com.querydsl.core.QueryException: Caught SQLIntegrityConstraintViolationException for insert into gluu.jansUmaResourcePermission (jansAttrs, jansConfCode, del, exp, jansResourceSetId, jansUmaScope, jansTicket, objectClass, dn, doc_id)
values (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
	at com.querydsl.sql.DefaultSQLExceptionTranslator.translate(DefaultSQLExceptionTranslator.java:50) ~[querydsl-sql-4.4.0.jar:?]
	at com.querydsl.sql.Configuration.translate(Configuration.java:508) ~[querydsl-sql-4.4.0.jar:?]
	at com.querydsl.sql.dml.AbstractSQLInsertClause.execute(AbstractSQLInsertClause.java:437) ~[querydsl-sql-4.4.0.jar:?]
	at io.jans.orm.sql.operation.impl.SqlOperationServiceImpl.addEntryImpl(SqlOperationServiceImpl.java:209) ~[jans-orm-sql-1.0.17-SNAPSHOT.jar:?]
	at io.jans.orm.sql.operation.impl.SqlOperationServiceImpl.addEntry(SqlOperationServiceImpl.java:177) ~[jans-orm-sql-1.0.17-SNAPSHOT.jar:?]
	at io.jans.orm.sql.impl.SqlEntryManager.persist(SqlEntryManager.java:212) ~[jans-orm-sql-1.0.17-SNAPSHOT.jar:?]
	... 81 more
Caused by: java.sql.SQLIntegrityConstraintViolationException: Duplicate entry '90df84e9-f8d6-4832-b04b-04e860782e97' for key 'jansUmaResourcePermission.PRIMARY'
	at com.mysql.cj.jdbc.exceptions.SQLError.createSQLException(SQLError.java:117) ~[mysql-connector-j-8.0.32.jar:8.0.32]
	at com.mysql.cj.jdbc.exceptions.SQLExceptionsMapping.translateException(SQLExceptionsMapping.java:122) ~[mysql-connector-j-8.0.32.jar:8.0.32]
	at com.mysql.cj.jdbc.ClientPreparedStatement.executeInternal(ClientPreparedStatement.java:916) ~[mysql-connector-j-8.0.32.jar:8.0.32]
	at com.mysql.cj.jdbc.ClientPreparedStatement.executeUpdateInternal(ClientPreparedStatement.java:1061) ~[mysql-connector-j-8.0.32.jar:8.0.32]
	at com.mysql.cj.jdbc.ClientPreparedStatement.executeUpdateInternal(ClientPreparedStatement.java:1009) ~[mysql-connector-j-8.0.32.jar:8.0.32]
	at com.mysql.cj.jdbc.ClientPreparedStatement.executeLargeUpdate(ClientPreparedStatement.java:1320) ~[mysql-connector-j-8.0.32.jar:8.0.32]
	at com.mysql.cj.jdbc.ClientPreparedStatement.executeUpdate(ClientPreparedStatement.java:994) ~[mysql-connector-j-8.0.32.jar:8.0.32]
	at org.apache.commons.dbcp2.DelegatingPreparedStatement.executeUpdate(DelegatingPreparedStatement.java:136) ~[commons-dbcp2-2.9.0.jar:2.9.0]
	at org.apache.commons.dbcp2.DelegatingPreparedStatement.executeUpdate(DelegatingPreparedStatement.java:136) ~[commons-dbcp2-2.9.0.jar:2.9.0]
	at com.querydsl.sql.dml.AbstractSQLInsertClause.execute(AbstractSQLInsertClause.java:415) ~[querydsl-sql-4.4.0.jar:?]
	at io.jans.orm.sql.operation.impl.SqlOperationServiceImpl.addEntryImpl(SqlOperationServiceImpl.java:209) ~[jans-orm-sql-1.0.17-SNAPSHOT.jar:?]
	at io.jans.orm.sql.operation.impl.SqlOperationServiceImpl.addEntry(SqlOperationServiceImpl.java:177) ~[jans-orm-sql-1.0.17-SNAPSHOT.jar:?]
	at io.jans.orm.sql.impl.SqlEntryManager.persist(SqlEntryManager.java:212) ~[jans-orm-sql-1.0.17-SNAPSHOT.jar:?]
	... 81 more
2023-08-09 14:11:33,638 TRACE [qtp574434418-16] e46df1b4-d244-4b6d-a1bc-5cd1b00d0ec9 [io.jans.server.filters.AbstractCorsFilter] (AbstractCorsFilter.java:805) - after doFilter: request method POST to URI /jans-auth/restv1/host/rsrc_pr, corsType NOT_CORS, attributes [cors.isCorsRequest = false,org.jboss.weld.module.web.servlet.ConversationContextActivator.contextActivatedInRequest = true,org.jboss.weld.context.ignore.guard.marker = java.lang.Object@2640a2cc,org.jboss.resteasy.core.ResourceMethodInvoker = org.jboss.resteasy.core.ResourceMethodInvoker@346418aa,org.jboss.weld.context.http.HttpRequestContext#WELD%ManagedBean%STATIC_INSTANCE|/jans-auth_/WEB-INF/classes|io.jans.as.server.uma.ws.rs.UmaPermissionRegistrationWS|null|1 = Bean: ForwardingBean null for Managed Bean [class io.jans.as.server.uma.ws.rs.UmaPermissionRegistrationWS] with qualifiers [@Any @Default]; Instance: io.jans.as.server.uma.ws.rs.UmaPermissionRegistrationWS@5336197f; CreationalContext: org.jboss.weld.contexts.CreationalContextImpl@4674106,RESTEASY_CHOSEN_ACCEPT = application/json;resteasy-server-has-produces=true], headers [Cookie = X-Correlation-Id=4950cdfb-0143-4cf1-b5ac-624381fb4bbe,Authorization = Bearer eyJraWQiOiJjb25uZWN0X2M0MjdlOTUwLThhNmItNDcxYy05MjZmLWQ2ZmIyNGFiMzY0M19zaWdfcnMyNTYiLCJ0eXAiOiJqd3QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiI2ZWE1YTJjYy0yZWFkLTQyMDAtYWE3Yy01NmJiNjIzM2FkOTYiLCJzdWIiOiI1R3BiQ09tT1dPUENVNGtTdXVOdGdSQWo3SEEtZ2pQc1hnZjlwRGFqWTJFIiwieDV0I1MyNTYiOiIiLCJjb2RlIjoiNzAxZDkzZDItNzRjYS00MjM4LWExNDAtYjE4ZTQ2Y2E3M2FmIiwic2NvcGUiOlsidW1hX3Byb3RlY3Rpb24iXSwiaXNzIjoiaHR0cHM6Ly9nbHV1IiwidG9rZW5fdHlwZSI6IkJlYXJlciIsImV4cCI6MTY5MTc2MTEzNSwiaWF0IjoxNjkxNTg4NTYwLCJjbGllbnRfaWQiOiI2ZWE1YTJjYy0yZWFkLTQyMDAtYWE3Yy01NmJiNjIzM2FkOTYiLCJ1c2VybmFtZSI6IlYxIn0.aSPu7e8zxshuDxKHk4R3Dhv1vJFNVujSK9ixrb-bUZerxkRweIGDpqgXxfco-trbM24bxJuJxAC5YbK1CCkSKmHletou8irdxp9gBDPGa3w4tgm-j2YPcFi2Myqg4hUIX2BE0TD8E-yyx3Xc4qI_1osl0ZTci-GuGZoV2YDZM79wJ8VeURGLunnHYcfVHYH30o93n1g8OcqHbH0YeJt5FISFTKcAeXieaxuSFyg5e3WVSKIdydJViQDakI02x7keQabhddsxfWomE1y5lBn4BbFncrqP_PLsUK886yjH5BMiNQRZ3asacsDtuBrNH5Uxi-p_2fD_8iZQvVeewu69zA,Accept = */*,User-Agent = insomnia/2023.4.0,X-Forwarded-Proto = https,X-Forwarded-Host = gluu,Connection = keep-alive,X-Forwarded-For = 172.23.0.1,Host = gluu,Content-Length = 208,X-Forwarded-Server = gluu,Content-Type = application/json]
2023-08-09 14:11:36,740 DEBUG [Jans AuthScheduler_Worker-3]  [io.jans.service.timer.RequestJobListener] (RequestJobListener.java:59) - Bound request started
2023-08-09 14:11:36,741 DEBUG [Jans AuthScheduler_Worker-3]  [io.jans.service.timer.TimerJob] (TimerJob.java:42) - Fire timer event [io.jans.service.cdi.event.ConfigurationEvent] with qualifiers [@io.jans.service.cdi.event.Scheduled()] from instance 1415676752
2023-08-09 14:11:36,742 DEBUG [Jans AuthScheduler_Worker-3]  [io.jans.service.timer.RequestJobListener] (RequestJobListener.java:69) - Bound request ended
2023-08-09 14:11:36,747 TRACE [Thread-526]  [jans.as.server.model.config.ConfigurationFactory] (ConfigurationFactory.java:281) - LDAP revision: 14, server revision: 14

yuriyz Aug 9, 2023
Maintainer

Hmm, request looks good to me. It must be bug. As workaround simply run it one by one.

Opened bug report to invetigate and fix #5814

Answer selected by siedlejo

siedlejo Aug 9, 2023
Author

Alright, thank you for the confirmation.

siedlejo · 2023-08-09T14:38:12Z

siedlejo
Aug 9, 2023
Author

I also got another issue. I tried to change the "sub" value in the generated access tokens to the name of the requesting user. In order to do so, I set the property value "openidSubAttribute" to "givenName". However, the value in the generated JWT token does not change at all. I also tried other values for the property such as "uid" or "inum" but the result I get is always the same string (which btw seems to be random to me). Maybe I should also mention that I installed Janssen following the docker compose installation instructions (https://docs.jans.io/v1.0.16/admin/install/docker-install/compose/) which reference the following docker image ghcr.io/janssenproject/jans/monolith:1.0.14_dev. Just to be sure that this is not an issue caused by a deprecated version. Here is an excerpt of the decoded payload of my access token:

{
  "aud": "6ea5a2cc-2ead-4200-aa7c-56bb6233ad96",
  "sub": "5GpbCOmOWOPCU4kSuuNtgRAj7HA-gjPsXgf9pDajY2E",
  "scope": [
    "uma_protection"
  ],
  "token_type": "Bearer",
  "exp": 1691762108,
  "iat": 1691591222,
  "client_id": "6ea5a2cc-2ead-4200-aa7c-56bb6233ad96",
  "username": "V1"
}

2 replies

yuriyz Aug 9, 2023
Maintainer

Please check subject identifier doc here: https://github.com/JanssenProject/jans/blob/169f060debc9eecf03ec6edfe06d446138d496d4/docs/admin/auth-server/openid-features/subject-identifiers.md

And here is link to actual implementation so you will see exactly how value is calculated.

jans/jans-auth-server/server/src/main/java/io/jans/as/server/service/SectorIdentifierService.java

Line 101 in 6c1caa1

public String getSub(Client client, User user, boolean isCibaGrant) {

siedlejo Aug 9, 2023
Author

Oh my bad. Thanks a lot!

siedlejo · 2023-08-09T15:32:20Z

siedlejo
Aug 9, 2023
Author

@yuriyz One last question: I want to include the 'sub' claim in the RPT as well. I have found the option to add an "UMA RPT Claims" script but I cannot find any documentation about how this script should look like. I have also seen the field 'RPT Modification Script' in the client settings under 'CIBA/PAT/UMA/' (in TUI). I guess this can be used to reference the RPT Modification Script. Can you tell me if there is any documentation or examples about how to do add the sub claim to the resulting RPT

12 replies

siedlejo Aug 10, 2023
Author

The creation of the RPT works as expected. I am passing an id token and receive a RPT incljuding the correct sub claim. One xample would be the following: eyJraWQiOiJjb25uZWN0X2M0MjdlOTUwLThhNmItNDcxYy05MjZmLWQ2ZmIyNGFiMzY0M19zaWdfcnMyNTYiLCJ0eXAiOiJqd3QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiI2ZWE1YTJjYy0yZWFkLTQyMDAtYWE3Yy01NmJiNjIzM2FkOTYiLCJzdWIiOiJWMSIsInBjdF9jbGFpbXMiOnsic2NvcGUiOlsidW1hX3Byb3RlY3Rpb24iXSwiZXhwIjoxNjkxNzY5Mjg4LCJpYXQiOjE2OTE2NTc2NjV9LCJwZXJtaXNzaW9ucyI6W3sicmVzb3VyY2Vfc2NvcGVzIjpbImFwcHJvdmUiXSwicmVzb3VyY2VfaWQiOiJlZTVkMGMyOS1mZTRiLTRiNmMtYWIyNy05NjdkYjY3MjMwZWEiLCJleHAiOjE2OTE2NjE1ODEsInBhcmFtcyI6bnVsbH1dLCJpc3MiOiJodHRwczovL2dsdXUiLCJleHAiOjE2OTE2NjM5MjQsImlhdCI6MTY5MTY2MDMyNCwiY2xpZW50X2lkIjoiNmVhNWEyY2MtMmVhZC00MjAwLWFhN2MtNTZiYjYyMzNhZDk2In0.UDJ4rdtNhxA0XyrjVZ0GywcvsrZ1Wplxojx10hku-n5aTEaXm1BU7_g0-dmCMrd_6wa9c2CK9RIyV8GyxC4yxGUAMluVym766L7qT7rYNwIiGzSmsTS8jk8Dti1o4307vd5R91qkAENo2HxE04iJJFrfodSlc743vFK7I39K4A2Lsar4aYt0E8KJN-yo-_TB7twI6sQWFs6dr4_NQFJzKU2VazoQ_wfRjdzk8JZRETJzkylmOtb03XE7R31KvG1clW5aniBfAAq9axjtVndhXBd584FaQnsqV1kFrQiZV5yOU0yBDWaGbmWLfPYR6P2eo4hAu9vForZxwikY6qg07Q

The issue I am having is that the introspection endpoint (/rpt/status) doesn't return the given sub. Therefore I tried to get the sub claim via the passed token parameter. You can see my script here:

def modify(self, rptAsJsonObject, context):
        token = context.getHttpRequest().getParameter("claim_token")
        
        // this is the case when using the introspection endpoint
        if token is None:
            token = context.getHttpRequest().getParameter("token") // returns the RPT as expected
            authorizationGrantList = CdiUtil.bean(AuthorizationGrantList)
            authorizationGrant = authorizationGrantList.getAuthorizationGrantByAccessToken(token); // returns null
            if authorizationGrant is None:
                rptAsJsonObject.accumulate("sub", authorizationGrant.getSub())
                return True
        
        // this works for the token endpoint
        else:
            authorizationGrantList = CdiUtil.bean(AuthorizationGrantList)
            authorizationGrant = authorizationGrantList.getAuthorizationGrantByAccessToken(token);
            if authorizationGrant is not None:
                rptAsJsonObject.accumulate("sub", authorizationGrant.getUser().getUserId())
                return True

        return False

yuriyz Aug 10, 2023
Maintainer

I guess I'm not following. Above you have RPT as JWT, why would you need introspection ?
If you want simply translate JWT over introspection than pseudo code would be:

var rptAsJwt = context.getHttpRequest().getParameter("token");
rptAsJsonObject.accumulate("sub", Jwt.parseSilently(rptAsJwt).getClaims().getClaimAsString("sub"))

siedlejo Aug 10, 2023
Author

Because in the end I want to use reference based RPTs. I'm just using jwt tokens for now because it is easier to debug

siedlejo Aug 11, 2023
Author

What I am missing at this point is basically a method I can use to tansform the reference based RPT to a JWT token in the RPT Claims script

yuriyz Aug 11, 2023
Maintainer

Simply fetch full UmaRPT object and construct JWT.

io.jans.as.server.uma.service.UmaRptService#getRPTByCode

var rptService = CdiUtil.bean(UmaRptService)
var rptObject = rptService.getRPTByCode(rptReference)

jans/jans-auth-server/server/src/main/java/io/jans/as/server/uma/service/UmaRptService.java

Line 126 in 6c1caa1

public UmaRPT getRPTByCode(String rptCode) {

Here you can see how AS constructs RPT JWT:

jans/jans-auth-server/server/src/main/java/io/jans/as/server/uma/service/UmaRptService.java

Line 238 in 6c1caa1

    
           private String createRptJwt(ExecutionContext executionContext, List<UmaPermission> permissions, Date creationDate, Date expirationDate) throws Exception {

nynymike · 2023-08-10T02:46:35Z

nynymike
Aug 10, 2023
Maintainer

UMA does not have a ton of adoption. I'd be curious to hear the use case. Or is this just academic?

1 reply

siedlejo Aug 10, 2023
Author

Is it for academic purposes indeed. I am looking into protocols which natively support user based access control via access tokens.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Include multiple permissions in one RPT #5809

{{title}}

Replies: 5 comments 18 replies

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

Include multiple permissions in one RPT #5809

siedlejo Aug 9, 2023

Replies: 5 comments · 18 replies

ossdhaval Aug 9, 2023 Maintainer

yuriyz Aug 9, 2023 Maintainer

siedlejo Aug 9, 2023 Author

yuriyz Aug 9, 2023 Maintainer

siedlejo Aug 9, 2023 Author

siedlejo Aug 9, 2023 Author

yuriyz Aug 9, 2023 Maintainer

siedlejo Aug 9, 2023 Author

siedlejo Aug 9, 2023 Author

siedlejo Aug 10, 2023 Author

yuriyz Aug 10, 2023 Maintainer

siedlejo Aug 10, 2023 Author

siedlejo Aug 11, 2023 Author

yuriyz Aug 11, 2023 Maintainer

nynymike Aug 10, 2023 Maintainer

siedlejo Aug 10, 2023 Author

siedlejo
Aug 9, 2023

Replies: 5 comments 18 replies

ossdhaval
Aug 9, 2023
Maintainer

yuriyz
Aug 9, 2023
Maintainer

siedlejo Aug 9, 2023
Author

yuriyz Aug 9, 2023
Maintainer

siedlejo Aug 9, 2023
Author

siedlejo
Aug 9, 2023
Author

yuriyz Aug 9, 2023
Maintainer

siedlejo Aug 9, 2023
Author

siedlejo
Aug 9, 2023
Author

siedlejo Aug 10, 2023
Author

yuriyz Aug 10, 2023
Maintainer

siedlejo Aug 10, 2023
Author

siedlejo Aug 11, 2023
Author

yuriyz Aug 11, 2023
Maintainer

nynymike
Aug 10, 2023
Maintainer

siedlejo Aug 10, 2023
Author