Complex JWT placeholder subject mapping - Keycloak RPT integration

[pedro-nicolau-carvalho]

Hello,

I am currently integrating Keycloak with Eclipse Ditto. Since granting user permissions is done elsewhere from ditto, my idea is to map specific resources and scopes as subjects in Ditto and use a user's RPT token as the input of this mapping. The RPT token, granted by keycloak, is a JWT token that contains some user's permissions. The structure is as follows:

{
  "authorization": {
      "permissions": [
        {
          "scopes": [ "device.read" ],
          "resource_set_id": "d2fe9843-6462-4bfc-baba-b5787bb6e0e7",
          "resource_set_name": "Device 1"
        },
        {
          "scopes": [ "device.read", "device.write" ],
          "resource_set_id": "d2fe9843-6462-4bfc-baba-b5787bb6e0e7",
          "resource_set_name": "Device 12
        }
      ]
  },
  "jti": "d6109a09-78fd-4998-bf89-95730dfd0892-1464906679405",
  "exp": 1464906971,
  "nbf": 0,
  "iat": 1464906671,
  "sub": "f1888f4d-5172-4359-be0c-af338505d86c",
  "typ": "kc_ett",
  "azp": "hello-world-authz-service"
}

my idea is to then, from this RPT, generate subjects:

• d2fe9843-6462-4bfc-baba-b5787bb6e0e7#device.read
• d2fe9843-6462-4bfc-baba-b5787bb6e0e7#device.read
• d2fe9843-6462-4bfc-baba-b5787bb6e0e7#device.write.
  With these subjects, a policy for a thing would include these subjects in the appropriate place (e.g. subject d2fe9843-6462-4bfc-baba-b5787bb6e0e7#device.read would be granted permission to read thing d2fe9843-6462-4bfc-baba-b5787bb6e0e7).

I have tried using jwt placeholders to convert the JWT token to the format I require, but I am not sure if it is possible. It seems that the supported json operations are very limited. For example, using the token structure above:

• JSON pointer indexing does not work (example: authorization/permissions/0)
• Can't do operations in nested objects. To reach something like resource_set_id#scope, I would have to do something like {{ jwt:authorization/permissions | join(resource_set_id, scopes, '#') }} (join function is merely ilustrative). The issue here is everything to the output of jwt:claim is acted on as a string and not as objects themselves.

Am I correct in assuming that the mapping I want is not currently possible using placeholders?

Thank you.

[thjaeckle]

Hi @pedro-nicolau-carvalho

The JWT placeholder is quite mighty:
https://eclipse.dev/ditto/basic-placeholders.html#scope-openid-connect-configuration

It e.g. has a special handling for JSON arrays (and even JSON objects in arrays) - iterating over all entries and "multiplying" the result.

However, it seems we did not consider yet the "array in array" use case.
It also seems that only arrays in "root level" are currently supported .. I would say this is a bug, that should work also in nested structures.
I will create a ticket for that and can provide a fix.

What you however want to achieve is not yet supported, I fear .. selecting and combining fields only "on the same level".
But that is a very valid and useful use case. 👍
We could track that as new issue, I am open for suggestions regarding syntax (probably a function as you suggested would be needed).

[pedro-nicolau-carvalho]

It e.g. has a special handling for JSON arrays (and even JSON objects in arrays) - iterating over all entries and "multiplying" the result.

Is it currently possible to extract a property from a nested JSON object in an array without parsing the JSON object as a string? For example, using the structure from the RPT, is it possible to extract the resource_set_idas the authorization subjects? I have tried using {{ jwt:authorization/permissions/resource_set_id }} and {{ jwt:authorization/permissions/0/resource_set_id }} but without luck

[thjaeckle]

As mentioned: It should be possible .. however it currently only seems to work if the array is directly at the "first level" of the JSON, see created bug issue #1985

For example, using the structure from the RPT, is it possible to extract the resource_set_idas the authorization subjects? I have tried using {{ jwt:authorization/permissions/resource_set_id }} and {{ jwt:authorization/permissions/0/resource_set_id }} but without luck

Yes, that unfortunately is affected by the bug :/

{{ jwt:authorization/permissions/resource_set_id }} should work that way ..
Using the array-index is not supported ..

[thjaeckle]

With the recently released Ditto 3.6.0 the Bugfix regarding JWT claim parsing in arrays of objects was resolved.

Closing this question..

[malavikaiplon]

Hello,

Currently i am facing issue with integrating keycloak with eclipse ditto(3.6.1) installed using docker-compose file i followed the steps given official documentation like below

1. i have added the keycloak issuer url
   

2. After up all the services i tried to create a ditto policy with below json with bearer token generated from the issuer of given sub
   {
   "policyId": "my.test:policy",
   "entries": {
   "owner": {
   "subjects": {
   "keycloak:93948f84-1427-4bd3-a4d0-93cd53a08b73": {
   "type": "keycloak user"
   }
   },
   "resources": {
   "thing:/": {
   "grant": ["READ","WRITE"],
   "revoke": []
   },
   "policy:/": {
   "grant": ["READ","WRITE"],
   "revoke": []
   },
   "message:/": {
   "grant": ["READ","WRITE"],
   "revoke": []
   }
   }
   },

    "observer": {
        "subjects": {
            "keycloak:93948f84-1427-4bd3-a4d0-93cd53a08b73": {
                "type": "keycloak user"
            }
        },
        "resources": {
            "thing:/": {
                "grant": ["READ"],
                "revoke": []
            },
            "policy:/": {
                "grant": ["READ"],
                "revoke": []
            },
            "message:/": {
                "grant": ["READ"],
                "revoke": []
            }
        }
    }
   

   }
   }
   but i couldn't create the policy getting the below mention error {
   "status": 403,
   "error": "policies:policy.notcreatable",
   "message": "The Policy with ID 'my.test:policy' could not be created as the requester had insufficient permissions.",
   "description": "Check if you have sufficient permissions in the new policy to create."
   }

please can anyone help me in this ?? Thanks in Advance

[thjaeckle]

@malavikaiplon which auth subjects does the user have with which you call the policies API?
You can check by invoking the API:

GET /api/2/whoami

[malavikaiplon]

Hi @thjaeckle
/api/2/whoami this giving below results {
"defaultSubject": "nginx:",
"subjects": [
"nginx:"
]
} i also have doubt like why does the gateway service log not giving any connection logs of my OIDC issuer (keycloak) after i configure it in gateway.conf , i am not sure where i am missing

[thjaeckle]

You seem to still have pre-authentication (https://eclipse.dev/ditto/installation-operating.html#pre-authentication) enabled - but your nginx does not authenticate a user.

[malavikaiplon]

Hi @thjaeckle ,

after i disabled the preauthentication i am getting the following error message from /api/2/whoami {
"status": 401,
"error": "gateway:jwt.issuer.notsupported",
"message": "The JWT issuer 'http://keycloak-test.test.co.in/auth/realms/master' is not supported.",
"description": "Check if your JWT is correct."
} gateway log also showing
2025-01-16 05:40:25,466 INFO [][] o.e.d.g.s.s.a.j.DittoPublicKeyProvider - The JWT issuer http://keycloak-test.test.co.in/auth/realms/master is not included in Ditto's gateway configuration at 'ditto.gateway.authentication.oauth.openid-connect-issuers', supported are: <JwtSubjectIssuersConfig[protocolPrefix=https://, subjectIssuerConfigMap={accounts.google.com=JwtSubjectIssuerConfig [subjectIssuer=google, issuers=[accounts.google.com], authSubjectTemplates=[{{jwt:sub}}]], https://accounts.google.com=JwtSubjectIssuerConfig [subjectIssuer=google, issuers=[accounts.google.com], authSubjectTemplates=[{{jwt:sub}}]]}]>
Here is my configuration

do i need to configure anything else ??

[thjaeckle]

Please share how you apply your configuation.
As a mount in the container?
As environment variables?

[malavikaiplon]

hi @thjaeckle ,

here is my docker-compose.yaml gateway service configuration
gateway:
image: docker.io/eclipse/ditto-gateway:${DITTO_VERSION:-latest}
mem_limit: 512m
restart: always
networks:
default:
aliases:
- ditto-cluster
depends_on:
- policies
ports:
- "8081:8080"
environment:
- TZ=Europe/Berlin
- INSTANCE_INDEX=1
- BIND_HOSTNAME=0.0.0.0
- ENABLE_PRE_AUTHENTICATION=false
- ENABLE_DUMMY_AUTH=true
- OPENJ9_JAVA_OPTIONS=-XX:+ExitOnOutOfMemoryError -Xtune:virtualized -Xss512k -XX:MaxRAMPercentage=80 -Dakka.coordinated-shutdown.exit-jvm=on -Dakka.cluster.shutdown-after-unsuccessful-join-seed-nodes=120s
command: java -Dditto.gateway.authentication.devops.password=foobar -Dditto.gateway.authentication.oauth.protocol=http -Dditto.gateway.authentication.oauth.openid-connect-issuers.keycloak=keycloak-test.test.co.in/auth/realms/master -jar starter.jar

i followed this #876 but i couldn't up the gateway services with this configuration. it keep restarting gateway service and getting this error from gateway log
Error: Unable to access jarfile starter.jar
Error: Unable to access jarfile starter.jar
Error: Unable to access jarfile starter.jar

[thjaeckle]

-Dditto.gateway.authentication.oauth.openid-connect-issuers.keycloak=keycloak-test.test.co.in/auth/realms/master

This is wrong.
As documented this needs to be:

-Dditto.gateway.authentication.oauth.openid-connect-issuers.keycloak.issuer=keycloak-test.test.co.in/auth/realms/master