[BUG] Unconsumed parameter exception when authenticating with jwtUrlParameter #3977

Closed
cwperks opened this issue Jan 23, 2024 · 2 comments
Labels
bug Something isn't working triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable.

Comments

@cwperks
Member

cwperks commented Jan 23, 2024

What is the bug?

Discovered this bug when analyzing #3949. There is a regression in authentication with the jwtUrlParameter where it fails to consume the parameter and responds with illegal_argument_exception: contains unrecognized parameter:

Suite: Test class org.opensearch.security.http.JwtAuthenticationTests
  2> java.lang.AssertionError: Expected status code is '200', but was '400'. Response body '{"error":{"root_cause":[{"type":"illegal_argument_exception","reason":"request [/_opendistro/_security/authinfo] contains unrecognized parameter: [token]"}],"type":"illegal_argument_exception","reason":"request [/_opendistro/_security/authinfo] contains unrecognized parameter: [token]"},"status":400}'.
    Expected: <200>
         but: was <400>
        at __randomizedtesting.SeedInfo.seed([100EFB1C515D00AA:4401D6965CA5081E]:0)
        at org.hamcrest.MatcherAssert.assertThat(MatcherAssert.java:20)
        at org.opensearch.test.framework.cluster.TestRestClient$HttpResponse.assertStatusCode(TestRestClient.java:422)
        at org.opensearch.security.http.JwtAuthenticationTests.shouldAuthenticateWithJwtTokenInUrl_positive(JwtAuthenticationTests.java:163)

How can one reproduce the bug?

Set up and enable a JWT auth domain with the jwt_url_parameter set. Make any request with a valid token.

What is the expected behavior?

The jwt auth domain should successfully authenticate when jwt_url_parameter is supplied with a valid token.

Do you have any additional context?

The regression was introduced with the HeaderVerifier changes, where the HTTP Authenticators are dealing with a lower-level request object than the SecurityRestFilter, which is where authc was previously being performed. The parameters must be consumed on the RestRequest and not the lower-level NettyRequest which is used in the HeaderVerifier.

@cwperks cwperks added bug Something isn't working untriaged Require the attention of the repository maintainers and may need to be prioritized labels Jan 23, 2024
@cwperks cwperks changed the title [BUG] Unconsumed parameter exception when authentication with jwtUrlParameter [BUG] Unconsumed parameter exception when authenticating with jwtUrlParameter Jan 23, 2024
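The mechanism described in the issue, as an added example that is not part of the original issue and is not OpenSearch or security-plugin code: a simplified Java model of consumed-parameter tracking, where reading the token from a lower-level copy of the query string leaves it unconsumed and the strict handler check answers 400. The names `ModelRestRequest`, `dispatch`, `authenticateOnLowLevelView` and `authenticateOnRestRequest` are hypothetical, the token value is constructed, and token validation is omitted.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Simplified model only: none of these classes are the project's own.
public class ConsumedParamDemo {

    // Stand-in for the high-level request: reading a parameter marks it as consumed.
    static class ModelRestRequest {
        private final Map<String, String> params;
        private final Set<String> consumed = new HashSet<>();

        ModelRestRequest(Map<String, String> params) { this.params = params; }

        String param(String key) { consumed.add(key); return params.get(key); }

        List<String> unconsumedParams() {
            List<String> left = new ArrayList<>(params.keySet());
            left.removeAll(consumed);
            return left;
        }
    }

    // Stand-in for the handler's strict check: any unconsumed parameter is a 400.
    static int dispatch(ModelRestRequest request) {
        return request.unconsumedParams().isEmpty() ? 200 : 400;
    }

    // Regressed path: the token is read from a lower-level view of the query string,
    // so the high-level request never records "token" as consumed.
    static int authenticateOnLowLevelView(Map<String, String> rawQuery, ModelRestRequest request) {
        String token = rawQuery.get("token"); // validation omitted in this model
        return dispatch(request);
    }

    // Expected path: the token is read through the high-level request object.
    static int authenticateOnRestRequest(ModelRestRequest request) {
        String token = request.param("token"); // validation omitted in this model
        return dispatch(request);
    }

    public static void main(String[] args) {
        Map<String, String> query = Map.of("token", "constructed.jwt.value"); // constructed sample
        System.out.println("low-level view: " + authenticateOnLowLevelView(query, new ModelRestRequest(query)));
        System.out.println("rest request:   " + authenticateOnRestRequest(new ModelRestRequest(query)));
    }
}
```

In this model the first call yields 400 and the second 200, matching the failing assertion in the test output above and the behavior the issue expects.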
@stephen-crawford
Collaborator

[Triage] Hi @cwperks thanks for filing this issue. This looks like a good fix to correct the regression.

@stephen-crawford stephen-crawford added triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable. and removed untriaged Require the attention of the repository maintainers and may need to be prioritized labels Jan 29, 2024
@cwperks
Member Author

cwperks commented Feb 22, 2024

#3975 is now merged. Closing this issue.

@cwperks cwperks closed this as completed Feb 22, 2024