Claims path config doesn't seem to pick up required claims #10243

Closed
ecthiender opened this issue May 16, 2024 · 2 comments
Labels
c/v3-engine V3 Metadata and Engine k/v3-bug Bug affecting Hasura v3 (DDN) v3

ecthiender commented May 16, 2024

Component

Graphql Engine

What is the current behaviour?

Having an AuthConfig with claims map path config, and then having a corresponding JWT with the correct claims in the correct, still returns a missing session variable error.

What is the expected behaviour?

v3-engine should pick the claims from the path.

How to reproduce the issue?

  1. AuthConfig

```yaml
kind: AuthConfig
version: v1
definition:
  mode:
    jwt:
      key:
        fixed:
          algorithm: RS256
          key:
            value: "public-key"
      tokenLocation:
        type: BearerAuthorization
      claimsConfig:
        locations:
          x-hasura-allowed-roles:
            literal: [user]
          x-hasura-user-id:
            path:
              path: /session/identity/id
              default: f4bbb346-1945-4f94-bc48-d9263c774925
          x-hasura-default-role:
            literal: user
```

  2. Decoded JWT

```json
{
  "exp": 1715668277,
  "iat": 1715667677,
  "iss": "https://cool-brattain-2gi36eexd9.projects.oryapis.com//additional-component",
  "jti": "4ea7a834-f0fb-45ba-a334-db872bab3d45",
  "nbf": 1715667677,
  "schema_id": "preset://username",
  "session": {
    "active": true,
    "authenticated_at": "2024-05-13T14:06:10.124313Z",
    "authentication_methods": [
      {
        "aal": "aal1",
        "completed_at": "2024-05-13T14:06:10.124303851Z",
        "method": "password"
      }
    ],
    "authenticator_assurance_level": "aal1",
    "expires_at": "2024-05-16T14:06:10.124313Z",
    "id": "c4c625c1-5375-4c96-8d7f-b10276d9f67e",
    "identity": {
      "created_at": "2024-05-10T10:21:40.850286Z",
      "id": "f4bbb346-1945-4f94-bc48-d9263c774925",
      "metadata_public": null,
      "organization_id": null,
      "schema_id": "preset://username",
      "schema_url": "https://cool-brattain-2gi36eexd9.projects.oryapis.com/schemas/cHJlc2V0Oi8vdXNlcm5hbWU",
      "state": "active",
      "state_changed_at": "2024-05-10T10:21:40.847652Z",
      "traits": {
        "username": "test"
      },
      "updated_at": "2024-05-10T10:21:40.850286Z"
    },
    "issued_at": "2024-05-13T14:06:10.124313Z"
  },
  "sid": "c4c625c1-5375-4c96-8d7f-b10276d9f67e",
  "sub": "f4bbb346-1945-4f94-bc48-d9263c774925"
}
```

Returns an error -

Required session variable not found in the request: x-hasura-user-id

Reported on Discord: https://discord.com/channels/407792526867693568/1238496225947549799/1238496225947549799

@ecthiender ecthiender added k/v3-bug Bug affecting Hasura v3 (DDN) c/v3-engine V3 Metadata and Engine labels May 16, 2024
@ecthiender
Member Author

I'm unable to reproduce the issue.

Auth config I used -

```yaml
kind: AuthConfig
version: v1
definition:
  mode:
    jwt:
      key:
        fixed:
          algorithm: HS256
          key:
            value: token
      tokenLocation:
        type: BearerAuthorization
      claimsConfig:
        locations:
          x-hasura-allowed-roles:
            literal:
              - user_1
          x-hasura-user-id:
            path:
              path: /session/identity/id
              default: '1'
          x-hasura-default-role:
            literal: user_1
```

JWT token I used - https://jwt.io/#debugger-io?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.p69VnkMPlnTRfsl72YwEIPF38x2XnXvp4Sr-MP8l5ko

Note: I changed the algorithm from RS256 to HS256 for convenience during debugging. I changed the role name from user to user_1, and changed the user id from a UUID to an integer. Everything else is the same as in the examples shared earlier.

The metadata I used is from https://github.com/hasura/graphql-engine/blob/master/v3/crates/engine/tests/schema.json . The interesting part of the metadata is the permission with x-hasura-user-id, which is here.

Then the query I executed is -

```graphql
query MyQuery {
  ArticleMany {
    article_id
    author_id
  }
}
```

with the JWT in the Authorization header.

And I'm getting the expected response. I do not get any error.


A reproduction with the minimal metadata, auth config, JWT token and the query would be helpful. You can include the hasura project folder, or invite me as a collaborator to the project, if that is more convenient.
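
An added example, not part of the issue or Hasura's code: a local check of which session variables a `claimsConfig.locations` mapping yields for a decoded JWT payload, useful when preparing a minimal reproduction. It assumes `path` is an RFC 6901 JSON Pointer into the claims and that `default` applies when the path does not resolve; `resolve_pointer`, `resolve_session`, `LOCATIONS` and `CLAIMS` are names chosen here, and `CLAIMS` is a constructed subset of the reported token.

```python
def resolve_pointer(doc, pointer):
    """Resolve an RFC 6901 JSON Pointer; raise KeyError if any step is absent."""
    if pointer == "":
        return doc
    if not pointer.startswith("/"):
        raise KeyError(f"pointer must start with '/': {pointer!r}")
    for raw in pointer[1:].split("/"):
        token = raw.replace("~1", "/").replace("~0", "~")  # RFC 6901 unescape order
        if isinstance(doc, dict) and token in doc:
            doc = doc[token]
        elif (isinstance(doc, list) and token.isascii() and token.isdigit()
              and int(token) < len(doc)):
            doc = doc[int(token)]
        else:
            raise KeyError(f"no value at {pointer!r} (failed at {token!r})")
    return doc

def resolve_session(locations, claims):
    """Return (session_variables, missing_names) for a locations mapping."""
    session, missing = {}, []
    for name, entry in locations.items():
        if "literal" in entry:            # fixed value, JWT is not consulted
            session[name] = entry["literal"]
            continue
        spec = entry["path"]
        try:
            session[name] = resolve_pointer(claims, spec["path"])
        except KeyError:
            if "default" in spec:         # assumed fallback semantics
                session[name] = spec["default"]
            else:
                missing.append(name)      # would surface as a missing variable
    return session, missing

# claimsConfig.locations from the report, written as a Python dict.
LOCATIONS = {
    "x-hasura-allowed-roles": {"literal": ["user"]},
    "x-hasura-user-id": {"path": {"path": "/session/identity/id",
                                  "default": "f4bbb346-1945-4f94-bc48-d9263c774925"}},
    "x-hasura-default-role": {"literal": "user"},
}
# Constructed payload: only the parts of the reported JWT that the path touches.
CLAIMS = {"sub": "f4bbb346-1945-4f94-bc48-d9263c774925",
          "session": {"active": True,
                      "identity": {"id": "f4bbb346-1945-4f94-bc48-d9263c774925"}}}

if __name__ == "__main__":
    print(resolve_session(LOCATIONS, CLAIMS))
```

Under these assumptions the reported config and token resolve every variable, so a non-empty `missing` list for a real token points at a payload whose shape differs from the one pasted in the report.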

@manasag manasag added the v3 label May 22, 2024
@ecthiender
Member Author

Closing this as there's no response. Feel free to comment or re-open if this still affects you.
