auth0-使用' express-oauth2-jwt-bearer' express.js中的范围错误不足包裹
我打算在我的Express.js Backend API上创建一个私有式端点,以检查一些自定义权限。我正在使用“ express-oauth2-jwt-bearer”中使用rbac(基于角色的访问控制)( https://www.npmjs.com/package/package/express-oauth2-jwt-bearer )包。当我尝试访问该端点时,我会不断出现范围错误。
表达代码,
const express = require('express');
const app = express();
const { auth, requiredScopes } = require('express-oauth2-jwt-bearer');
const checkJwt = auth();
const requiredScopes = requiredScopes("getAll:student", { customScopeKey: "permissions" });
app.get(
"/student/getAll",
checkJwt,
requiredScopes,
res.json({
message: 'Here is the all Student detail list'
});
);
解码的JSON Web令牌详细信息, [1]: https://i.sstatic.net/etzfu.jpg
{
"iss": "https://*************.us.auth0.com/",
"sub": "auth0|******************",
"aud": [
"http://*************",
"https://*************.us.auth0.com/userinfo"
],
"iat": 1657083984,
"exp": 1657170384,
"azp": "***********************",
"scope": "openid profile email",
"permissions": [
"delete:student",
"getAll:student",
"search:student",
"update:student"
]
}
但是如果我使用const requientscopes = requiresScopes(“ OpenID配置文件”,{customScopekey:“ Permissions” });而不是const requientscopes = requiresScopes(“ getall:student”,{custicScopeKey:“ permissions”});它可以使用。我认为问题是权限不是针对自定义范围键的检查,而是使用默认范围键。任何人都可以帮助修复它吗?
I was going to create a private-scoped endpoint on my Express.js backend API to check some custom permissions. I'm using RBAC (Role-Based Access Control) in auth0 with the 'express-oauth2-jwt-bearer' (https://www.npmjs.com/package/express-oauth2-jwt-bearer) package. I constantly get an Insufficient Scope Error when I try to access that endpoint.
Express Code,
const express = require('express');
const app = express();
const { auth, requiredScopes } = require('express-oauth2-jwt-bearer');
const checkJwt = auth();
const requiredScopes = requiredScopes("getAll:student", { customScopeKey: "permissions" });
app.get(
"/student/getAll",
checkJwt,
requiredScopes,
res.json({
message: 'Here is the all Student detail list'
});
);
Decoded JSON web token details,
[1]: https://i.sstatic.net/EtZfU.jpg
{
"iss": "https://*************.us.auth0.com/",
"sub": "auth0|******************",
"aud": [
"http://*************",
"https://*************.us.auth0.com/userinfo"
],
"iat": 1657083984,
"exp": 1657170384,
"azp": "***********************",
"scope": "openid profile email",
"permissions": [
"delete:student",
"getAll:student",
"search:student",
"update:student"
]
}
But if I use const requiredScopes = requiredScopes("openid profile email", { customScopeKey: "permissions" }); instead of const requiredScopes = requiredScopes("getAll:student", { customScopeKey: "permissions" }); it works. I think the problem is permissions are not check against custom scope key but with default scope key. Anyone can help to fix it ?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
我遇到了同样的问题 - 看来
必需的scopes被打破了。相反,我所做的是从同一库中使用sipercheck:I'm having the same issue - it seems that
requiredScopesis broken. What I did instead was useclaimCheckfrom the same library:您需要在令牌范围“范围”中添加“ getall:student”
:“ openID个人资料电子邮件getall:student”
You need to add "getAll:student" into the token scope
"scope": "openid profile email getAll:student"
这个答案也适用于其他试图使用图书馆的人,
似乎必需的scope只能检查您的令牌上的“范围”主张。它似乎没有替代来更改此
操作答案就像Ben Jiron的答案。我还认为他对这个问题也有适当的答案,用户将他的主张放置在权限索赔内部。
This answer is also for other people trying to use the library
it appears that requiredScope will only check the "scope" claim on your tokens. It does not appear to have an override to change this so if you are using a different Identity provider you will either need to change your token to conform to what this library expects
My identity provider puts the scope claims on the "scp" property so my answer is like Ben Jiron answer. I also think he has the proper answer to this problem too where the user is placing his claims to check inside the permissions claim.