Roles/Permissions not returned from Authenticate but included in JWT

specimen151 · January 26, 2024, 9:50am

I’m using the basic CredentialsAuthProvider:

            appHost.Plugins.Add(new AuthFeature(() => new CustomUserSession(),
                new IAuthProvider[] {
                    new CredentialsAuthProvider(appSettings),     
                    new JwtAuthProvider(appSettings) {
                        RequireSecureConnection=false,
                        AuthKey = AesUtils.CreateKey(),
                        UseTokenCookie = false     
                    },
   
                })
            {
                IncludeDefaultLogin = false, IncludeRolesInAuthenticateResponse = true
            });

The CustomUserSession is for future:

public class CustomUserSession : AuthUserSession
{
}

However I have a custom auth repo:

public class ArangoDbAuthRepository : IUserAuthRepositoryAsync, IClearable, IManageRolesAsync, IManageRoles

for which I have implemented the interfaces.
The IManageRoles was added later as a part of debugging, but haven’t changed anything (for better or worse),

This is setup like normal in the Configure.AuthRepository file:

services.AddSingleton<IAuthRepositoryAsync>(userRepo);
services.AddSingleton<IManageRolesAsync>(userRepo);     // for CredentialsAuthProvider to fetch roles from here (inspeced the source)

The strange thing is that in the response from Authenticate, the JWT does contain the roles. So my Auth Repo must be fetching these.

But the session does not have them, and neither does the response body.

mythz · January 26, 2024, 10:18am

The session will only have them if they’re blobbed with the user (i.e. not using IManageRolesAsync), otherwise they can be fetched with:

var roles = await session.GetRolesAsync(AuthRepositoryAsync);

However they should be returned in AuthenticateResponse unless IncludeRolesInAuthenticateResponse=false (it’s enabled by default).

The other requirement is that session.UserAuthId contains the user Id.

Otherwise I’m not sure why it’s not being returned in AuthenticateResponse, I’d recommend debugging AuthenticateService and putting a breakpoint on:

github.com

ServiceStack/ServiceStack/blob/ed86959f851e2d7bafde3f78d69d24c04c60aa1c/ServiceStack/src/ServiceStack/Auth/AuthenticateService.cs#L330


      
                            ?? session.UserName 
                            ?? $"{session.FirstName} {session.LastName}".Trim(),
              SessionId = session.Id,
              ReferrerUrl = referrerUrl,
          };
          
          if (response is AuthenticateResponse authResponse)
          {
              authResponse.ProfileUrl ??= session.GetProfileUrl();
          
              if (session.UserAuthId != null && authFeature != null)
              {
                  if (authFeature.IncludeRolesInAuthenticateResponse)
                  {
                      var authSession = authFeature.AuthSecretSession;
                      if (authSession != null && session.UserAuthName == authSession.UserAuthName && session.UserAuthId == authSession.UserAuthId)
                      {
                          authResponse.Roles = session.Roles;
                          authResponse.Permissions = session.Permissions;
                      }

specimen151 · January 26, 2024, 10:47am

Thanks, I’m 100% sure I’ve got a bug somewhere.

Are you saying that I should only need to implement IAuthRepository, and not IManageRoles?

mythz · January 26, 2024, 10:55am

If the roles are blobbed with the User than you shouldn’t implement IManageRoles/Async in your custom Auth Provider, it’s only required if you want to manage User Roles in a separate table.

specimen151 · January 26, 2024, 11:06am

Thanks, it seems to be working now. I think I had an error with the Id in the UserAuth table. The Id for the first user was 0 which seems to not be allowed.