Use Directus JWT to login without hostname #3921

macntech · 2022-10-26T07:06:15Z

macntech
Oct 26, 2022

Hello,

we issue a JWT token in a 3rd party application (our central user management platform - Directus). This JWT includes an id field with the User ID. I configured ejabberd to use this id as jid during JWT auth procedure. This is working fine for manual JWT tokens that I created via jwt.io.

However, the real payload of our JWT issued in the user platform is following:

{
  "id": "longuseridstring",
  "role": "rolestring",
  "app_access": true,
  "admin_access": false,
  "iat": 1666725952,
  "exp": 1666726852,
  "iss": "directus"
}

So basically the user identifier has (obviously) not hostname attached. Unfortunately there is no way to change the payload issued by Directus. What ejabberd expects is:

{
  "id": "longuseridstring@hostname"
}

and longuseridstring@hostname in the login form.

Question:
Is there a way, that I can use only longuseridstring (without hostname) to auth the user against the ejabberd server? So basically tell the server that there is only one host and that should be used per default for every request without specifying the hostname?

We use websocket and javascript to login the user from frontend.

ejabberd version 22.5.0

Thanks for your support!

Answered by badlop

Oct 26, 2022

I can think a very simple and which patch would be something like this. But, as it doesn't check the server, it would allow this token to be used to login to username "longuseridstring" in any of the local hosts:

diff --git a/src/ejabberd_auth_jwt.erl b/src/ejabberd_auth_jwt.erl
index d1fe4d15a..1c93d3410 100644
--- a/src/ejabberd_auth_jwt.erl
+++ b/src/ejabberd_auth_jwt.erl
@@ -106,7 +106,11 @@ check_decoded_jwt(true, Fields, _Signature, Server, User) ->
         {ok, SJid} when is_binary(SJid) ->
             try
                 JID = jid:decode(SJid),
-                JID#jid.luser == User andalso JID#jid.lserver == Server
+                case {JID#jid.luser, JID#jid.lserver} of
+   …

View full answer

badlop · 2022-10-26T10:51:12Z

badlop
Oct 26, 2022
Maintainer

I can think a very simple and which patch would be something like this. But, as it doesn't check the server, it would allow this token to be used to login to username "longuseridstring" in any of the local hosts:

diff --git a/src/ejabberd_auth_jwt.erl b/src/ejabberd_auth_jwt.erl
index d1fe4d15a..1c93d3410 100644
--- a/src/ejabberd_auth_jwt.erl
+++ b/src/ejabberd_auth_jwt.erl
@@ -106,7 +106,11 @@ check_decoded_jwt(true, Fields, _Signature, Server, User) ->
         {ok, SJid} when is_binary(SJid) ->
             try
                 JID = jid:decode(SJid),
-                JID#jid.luser == User andalso JID#jid.lserver == Server
+                case {JID#jid.luser, JID#jid.lserver} of
+                    {User, Server} -> true; % jid = user@server
+                    {<<"">>, User} -> true; % jid =      user
+                    _ -> false
+                end
             catch error:{bad_jid, _} ->
                 false
             end;

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Use Directus JWT to login without hostname #3921

{{title}}

Replies: 1 comment

{{title}}

Select a reply

Use Directus JWT to login without hostname #3921

macntech Oct 26, 2022

Replies: 1 comment

badlop Oct 26, 2022 Maintainer

macntech
Oct 26, 2022

badlop
Oct 26, 2022
Maintainer