Auth0 Identity Value Not Fetching Inside Identity Field #1475

@JVaghela-Fintech

I'm having trouble fetching the Auth0 identity value inside the zilla:identity field. Despite explicitly configuring identity: sub in the JWT guard settings, the identity value is not being populated.

Steps to Reproduce:

  • Configure Auth0 application with HTTP authentication enabled

  • Set issuer and audience from Auth0:

    issuer: auth0 issuer
    audience: auth0 audience

  • Attempt to fetch the identity using:

    zilla:identity: ${guarded['lsauthgaurd'].identity}

Configuration:

name: ZillaProxy
vaults: {}
guards:
  lsauthgaurd:
    type: jwt
    options:
      issuer: auth0 issuer
      audience: auth0 audience
      challenge: 30
      identity: sub


bindings:
  tcp_server_a:
    type: tcp
    kind: server
    options:
      host: 0.0.0.0
      port: 7114
    exit: http_server_a
  http_server_a:
    type: http
    kind: server
    telemetry:
      exporters:
        stdout:
          type: stdout
    options:
      access-control:
        policy: cross-origin
      authorization:
        lsauthgaurd:
          credentials:
            headers:
              authorization: Bearer {credentials}
            query:
              access_token: "{credentials}"


      versions:
        - h2
        - http/1.1
    routes:
      - when:
          - headers:
              :scheme: http
              :authority: ${{env.AUTHORITY_URL}}
              :path: /updates
          - headers:
              :scheme: https
              :authority: ${{env.AUTHORITY_URL}}
              :path: /updates
        exit: updates-sse_server

      - when:
          - headers:
              :scheme: http
              :authority: ${{env.AUTHORITY_URL}}
              :path: /live-trades
          - headers:
              :scheme: https
              :authority: ${{env.AUTHORITY_URL}}
              :path: /live-trades
        exit: updates-sse_server

      - when:
          - headers:
              :scheme: http
              :authority: ${{env.AUTHORITY_URL}}
          - headers:
              :scheme: https
              :authority: ${{env.AUTHORITY_URL}}
              # :path: /api/*
        exit: http-kafka_proxy_a

  updates-sse_server:
    type: sse
    kind: server
    exit: updates_sse_kafka_mapping
  updates_sse_kafka_mapping:
    type: sse-kafka
    kind: proxy
    routes:
      - when:
          - path: /updates
        with:
          topic: ordermanager.ui.orders
        exit: sse_kafka_cache_client

      - when:
          - path: /live-trades
        with:
          topic: rtrs.realtime.trades.ui.outbound
        exit: sse_kafka_cache_client
  sse_kafka_cache_client:
    type: kafka
    kind: cache_client
    exit: sse_kafka_cache_server
  sse_kafka_cache_server:
    type: kafka
    kind: cache_server
    options:
      bootstrap:
        - ordermanager.ui.orders
        - rtrs.realtime.trades.ui.outbound
    exit: sse_kafka_client
  sse_kafka_client:
    type: kafka
    kind: client
    telemetry:
      exporters:
        stdout:
          type: stdout
    options:
      servers:
        - ${{env.KAFKA_BOOTSTRAP_SERVER}}
      sasl:
        mechanism: scram-sha-256
        username: ${{env.SASL_USERNAME}}
        password: ${{env.SASL_PASSWORD}}
    exit: ${{env.TRANSPORT_CLIENT}}

  http-kafka_proxy_a:
    type: http-kafka
    kind: proxy
    telemetry:
      exporters:
        stdout:
          type: stdout
    routes:
      - when:
          - method: PUT
            path: /historical-trades/{id}
          - method: GET
            path: /historical-trades/{id};cid={correlationId}
        exit: kafka_cache_client_b
        with:
          capability: produce
          topic: rtrs.historical.query.ui.inbound # Kafka topic for historical trades
          key: ${params.id} # Idempotency key for request deduplication
          reply-to: rtrs.historical.trades.ui.outbound # Outbound topic for reply
          overrides:
            zilla:identity: ${guarded['lsauthgaurd'].identity}
          async:
            location: /historical-trades/${params.id};cid=${correlationId}
        # guarded:
        #   lsauthgaurd:
        #     - write:Admin
        #     - read:Admin

  kafka_cache_client_b:
    type: kafka
    kind: cache_client
    telemetry:
      metrics:
        - stream.*
        - http.*
    exit: kafka_cache_server_b
  kafka_cache_server_b:
    type: kafka
    kind: cache_server
    telemetry:
      metrics:
        - stream.*
        - http.*
    options:
      bootstrap:
        - rtrs.historical.trades.ui.outbound

    exit: kafka_client_b
  kafka_client_b:
    type: kafka
    kind: client
    telemetry:
      metrics:
        - stream.*
        - http.*
    options:
      servers:
        - ${{env.KAFKA_BOOTSTRAP_SERVER}}
      sasl:
        mechanism: scram-sha-256
        username: ${{env.SASL_USERNAME}}
        password: ${{env.SASL_PASSWORD}}
    exit: ${{env.TRANSPORT_CLIENT}}
  tls_client_a:
    type: tls
    kind: client
    exit: tcp_client_b
  tcp_client_b:
    type: tcp
    kind: client
telemetry:
  exporters:
    stdout:
      type: stdout

Expected Behavior:
The zilla:identity field should be populated with the sub claim from the JWT token.

Actual Behavior:
The identity value is not being fetched or populated in the zilla:identity field.
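
When triaging a report like this, a useful first check is whether the token itself carries the claims the guard is configured for. The following is an added example, not part of the original issue or of Zilla's code: it decodes a JWT payload without verifying the signature and compares `iss`, `aud` and the configured identity claim against the guard options. The function names and sample values are assumptions constructed for illustration.

```python
import base64
import json


def b64url_decode(segment):
    """Decode an unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_claims(token, issuer, audience, identity="sub"):
    """Return findings; an empty list means the claims line up with the guard.

    The signature is not verified: this only inspects what the token carries.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return ["token is not a three-part compact JWT"]
    try:
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return ["payload is not base64url-encoded JSON"]
    if not isinstance(claims, dict):
        return ["payload is not a JSON object"]

    findings = []
    iss = claims.get("iss")
    if iss != issuer:
        if isinstance(iss, str) and iss.rstrip("/") == issuer.rstrip("/"):
            findings.append("iss differs from configured issuer only by a trailing slash")
        else:
            findings.append(f"iss {iss!r} does not match configured issuer {issuer!r}")
    aud = claims.get("aud")
    aud_values = aud if isinstance(aud, list) else [aud]  # string or array form
    if audience not in aud_values:
        findings.append(f"aud {aud!r} does not contain configured audience {audience!r}")
    value = claims.get(identity)
    if not isinstance(value, str) or not value:
        findings.append(f"identity claim {identity!r} is missing or not a string")
    return findings


def make_sample_token(claims):
    """Build a constructed sample token (placeholder signature) for offline testing."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"


# Constructed sample values, not taken from the issue.
SAMPLE = {"iss": "https://tenant.example/", "aud": ["https://api.example"], "sub": "user-123"}

if __name__ == "__main__":
    print(check_claims(make_sample_token(SAMPLE), "https://tenant.example", "https://api.example"))
```

An empty result only shows that the token's claims match the configured `issuer`, `audience` and `identity` values; it says nothing about signature validity or how the guard is applied to the route.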
