Connection type in scoped signing keys is not limited to MQTT

[AmbersG]

Observed behavior

We have an account called "test". There we have a user called mqtt and it works as expected.

+-------------------------------------------------------------------------------------+
|                                        User                                         |
+--------------------------+----------------------------------------------------------+
| Name                     | mqtt                                                     |
| User ID                  | xxxxxxxxxxxxxxxX |
| Issuer ID                | xxxxxxxxxxxxxxxxx|
| Issued                   | 2022-01-31 19:02:48 UTC                                  |
| Expires                  |                                                          |
| Bearer Token             | Yes                                                      |
| Response Permissions     | Not Set                                                  |
+--------------------------+----------------------------------------------------------+
| Max Msg Payload          | Unlimited                                                |
| Max Data                 | Unlimited                                                |
| Max Subs                 | Unlimited                                                |
| Network Src              | Any                                                      |
| Time                     | Any                                                      |
+--------------------------+----------------------------------------------------------+
| Allowed Connection Types | MQTT                                                     |
+--------------------------+----------------------------------------------------------+

Then we created SK and another user signed by this SK, here it is:

+---------------------------------------------------------------------------+
|                                   User                                    |
+----------------+----------------------------------------------------------+
| Name           | sk                                                  |
| User ID        | Xxxxxxxxxxxxxxx
| Issuer ID      | xxxxxxxxxxxxxxx |
| Issuer Account | xxxxxxxxxxxx |
| Issued         | 2024-08-06 11:12:23 UTC                                  |
| Expires        |                                                          |
| Issuer Scoped  | Yes                                                      |
+----------------+----------------------------------------------------------+

+-------------------------------------------------------------------------------------+
|                            Scoped Signing Key - Details                             |
+--------------------------+----------------------------------------------------------+
| Key                      | XXXXXXXXXXXXXX|
| role                     | test                                                |
| Max Responses            | 1                                                        |
| Response Permission TTL  | 0s                                                       |
| Max Msg Payload          | Unlimited                                                |
| Max Data                 | Unlimited                                                |
| Max Subs                 | Unlimited                                                |
| Network Src              | Any                                                      |
| Time                     | Any                                                      |
| Bearer Token             | Yes                                                      |
+--------------------------+----------------------------------------------------------+
| Allowed Connection Types | MQTT                                                     |
+--------------------------+----------------------------------------------------------+

Expected behavior

Our expectation is that we can only use MQTT connection type there.
But reality both nats and mqtt connections work:

❯ nats sub 'foo' --creds test
09:31:55 Subscribing on foo

[#1] Received on "foo"
hello

Server and client version

2.10.18

Host environment

No response

Steps to reproduce

Provided above

[kozlovic]

@AmbersG Thank you for the report. Could you please describe in details how those 2 users were created, also, do you have auth callout defined in the server? (If you don't know what that is, the answer is likely no ;-)).

[AmbersG]

Hey @kozlovic , they were created with NSC like here -
https://docs.nats.io/using-nats/nats-tools/nsc/signing_keys#scoped-signing-keys
and after that -
nsc edit signing-key --conn-type MQTT
auth callout was not defined in the server

[kozlovic]

@aricart It seems that the jwt.UserClaims in this model (user added from scoped signing keys) does not have AllowedConnectionTypes filled out when the client connects, although the sub permissions are for instance properly populated. Description of the account and user on nsc properly shows that it should be limited to connection type "MQTT", but what is received by the server when the client connects does not. Are we missing a step? (I followed the instructions on https://docs.nats.io/using-nats/nats-tools/nsc/signing_keys#scoped-signing-keys)

[aricart]

The JWT that is received by the server shouldn't have any limits set - as these are defined by the role.
The limits to assign to the user should be those found in the account for that signing key.

[kozlovic]

But how come when I add "allow_sub" properties (not directly in the user, but in the signing key) then they are reflected and visible in the user's JWT claim but not the connection types?
And if it works as expected, how would I get the connection types info from the user JWT then?

[aricart]

The struct not looking like:

"nats": {
  "allowed_connection_types": [
   "MQTT"
  ],
  "data": -1,
  "payload": -1,
  "pub": {},
  "sub": {},
  "subs": -1,
  "type": "user",
  "version": 2
 }
 

[kozlovic]

Ok, we had a meeting with @aricart and I think I understand a bit better what the problem might be.