Posted to notifications@couchdb.apache.org by GitBox <gi...@apache.org> on 2022/05/24 10:41:16 UTC

[GitHub] [couchdb] meveno commented on pull request #3166: feat(auth): Allow a custom JWT claim for roles

meveno commented on PR #3166:
URL: https://github.com/apache/couchdb/pull/3166#issuecomment-1135753168

   Hello.
   I'm trying to use JWT security access with a Keycloak access token.
   But I can manage to make it work with this properly.
   
   What is the syntax for JSON nested objects inside a JWT token?
   
   ```
   [jwt_auth]
   required_claims = exp, {iss, "http://localhost:9080/auth/realms/ovalt"}
   roles_claim_name = resource_access.web-pgc.roles
   ```
   
   When I use another claim of type 'array' without nested objects like "aud", it works ...
   But the values defined in aud are not really roles ...
   
   ```
   [jwt_auth]
   required_claims = exp, {iss, "http://localhost:9080/auth/realms/ovalt"}
   roles_claim_name = aud
   ```
   
   The token looks like this:
   
   ```
   {
     "exp": 1653424065,
     "iat": 1653388086,
     "auth_time": 1653388065,
     "jti": "e1689137-43e7-47f2-a87f-c2111ea30f7d",
     "iss": "http://localhost:9080/auth/realms/ovalt",
     "aud": [
       "web-pgc",
       "account"
     ],
     "sub": "df053ed9-a9ce-41bf-9143-85e75ee2657c",
     "typ": "Bearer",
     "azp": "web-cockpit",
     "nonce": "f122afad-f839-4f11-89ba-84cd9cb57802",
     "session_state": "606b3c5c-eb5c-4a29-814e-1e964104db3e",
     "acr": "0",
     "allowed-origins": [
       "http://localhost:8080",
       "http://localhost:3000"
     ],
     "realm_access": {
       "roles": [
         "default-roles-ovalt",
         "offline_access",
         "uma_authorization"
       ]
     },
     "resource_access": {
       "web-pgc": {
         "roles": [
           "pgc_user"
         ]
       },
       "account": {
         "roles": [
           "manage-account",
           "manage-account-links",
           "view-profile"
         ]
       }
     },
     "scope": "openid email profile",
     "sid": "606b3c5c-eb5c-4a29-814e-1e964104db3e",
     "email_verified": false,
     "preferred_username": "testuser"
   }
   ```
   
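The question above is whether a dotted `roles_claim_name` reaches into nested objects. The following added example (not CouchDB's code and not from the PR) shows what a nested lookup plus the `required_claims` checks would have to do, using the token pasted above; the dotted-path convention is an assumption made here for illustration, and the example also refuses to grant roles when the claim is missing or is not a list of strings.

```python
import json

# Constructed copy of the claims pasted in the post, trimmed to the relevant ones.
# Assumes the token's signature has already been verified upstream.
TOKEN = json.loads("""{
  "exp": 1653424065,
  "iss": "http://localhost:9080/auth/realms/ovalt",
  "aud": ["web-pgc", "account"],
  "realm_access": {"roles": ["default-roles-ovalt", "offline_access", "uma_authorization"]},
  "resource_access": {
    "web-pgc": {"roles": ["pgc_user"]},
    "account": {"roles": ["manage-account", "manage-account-links", "view-profile"]}
  },
  "preferred_username": "testuser"
}""")


def lookup_claim(claims, path):
    """Resolve a dotted path such as 'resource_access.web-pgc.roles'.
    Hypothetical syntax: whether CouchDB treats dots as nesting is the open question.
    Returns None when any segment is missing or an intermediate value is not an object."""
    node = claims
    for segment in path.split("."):
        if not isinstance(node, dict) or segment not in node:
            return None
        node = node[segment]
    return node


def roles_from_token(claims, roles_claim_name):
    """Return the roles named by roles_claim_name, or [] when the claim is absent
    or not a list of strings, so a malformed token never grants roles."""
    value = lookup_claim(claims, roles_claim_name)
    if not isinstance(value, list) or not all(isinstance(r, str) for r in value):
        return []
    return value


def check_required_claims(claims, issuer, now):
    """Mirror the required_claims line from the post: exp must be present and
    still in the future, and iss must equal the configured value exactly."""
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return False
    return claims.get("iss") == issuer
```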

