BTBurke / caddy-jwt

JWT middleware for the Caddy server
MIT License
113 stars 40 forks

Validate multiple claims in an allow rule? #36

Open philpennock opened 6 years ago

philpennock commented 6 years ago

How amenable are you to having caddy-jwt be able to validate multiple claims? Any particular rules if I were to work on this and submit a PR?

Scenario: I have set up Caddy using caddy-jwt and tarent/loginsrv, where the latter can speak to multiple OAuth2 providers. I have GitHub configured and I'd like to configure an alternative to use, but at present it looks like the allow rules would mean that if I add a second provider, then someone in that provider who has the same login name (sub) as one of my valid users in the first provider would then be authorized.

So I want to be able to assert both the origin and the sub at the same time.

Is this functionality in-scope for this plugin or should I be looking at some other generic authorization plugin, layered atop caddy-jwt, instead?

I'm tentatively thinking that an AccessRule would have a slice of Claim/Value pairs, and validation would check that the length of the remaining args is zero modulo 2 instead of exactly 2, and adjust what's stored to match the adjusted model; then amend the AccessRules evaluation in jwt.go. Sound sane?

BTBurke commented 6 years ago

Hi Phil,

I think this could work. Although I think it might be easier to add a new directive to the Caddyfile for processing multiple concurrent claims instead of modifying the behavior of the current allow and deny.

Something like:

allow_only sub=person origin=github

I don't think you would need a corresponding deny rule to implement this same behavior, so it would be pretty easy to add as a separate step in the process and not have to touch any of the existing tests.
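Both proposals above (a rule holding a slice of claim/value pairs, and an `allow_only sub=person origin=github` directive) come down to the same thing: a rule that is satisfied only when every listed claim matches. The Go below is an added example written for this thread, not code from caddy-jwt or the PR; the `AllowOnlyRule`, `ClaimMatch`, `ParseAllowOnly` and `Authorize` names are assumed, the claims are modelled as a plain `map[string]interface{}` rather than any particular JWT library's type, and the sample claims are constructed. It parses the `claim=value` arguments, refuses malformed or duplicated pairs, and shows the collision from the first post: a rule on `sub` alone admits a same-named user from a second provider, while the conjunctive rule does not.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ClaimMatch is one claim/value pair that must hold for a rule to pass.
type ClaimMatch struct {
	Claim string
	Value string
}

// AllowOnlyRule is a hypothetical conjunctive access rule: every pair in
// Matches must be present in the token with exactly the given value.
// (Assumed shape for the allow_only directive discussed above; not the
// plugin's own type.)
type AllowOnlyRule struct {
	Matches []ClaimMatch
}

// ParseAllowOnly turns the arguments of a Caddyfile line such as
//
//	allow_only sub=person origin=github
//
// (everything after the directive name) into a rule. It rejects an empty
// argument list, malformed pairs, and a claim listed twice, so a typo cannot
// silently produce a rule that is easier to satisfy than intended.
func ParseAllowOnly(args []string) (AllowOnlyRule, error) {
	if len(args) == 0 {
		return AllowOnlyRule{}, errors.New("allow_only: at least one claim=value pair is required")
	}
	var rule AllowOnlyRule
	seen := make(map[string]bool)
	for _, arg := range args {
		parts := strings.SplitN(arg, "=", 2)
		if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
			return AllowOnlyRule{}, fmt.Errorf("allow_only: bad argument %q, want claim=value", arg)
		}
		if seen[parts[0]] {
			return AllowOnlyRule{}, fmt.Errorf("allow_only: claim %q listed twice", parts[0])
		}
		seen[parts[0]] = true
		rule.Matches = append(rule.Matches, ClaimMatch{Claim: parts[0], Value: parts[1]})
	}
	return rule, nil
}

// Allows reports whether the decoded claims satisfy every pair (AND
// semantics). A missing claim or a non-string claim value never matches,
// and an empty rule never allows anything.
func (r AllowOnlyRule) Allows(claims map[string]interface{}) bool {
	if len(r.Matches) == 0 {
		return false
	}
	for _, m := range r.Matches {
		v, ok := claims[m.Claim]
		if !ok {
			return false
		}
		s, ok := v.(string)
		if !ok || s != m.Value {
			return false
		}
	}
	return true
}

// Authorize applies a list of rules: a token is admitted if any single rule
// is fully satisfied (rules are OR'd together, pairs within a rule AND'd).
func Authorize(rules []AllowOnlyRule, claims map[string]interface{}) bool {
	for _, r := range rules {
		if r.Allows(claims) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample claims, as loginsrv-style tokens might carry them.
	githubPhil := map[string]interface{}{"sub": "phil", "origin": "github"}
	otherPhil := map[string]interface{}{"sub": "phil", "origin": "other-provider"}

	// A rule keyed on sub alone is the collision the issue describes.
	subOnly, _ := ParseAllowOnly([]string{"sub=phil"})
	// The conjunctive rule pins both origin and sub.
	both, _ := ParseAllowOnly([]string{"sub=phil", "origin=github"})

	fmt.Println("sub-only rule, github phil:  ", subOnly.Allows(githubPhil)) // true
	fmt.Println("sub-only rule, other phil:   ", subOnly.Allows(otherPhil))  // true (unwanted)
	fmt.Println("allow_only rule, github phil:", both.Allows(githubPhil))    // true
	fmt.Println("allow_only rule, other phil: ", both.Allows(otherPhil))     // false
}
```

Two details worth keeping whichever shape the PR takes: a claim that is absent, or present with a non-string value, must count as a mismatch rather than being skipped, and an `allow_only` line with no pairs (or a rule whose pair list ends up empty after parsing) must deny rather than allow, otherwise a configuration mistake widens access instead of narrowing it.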