Closed ndushay closed 5 years ago
possibly useful info:
In order for Trellis to authenticate users with JWT, it needs to be able to derive a WebID for a user... a client can provide a standard `sub` claim with a URL identifying a user or a combination of `iss` (issuer) and `sub` (subject) to form a WebID. For example, the simplest token could consist of:

```json
{ "webid": "http://example.com/username" }
```

Or, this would produce the same WebID:

```json
{ "sub": "username", "iss": "http://example.com/" }
```

Other claims may be present, but they will be ignored by Trellis.

```json
{"sub":"123aa456-0987-41d2-4321-a177cd72a654","event_id":"1ab2c3de-3456-12a3-b456-4321321cb227","token_use":"access","scope":"openid email","auth_time":1552374716,"iss":"https:\/\/cognito-idp.us-west-2.amazonaws.com\/us-west-2_HUmNIdmhy","exp":1552378316,"version":2,"client_id":"543cav95u0q1rqcags1nedc68a","username":"meatdata.admin"}
```
The above example omits some of the fields we'd get back, but most relevant are `iss` and `sub`, which give us a WebID of https://cognito-idp.us-west-2.amazonaws.com/us-west-2_HUmNIdmhy/123aa456-0987-41d2-4321-a177cd72a654 for the user meatdata.admin. Also, the email address does not come in the JWT payload (it was not omitted as an edit here), but it is possible to use the CLI invocation described by https://github.com/LD4P/sinopia_server/issues/79#issuecomment-475142864 to look up a user's info (incl. `sub`) either by username or by email address.
See LD4P/sinopia_server#79; this code repo is where we are going to get from user emails to the current cognito webids.
The current webids for admins are needed for webACL work.
Examples of user lookup (by email) w/ AWS CLI, see our terraform repo for AWS CLI setup: https://github.com/LD4P/sinopia_server/issues/79#issuecomment-475142864 . This gets you a `sub` field for the user, which you can concat w/ the known `iss` URL to get the WebID Trellis derives; see the Trellis auth wiki page.
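The claim-to-WebID mapping described in this issue, as an added example that is not part of the issue, Trellis, or the Sinopia code: `derive_webid` prefers an explicit `webid` claim and otherwise joins `iss` and `sub`. The joining rule (insert a `/` unless `iss` already ends with one) is an assumption inferred from the two examples quoted above, not something the Trellis wiki text here states explicitly. `decode_payload` only base64url-decodes the payload segment of a token so the claims can be read; it does not verify the signature, which Trellis must do before any of these claims can be trusted. The Cognito-style claims are the ones pasted in the issue; the token built around them is constructed here with a placeholder header and signature.

```python
"""Added example: derive the Trellis WebID from JWT claims (not project code)."""
import base64
import json
from typing import Optional

# Claims pasted in the issue (Cognito access token payload, some fields omitted there).
COGNITO_CLAIMS = {
    "sub": "123aa456-0987-41d2-4321-a177cd72a654",
    "event_id": "1ab2c3de-3456-12a3-b456-4321321cb227",
    "token_use": "access",
    "scope": "openid email",
    "auth_time": 1552374716,
    "iss": "https://cognito-idp.us-west-2.amazonaws.com/us-west-2_HUmNIdmhy",
    "exp": 1552378316,
    "version": 2,
    "client_id": "543cav95u0q1rqcags1nedc68a",
    "username": "meatdata.admin",
}


def derive_webid(claims: dict) -> Optional[str]:
    """Return the WebID Trellis would use for these claims, or None if underivable.

    Rule from the issue: an explicit "webid" claim wins; otherwise iss + sub.
    Assumption (inferred from the two examples on the page): a "/" separates
    iss and sub unless iss already ends with one, so "http://example.com/" +
    "username" and "https://.../us-west-2_HUmNIdmhy" + "<sub>" both come out
    with exactly one slash at the join.
    """
    webid = claims.get("webid")
    if isinstance(webid, str) and webid:
        return webid
    iss = claims.get("iss")
    sub = claims.get("sub")
    if not isinstance(iss, str) or not isinstance(sub, str) or not iss or not sub:
        return None  # neither a webid claim nor an iss/sub pair: cannot identify the user
    if iss.endswith("/"):
        return iss + sub
    return iss + "/" + sub


def _b64url_encode(obj: dict) -> str:
    """base64url-encode a JSON object without padding, as JWT segments are."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Construct a JWT-shaped string for decoding demos only.

    The header and the signature segment are placeholders; nothing here signs
    anything, so this token would (and should) fail verification anywhere.
    """
    header = {"alg": "RS256", "typ": "JWT"}  # constructed header, not from a real issuer
    return ".".join([_b64url_encode(header), _b64url_encode(claims), "signature-placeholder"])


def decode_payload(token: str) -> dict:
    """Decode the payload (second) segment of a JWT into a dict.

    No signature check is performed here; a verifier must validate the token
    before any claim decoded this way is used for authentication.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-segment JWT (header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore the padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload))


if __name__ == "__main__":
    token = make_unsigned_token(COGNITO_CLAIMS)
    claims = decode_payload(token)
    print(claims["username"], "->", derive_webid(claims))
```

Running the module prints the WebID quoted in the issue for `meatdata.admin`. For the admin-lookup workflow described above, the `sub` returned by the AWS CLI can be dropped into a dict with the known `iss` and passed to `derive_webid` to get the WebID to place in a WebACL.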