auth0 / java-jwt

Java implementation of JSON Web Token (JWT)
MIT License

Predicate based claim assertion #274

Closed victornoel closed 5 years ago

victornoel commented 6 years ago

In the JWT token I use, there is a claim that can contain multiple values (it's not an array, but it's not the problem here).

I'm facing a problem because I would like to be able to validate that one value is present, not that the scope completely equals a certain string.

It would thus be great if I could write:

    JWT
        .require(Algorithm.RSA256(new JWKRSAKeyProvider(new URL(openid.jwks_uri))))
        .withAudience(clientId)
        .withIssuer(openid.issuer)
        .withClaim("scp", scps -> Arrays.asList(scps.split(" ")).contains("val")); // pseudo-code

So that withClaim could take a Predicate<String> (and also the other available types).

victornoel commented 6 years ago

(ps: I can do a PR :)

lbalmaceda commented 6 years ago

I'm not familiar with the Predicate class but I guess it's Java 8. Adding that would break existing JDK7 users. This is also not a common case. It might be for arrays but not for maps. I'll leave this suggestion open for the next major though👌

Today, you can do the extra check right after the token signature and typical claims are verified.

Verify -> get claim as -> assert contains value

victornoel commented 6 years ago

@lbalmaceda it doesn't have to be the actual Predicate class: you can introduce your own for this purpose. The important thing is for it to have only one method, so that Java 8 users can use lambdas.

Until then, I will use the method you propose :)

victornoel commented 6 years ago

@lbalmaceda actually it's not very nice, because I don't create the verifier in the same place where I use it, and I need to set up the constraints when I create it. It means I have to introduce another abstraction to be able to do that.
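
The workaround discussed above (verify, get the claim, assert it contains the value), bundled so that the constraint is fixed where the verifier is created. This is an added example, not code from the thread or from java-jwt: `ScopeCheckingVerifier` is a hypothetical name, and the claim is assumed to be a space-delimited string as described in the issue.

```java
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.exceptions.InvalidClaimException;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;

import java.util.Arrays;

/**
 * Hypothetical wrapper (not part of java-jwt): pairs a JWTVerifier with one
 * required value of a space-delimited claim.
 *
 * Construct it where the verifier is configured, for example:
 *   new ScopeCheckingVerifier(
 *       JWT.require(algorithm).withAudience(clientId).withIssuer(issuer).build(),
 *       "scp", "val");
 */
public final class ScopeCheckingVerifier {
    private final JWTVerifier verifier;
    private final String claimName;
    private final String requiredValue;

    public ScopeCheckingVerifier(JWTVerifier verifier, String claimName, String requiredValue) {
        this.verifier = verifier;
        this.claimName = claimName;
        this.requiredValue = requiredValue;
    }

    public DecodedJWT verify(String token) throws JWTVerificationException {
        // 1. Verify: signature and the standard claims are checked first, so the
        //    custom claim is only ever read from a token that is already trusted.
        DecodedJWT jwt = verifier.verify(token);

        // 2. Get claim as a String: asString() returns null when the claim is
        //    missing or is not a JSON string. Reject instead of treating it as empty.
        String raw = jwt.getClaim(claimName).asString();
        if (raw == null) {
            throw new InvalidClaimException("Claim '" + claimName + "' is missing or not a string");
        }

        // 3. Assert contains value: compare whole tokens. A substring test such as
        //    raw.contains("val") would also accept a value like "validate".
        boolean present = Arrays.asList(raw.trim().split("\\s+")).contains(requiredValue);
        if (!present) {
            throw new InvalidClaimException(
                "Claim '" + claimName + "' does not contain '" + requiredValue + "'");
        }
        return jwt;
    }
}
```

Both failure paths throw `InvalidClaimException`, a subclass of `JWTVerificationException`, so callers that already catch verification failures also reject tokens missing the required value.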

rocketraman commented 6 years ago

How about using this custom validator I just created? https://github.com/auth0/java-jwt/pull/290

victornoel commented 6 years ago

@rocketraman great!

That's exactly what I had in mind @lbalmaceda :)

stale[bot] commented 5 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. If you have not received a response from our team (apologies for the delay) and this is still a blocker, please reply with additional information or just a ping. Thank you for your contribution! 🙇‍♂️