
question: ACL authorization based on custom token fields

Open lukedirtwalker opened this issue 2 years ago • 2 comments


Currently there is no way to do ACL authorization on custom fields. E.g. on Auth0 it is not allowed to specify the roles field in a token so we put it in https://example.org/roles, but the ACL will not see this field. This is because there is a distinction in the User type. The fields in tkv are accessible in the ACL but fields in the mkv map are not. (Authorization uses this https://github.com/greenpau/go-authcrunch/blob/eb8b39e4299a51fe2cc8f775455cd87a270ae7f9/pkg/user/user.go#L194 method).

Is there a specific reason to have this distinction? Couldn't we just expose the whole mkv for the authorization? I would be happy to write a patch, but I'm not sure how to best solve this.

Thanks a lot for your feedback.

lukedirtwalker avatar Nov 07 '22 13:11 lukedirtwalker

Digging deeper, I realized that we can't really determine the data type in this case, and we would just fail to parse the ACL. Not sure what's the best solution to this. It would be great if there were some way to "rewrite" properties in the token before doing the ACLing. But not sure how this would be plugged in the nicest way.

lukedirtwalker avatar Nov 07 '22 14:11 lukedirtwalker

I would like to be able to map auth0 roles to caddy-security roles.

CrazyPython avatar Jul 05 '23 22:07 CrazyPython
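The claim "rewrite" step asked for in the comments above, sketched as a standalone added example; this is not go-authcrunch code and does not use its API. The function name `RewriteRoles` and the target key `roles` are assumptions. It resolves the data-type question by accepting only a string or a list of strings and rejecting anything else, so a malformed claim never reaches the ACL as a partial role set.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// RewriteRoles (hypothetical helper) copies the custom claim src into
// claims["roles"] as []string, failing closed on any unexpected value type.
func RewriteRoles(claims map[string]interface{}, src string) error {
	v, ok := claims[src]
	if !ok {
		return nil // claim absent: leave the token untouched
	}
	var raw []string
	switch t := v.(type) {
	case string: // space-separated form, e.g. "admin editor"
		raw = strings.Fields(t)
	case []interface{}: // what encoding/json yields for a JSON array
		for _, e := range t {
			s, isStr := e.(string)
			if !isStr {
				return fmt.Errorf("claim %q: entry of type %T, want string", src, e)
			}
			raw = append(raw, s)
		}
	default:
		return fmt.Errorf("claim %q: unsupported type %T", src, v)
	}
	roles := make([]string, 0, len(raw))
	for _, r := range raw {
		if r = strings.TrimSpace(r); r != "" {
			roles = append(roles, r)
		}
	}
	claims["roles"] = roles
	return nil
}

func main() {
	// Constructed sample payload; the claim name is the one from the issue.
	payload := `{"sub":"user1","https://example.org/roles":["admin","editor"]}`
	claims := map[string]interface{}{}
	if err := json.Unmarshal([]byte(payload), &claims); err != nil {
		panic(err)
	}
	err := RewriteRoles(claims, "https://example.org/roles")
	fmt.Println(claims["roles"], err)
}
```

Run the rewrite only on claims taken from a token whose signature has already been verified, and treat a returned error as an authorization failure.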