kjdev / nginx-auth-jwt

Nginx module for the authenticate using JWT
MIT License

How to check for specific audience occurrence? #10

Closed pietzschke closed 11 months ago

pietzschke commented 11 months ago

With auth_jwt_validate_aud you can validate for a specific value in the aud claim. But how to match against a set of audiences? E.g.: aud in token: aud1@example.com. Configured allowed audiences: aud1@example.com,aud2@example.com

It's false because aud2@example.com does not occur in the string. Any chance to delimit the string and check against one of the values?

kjdev commented 11 months ago

Multiple permit values are not supported and will be corrected

pietzschke commented 11 months ago

Can the function "auth_jwt_require_claim" be used to verify the audience?

kjdev commented 11 months ago

auth_jwt_require_claim could handle this.

set $expected '"test1.audience.example.com"';
auth_jwt_require_claim aud eq $expected;

for arrays

set $expected '["test10.audience.example.com"]';
auth_jwt_require_claim aud intersect $expected;

# PAYLOAD:DATA
#  "aud": [
#    "test10.audience.example.com",
#    "test10.audience.test.com"
#  ]

pietzschke commented 11 months ago

Thanks!
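
As an added example (not code from this thread or from nginx-auth-jwt), the Python sketch below models the matching the thread asks for: the aud claim, which RFC 7519 allows to be a single string or an array of strings, is normalised to a set and intersected with the allowed audiences. The function names and sample payloads are constructed for illustration, and signature verification is assumed to have happened already.

```python
# Added example: models audience matching only. Names and payloads are
# constructed; signature verification is assumed to be done elsewhere.

ALLOWED = ("aud1@example.com", "aud2@example.com")  # values from the question
CONFIGURED = ",".join(ALLOWED)  # the comma-joined string from the question


def token_audiences(payload):
    """Return the aud claim as a set of strings.

    RFC 7519 allows aud to be a single string or an array of strings.
    Anything else (missing, number, mixed array) yields an empty set.
    """
    aud = payload.get("aud")
    if isinstance(aud, str):
        return {aud}
    if isinstance(aud, list) and aud and all(isinstance(a, str) for a in aud):
        return set(aud)
    return set()


def audience_allowed(payload, allowed=ALLOWED):
    """Accept when the token names at least one allowed audience exactly."""
    return bool(token_audiences(payload) & set(allowed))


def whole_string_match(payload, configured=CONFIGURED):
    """Model of the failing check in the question: claim == whole string."""
    return payload.get("aud") == configured


def substring_match(payload, configured=CONFIGURED):
    """Hypothetical shortcut (an assumption, not the module's behaviour)."""
    aud = payload.get("aud")
    return isinstance(aud, str) and aud in configured


# Constructed sample payloads.
SINGLE = {"aud": "aud1@example.com"}
ARRAY = {"aud": ["test10.audience.example.com", "aud2@example.com"]}
OTHER = {"aud": "aud3@example.com"}
PARTIAL = {"aud": "example.com"}  # fragment of an allowed value, not allowed
MALFORMED = {"aud": ["aud1@example.com", 42]}

if __name__ == "__main__":
    for name in ("SINGLE", "ARRAY", "OTHER", "PARTIAL", "MALFORMED"):
        p = globals()[name]
        print(name, audience_allowed(p), whole_string_match(p), substring_match(p))
```

Splitting a delimited string and comparing elements exactly gives the same result as `audience_allowed`; a substring test does not, because it accepts fragments such as the `PARTIAL` payload.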