kjdev / nginx-auth-jwt

Nginx module for the authenticate using JWT
MIT License
27 stars 17 forks

Unclear usage of intersect for arrays #15

Closed col-panic closed 1 month ago

col-panic commented 1 month ago

I have the following JWT claim

{
  "realm_access": {
    "roles": [
      "license-admin",
      "rdus-admin"
    ]
  }
}

and for the location I protect I have to check if license-admin is part of the array.

I tried with the location setting

auth_jwt_allow_nested;
auth_jwt_require_claim realm_access.roles intersect '["license-admin"]';

but this fails with

rejected due to realm_access.roles claim requirement: "["license-admin","rdus-admin"]" is not "intersect" "["license-admin"]" while sending to client

I see that the check should just be the other way round! But I'm not sure how to use this. I guess it should be "["license-admin"]" intersect "["license-admin","rdus-admin"]" but this doesn't seem to be feasible to implement!

What is the correct way to realize this?

col-panic commented 1 month ago

I had a look at the test input https://github.com/kjdev/nginx-auth-jwt/blob/3ec16e9d8af12fd705408813e87adc8c1480c6cf/t/conf/jwt.conf#L48 and the respective test in https://github.com/kjdev/nginx-auth-jwt/blob/3ec16e9d8af12fd705408813e87adc8c1480c6cf/t/auth_jwt_allow_nested.t#L19; it seems like you HAVE TO set the string as a variable and you can't use a static string! So doing it like this works

set $expected_role '["license-admin"]';
auth_jwt_require_claim realm_access.roles intersect $expected_role;

maybe this should be made clearer in the documentation!

kjdev commented 1 month ago

Syntax: auth_jwt_require_claim claim_name operator $variable | json=string | string;
Default: -
Context: http, server, location

How about the following settings.

auth_jwt_require_claim realm_access.roles intersect json=["license-admin"];

Static strings are treated as plain strings and must be recognized as JSON strings.
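As an added example (not from the thread or the module's README), the failing and working spellings of the same requirement side by side in one location block. `auth_jwt` and `auth_jwt_key_file` are assumed to be the module's enabling directives and the key file path is a placeholder.

```nginx
# Added example: require "license-admin" inside the nested realm_access.roles array.
# auth_jwt / auth_jwt_key_file are assumed enabling directives; the path is a placeholder.
location /admin/ {
    auth_jwt "admin area";
    auth_jwt_key_file /etc/nginx/jwt-keys.json;   # placeholder path
    auth_jwt_allow_nested;                        # needed for dotted claim names

    # 1) FAILS: a bare string is treated as plain text, so the claim
    #    array is compared against the literal '["license-admin"]' and
    #    "intersect" never matches (see the rejection log line above).
    # auth_jwt_require_claim realm_access.roles intersect '["license-admin"]';

    # 2) Works: the json= prefix makes the module parse the value as JSON.
    auth_jwt_require_claim realm_access.roles intersect json=["license-admin"];

    # 3) Also works: a variable whose value is JSON text.
    # set $expected_role '["license-admin"]';
    # auth_jwt_require_claim realm_access.roles intersect $expected_role;
}
```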

col-panic commented 1 month ago

@kjdev yes, you are right, this

auth_jwt_require_claim realm_access.roles intersect json=["license-admin"];

does work! I guess it would be good if this one could be additionally documented! Thanks a lot!

col-panic commented 1 month ago

It is, somehow; if you could just add an example like the one above it would be great. It is not really clear from the provided example, where you have json=234342323 :)

kjdev commented 1 month ago

Added sample to README.md

https://github.com/kjdev/nginx-auth-jwt/commit/6f9df6dc38f0604f75420fe6f2e3ff9263bbb283

col-panic commented 1 month ago

That's great! Thank you very much for your help!