Open achamayou opened 1 month ago

Some applications may want to authorize user input using multiple bearer tokens, for example an identity and an MAA token.

While there is no standard way to do that, we could support a slightly extended Bearer authentication method for the Authorization header, such that a user can pass:

```
Authorization: Bearers b64JWT b64JWT ...
```

A custom authentication policy, perhaps named `jwts_auth` or `multiple_jwt_auth`, would apply the logic in `jwt_auth` over each token individually, and succeed if all of them pass. A new identity object would expose resolved claims in a collection, for the application to consume.

Yes, that sounds right to me. Note that for authorization we must be able to inspect the headers of each token in the application code, e.g. to verify each issuer.

Yes, this is exposed through `request.caller.jwt` for `jwt_auth`, but for the new policy it will be a `request.caller.jwts` array of `JwtAuthnIdentity`.