microsoft / CCF

Confidential Consortium Framework
https://microsoft.github.io/CCF/
Apache License 2.0

Support authentication using multiple bearer tokens #6419

Open achamayou opened 1 month ago

achamayou commented 1 month ago

Some applications may want to authorize user input using multiple bearer tokens, for example an identity and an MAA token.

While there is no standard way to do that, we could support a slightly extended Bearer authentication method for the Authorization header, such that a user can pass:

Authorize: Bearers b64JWT b64JWT ...

A custom authentication policy perhaps named jwts_auth or multiple_jwt_auth would apply the logic in jwt_auth over each token individually, and succeed if all of them pass. A new identity object would expose resolved claims in a collection, for the application to consume.

ad-l commented 1 month ago

Yes, that sounds right to me. Note that for authorization we must be able to inspect the headers of each token in the application code, e.g. to verify each issuer.

achamayou commented 1 month ago

Yes, this is exposed through request.caller.jwt for jwt_auth, but for the new policy it will be a request.caller.jwts array of JwtAuthnIdentity.