search

ueberauth / guardian

Elixir Authentication
MIT License
3.4k stars 381 forks source link

Provide a way to retrieve verifying secret at runtime using connection information #690

Open rbino opened 2 years ago

rbino commented 2 years ago

Hi, I'm using Guardian to perform authentication on some APIs. Those APIs are only responsible of verifying JWTs, so they just have access to the public key as those tokens are emitted and signed by a third party.

To support multitenancy, I have some code similar to this in my application (the :current_tenant in the conn gets populated by another upstream plug which in turn populates it based on the slug in the path):

defmodule MyAppWeb.VerifyHeader do
  alias Guardian.Plug.VerifyHeader, as: GuardianVerifyHeader
  alias JOSE.JWK

  def init(opts) do
    GuardianVerifyHeader.init(opts)
  end

  def call(conn, opts) do
    secret = get_secret(conn)

    merged_opts =
      opts
      |> Keyword.merge(secret: secret)

    GuardianVerifyHeader.call(conn, merged_opts)
  end

  defp get_secret(conn) do
    public_key = conn.assigns[:current_tenant].public_key
    case JWK.from_pem(public_key) do
      %JWK{} = secret ->
        secret        
      _ ->
        nil
    end
  end
end

and then I use MyApp.VerifyHeader instead of Guardian.Plug.VerifyHeader.

Now, all of this works for my specific usecase, but I feel that it would be nice to have something similar to the Guardian.Token.Jwt.SecretFetcher at the Plug level, so you could retrieve different secrets at runtime based on information contained in the Plug.

I assume this could be implemented as a behaviour where you have to implement the fetch_verifying_secret function, or you could pass an MFA to Guardian.Plug.VerifyHeader. I'd be interested on submitting a PR if you think this feature could be useful (in that case let me know which of the approaches you'd prefer).

github-actions[bot] commented 2 weeks ago

This issue has been automatically marked as "stale:discard". If this issue still relevant, please leave any comment (for example, "bump"), and we'll keep it open. We are sorry that we haven't been able to prioritize it yet. If you have any new additional information, please include it with your comment.

rbino commented 2 weeks ago

Bump