
Replace use of JMES paths. #1229

Open
partim opened this issue Aug 6, 2024 · 0 comments · May be fixed by #1232

partim (Member) commented Aug 6, 2024

This issue is a proposal to replace the use of JMES paths for translating OpenID claims with a system using a small number of configuration attributes. This is necessary since the jmespath crate won’t currently compile together with other dependencies and seems to be mostly unmaintained.

Current Design

In OpenID, an authenticated user has a number of properties attached to it in what is known as claims. These are contained in a JSON object with each claim as a member. The value of a claim can be any valid JSON value, i.e., it can be very complex, but in practice they seem to be either simple values or arrays of simple values.

A JMES path is used to select a, possibly nested, value from this claims object, optionally transform it into another value by way of a custom regexp substitution function and assign it to a property that can then be used within Krill.

Proposed New Design

Instead of using a JMES path to allow users to transform claims in whatever way they like, we use a strict four step approach:

  1. Pick a claim based on its name.
  2. Match the claim’s value using a regular expression.
  3. Substitute the claim’s value using a regexp substitution possibly using submatches from the previous step.
  4. Assign the result to a target property.

Only if the named claim is available and the regular expression matches will the value be transformed and assigned. If the claim’s value is an array, the first matching element of the array is used.

This will configure similarly to the current system but with the jmespath property split into three properties:

  • claim is the name of the claim,
  • match is the regular expression to match the claim’s value against,
  • subst is the substitution expression to apply to the match.

In addition, the current optional dest property allows selecting the Krill property to apply the value to.

Example

Here’s the new version of the Azure Active Directory example from the Krill documentation:

```toml
[auth_openidconnect.claims]
ro_role = { claim = "groups", match = "gggggggg-gggg-gggg-gggg-gggggggggggg", subst = "readonly", dest = "role" }
rw_role = { claim = "groups", match = "hhhhhhhh-hhhh-hhhh-hhhh-hhhhhhhhhhhh", subst = "readwrite", dest = "role" }
```
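The following is an added example, not part of the issue and not Krill's own (Rust) code: a Python sketch of the four-step claim mapping described above, run against a constructed claims object using the Azure AD rules from the example plus one hypothetical `email` rule to show a submatch in `subst`. It assumes `match` is anchored to the whole value (`fullmatch`), since an unanchored search would let a group id that merely contains the configured id as a substring satisfy the rule; the issue does not state which semantics Krill will use, nor which rule wins when two rules assign the same `dest`, so both are labelled as assumptions in the code.

```python
import json
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ClaimRule:
    """One entry of [auth_openidconnect.claims]: claim / match / subst / dest."""
    claim: str
    match: str
    subst: str
    dest: str


# Constructed rules: the two group rules mirror the issue's Azure AD example;
# "user_id" is a hypothetical extra rule showing a submatch reference in subst.
RULES = {
    "ro_role": ClaimRule("groups", r"gggggggg-gggg-gggg-gggg-gggggggggggg", "readonly", "role"),
    "rw_role": ClaimRule("groups", r"hhhhhhhh-hhhh-hhhh-hhhh-hhhhhhhhhhhh", "readwrite", "role"),
    "user_id": ClaimRule("email", r"([^@]+)@example\.org", r"\1", "id"),
}

# Constructed claims object as an identity provider might return it (sample data).
SAMPLE_CLAIMS = json.loads("""
{
  "sub": "1234567890",
  "email": "alice@example.org",
  "groups": ["aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
             "hhhhhhhh-hhhh-hhhh-hhhh-hhhhhhhhhhhh"]
}
""")


def apply_rule(rule, claims):
    """Steps 1-3: pick the claim, match its value, substitute.

    Returns the transformed value, or None when the claim is absent or no
    (array element) value matches. Arrays use the first matching element.
    """
    if rule.claim not in claims:            # step 1: claim must be present
        return None
    value = claims[rule.claim]
    candidates = value if isinstance(value, list) else [value]
    pattern = re.compile(rule.match)
    for candidate in candidates:
        if isinstance(candidate, (dict, list)):
            continue                        # only simple values are considered
        # Non-string scalars are compared in their JSON spelling (true, 42, ...).
        text = candidate if isinstance(candidate, str) else json.dumps(candidate)
        # Assumption: the whole value must match, so a partial overlap with the
        # configured pattern (e.g. a longer id containing it) does not count.
        m = pattern.fullmatch(text)         # step 2
        if m is not None:
            return m.expand(rule.subst)     # step 3: \1 / \g<name> refer to submatches
    return None


def map_claims(rules, claims):
    """Step 4: assign each rule's result to its dest property.

    Assumption: when two rules target the same dest, the later rule wins;
    the issue does not specify a precedence.
    """
    props = {}
    for rule in rules.values():
        result = apply_rule(rule, claims)
        if result is not None:
            props[rule.dest] = result
    return props


def demo():
    return map_claims(RULES, SAMPLE_CLAIMS)


if __name__ == "__main__":
    print(demo())  # {'role': 'readwrite', 'id': 'alice'}
```

A user who is in neither configured group, or whose token carries no `groups` claim at all, simply gets no `role` property, which is the safe default the proposal describes: nothing is assigned unless the named claim exists and the pattern matches.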