JWT claim as escaped string (not Object) #3696

Open
wants to merge 2 commits into
base: main

izanbard

Further to PRs #3560 and #3692.

Now that it is possible to specify any claim key for the permissions within the JWT, the next step is to allow for OAuth providers that do not support (or only support in certain use cases) object claims. Specifically, in the case of AZ B2C, extension claims are permitted to be bool, int or string. To overcome this limitation it is possible to put the permissions in the claim as a stringified JSON object.

So this below (as it appears when using the Keycloak example in the README.md):

"mediamtx_permissions": [
    {
        "action": "read",
        "path": "~^mypath"
    }
]

Becomes:

"mediamtx_permissions": "[{\"action\": \"read\", \"path\": \"~^mypath\" }]"

The changes in #3692 capture the rawPermissions as part of the claim extraction process; the changes in this PR inject at this point to determine if the json.RawMessage is a string based on the leading character. If it is a string then a string conversion is conducted to unquote it. The result is then passed on to the remainder of the extraction function.

(@aler9 you, having read my poor attempts at Go, will no doubt realise that Go is not my first language, so I assume there is a better way of checking to see if the rawPermissions is in fact a string - if you know it then I am all ears)
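
One way to handle both claim forms from the description above, as an added example that is not part of this PR or of the MediaMTX code base: it unquotes with `encoding/json` itself and rejects every claim shape other than an array or a string holding one. The names `Permission`, `decodePermissions` and `errBadClaim` are hypothetical, and the inputs are constructed from the two forms shown in the description.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
)

// Permission holds the two fields shown in the PR description (hypothetical type).
type Permission struct {
	Action string `json:"action"`
	Path   string `json:"path"`
}

var errBadClaim = errors.New("permissions claim is neither a JSON array nor a string holding one")

// decodePermissions (hypothetical helper) accepts an array or a string holding one.
func decodePermissions(raw json.RawMessage) ([]Permission, error) {
	raw = bytes.TrimSpace(raw)
	if len(raw) > 0 && raw[0] == '"' {
		// encoding/json applies JSON string rules, which differ from Go literal rules.
		var inner string
		if err := json.Unmarshal(raw, &inner); err != nil {
			return nil, fmt.Errorf("unquote claim: %w", err)
		}
		raw = bytes.TrimSpace([]byte(inner))
	}
	// One level only: null, bool, number, object and double-encoded strings fail closed.
	if len(raw) == 0 || raw[0] != '[' {
		return nil, errBadClaim
	}
	var perms []Permission
	if err := json.Unmarshal(raw, &perms); err != nil {
		return nil, fmt.Errorf("decode permissions: %w", err)
	}
	return perms, nil
}

func main() {
	// Constructed inputs: the two claim forms from the PR description.
	for _, claim := range []string{
		`[{"action": "read", "path": "~^mypath"}]`,
		`"[{\"action\": \"read\", \"path\": \"~^mypath\" }]"`,
	} {
		perms, err := decodePermissions(json.RawMessage(claim))
		fmt.Println(perms, err)
	}
}
```

Because the value decides what a token holder may do, any shape the decoder does not recognise returns an error instead of an empty permission list.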

Add a check to spot if the raw JWT claim is a string (rather than an object) and destringify it before unmarshalling
Add a check to spot if the raw JWT claim is a string (rather than an object) and destringify it before unmarshalling