feat: inject claims as headers (#27)
IvanJosipovic authored Dec 7, 2022
1 parent a590b52 commit ebe1ac5
Showing 3 changed files with 68 additions and 5 deletions.
10 changes: 10 additions & 0 deletions README.md
Expand Up @@ -58,6 +58,16 @@ tid=11111111-1111-1111-1111-111111111111
Along with validating the JWT token, the token must have a claim tid=11111111-1111-1111-1111-111111111111 and one of aud=22222222-2222-2222-2222-222222222222
or aud=33333333-3333-3333-3333-333333333333
### Inject claims as headers
The /auth endpoint supports a custom parameter called "inject-claims". The values are comma separated names of claims which will be added to the response headers. These headers can be used with the Ingres Nginx auth_request_set and add_header features.
For example, using the following query string /auth?
tid=11111111-1111-1111-1111-111111111111
&aud=22222222-2222-2222-2222-222222222222
&inject-claims=email
The /auth response will contains headers [email protected]
## Design
![alt text](/docs/validate-jwt.png)
42 changes: 41 additions & 1 deletion ingress-nginx-validate-jwt-tests/AuthTests.cs
Expand Up @@ -138,12 +138,44 @@ public static IEnumerable<object[]> GetTests()
},
typeof(UnauthorizedResult)
},

new object[]
{
"?tid=11111111-1111-1111-1111-111111111111&inject-claims=tid",
new List<Claim>
{
new Claim("tid", "11111111-1111-1111-1111-111111111111")
},
typeof(OkResult),
false,
new Dictionary<string, string>()
{
{ "tid", "11111111-1111-1111-1111-111111111111" }
}
},

new object[]
{
"?tid=11111111-1111-1111-1111-111111111111&inject-claims=tid,aud",
new List<Claim>
{
new Claim("tid", "11111111-1111-1111-1111-111111111111"),
new Claim("aud", "22222222-2222-2222-2222-222222222222"),
},
typeof(OkResult),
false,
new Dictionary<string, string>()
{
{ "tid", "11111111-1111-1111-1111-111111111111" },
{ "aud", "22222222-2222-2222-2222-222222222222" },
}
},
};
}

[Theory]
[MemberData(nameof(GetTests))]
public async Task Test1(string query, List<Claim> claims, Type type, bool nullAuth = false)
public async Task Test1(string query, List<Claim> claims, Type type, bool nullAuth = false, Dictionary<string,string> expectedHeaders = null)
{
IdentityModelEventSource.ShowPII = true;

Expand Down Expand Up @@ -176,6 +208,14 @@ public async Task Test1(string query, List<Claim> claims, Type type, bool nullAu
var result = await controller.Get(new CancellationToken());

result.Should().BeOfType(type);

if (expectedHeaders != null)
{
foreach (var expectedHeader in expectedHeaders)
{
httpContext.Response.Headers[expectedHeader.Key].ToString().Should().Be(expectedHeader.Value);
}
}
}
}
}
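Review bot: The two new rows in `GetTests` only name claims that are present in the token, so the `inject-claims` path where the named claim is absent (for instance `inject-claims=email` with a claims list holding only `tid`) has no case, and neither does a repeated or space-padded name such as `tid,tid` or `tid, aud`; the expected result for such rows is whatever `AuthController.Get` is meant to return there, which this commit does not pin down. The check added after `result.Should().BeOfType(type)` only asserts that each expected header is present, so a row without `inject-claims` cannot detect claim headers being emitted when they were not requested; an absence or count assertion on `httpContext.Response.Headers` would close that gap. If the test project has nullable reference types enabled, the new parameter should read `Dictionary<string, string>? expectedHeaders = null` rather than defaulting a non-nullable reference to `null`. `GetTests` starts before the first hunk, and `Test1` runs on between the two hunks.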
21 changes: 17 additions & 4 deletions ingress-nginx-validate-jwt/Controllers/AuthController.cs
Expand Up @@ -55,12 +55,25 @@ public async Task<ActionResult> Get(CancellationToken cancellationToken)

foreach (var item in Request.Query)
{
var claim = jwtToken.Claims.First(x => x.Type == item.Key).Value;

if (!item.Value.Contains(claim))
if (item.Key.Equals("inject-claims", StringComparison.InvariantCultureIgnoreCase))
{
Unauthorized.Inc();
return Unauthorized();
foreach (var claimToInject in item.Value.ToString().Split(','))
{
var claimToInjectValue = jwtToken.Claims.First(x => x.Type == claimToInject).Value;

Response.Headers.Add(claimToInject, claimToInjectValue);
}
}
else
{
var claim = jwtToken.Claims.First(x => x.Type == item.Key).Value;

if (!item.Value.Contains(claim))
{
Unauthorized.Inc();
return Unauthorized();
}
}
}

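Review bot: `jwtToken.Claims.First(x => x.Type == claimToInject)` on the `var claimToInjectValue` line throws `InvalidOperationException` when the token carries no claim of that name, so any caller can turn an otherwise valid request into an unhandled exception (a faulted auth subrequest rather than a controlled result) simply by sending `inject-claims=<name-not-in-token>`; the same `First` lookup in the `else` branch predates this commit and is not re-raised here. `Response.Headers.Add` on the line below throws on a repeated name such as `inject-claims=tid,tid`, and `Split(',')` does not trim, so `tid, aud` looks up a claim literally named ` aud`. A claim type that occurs more than once in the token is also cut down to its first value. The rewrite below looks the claim up with `Where`, skips names the token does not carry, and assigns through the header indexer so a duplicate overwrites instead of throwing; whether an absent claim should be skipped or rejected is a design choice this note does not decide. `Get` starts and ends outside the hunk; `StringComparison.OrdinalIgnoreCase` would also be the usual choice for matching the `inject-claims` key.

```csharp
foreach (var claimToInject in item.Value.ToString().Split(',', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries))
{
    var claimValues = jwtToken.Claims
        .Where(x => x.Type == claimToInject)
        .Select(x => x.Value)
        .ToArray();

    if (claimValues.Length == 0)
    {
        // Name not present in the token: skip it instead of faulting the request.
        continue;
    }

    // Indexer assignment overwrites a repeated name instead of throwing, and a
    // multi-valued claim becomes a multi-valued header instead of losing values.
    Response.Headers[claimToInject] = claimValues;
}
// … unchanged: else branch validating the remaining query parameters …
```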
