25
1
mirror of https://github.com/processone/ejabberd.git synced 2024-11-20 16:15:59 +01:00

Merge pull request #3069 from nosnilmot/jwt-custom-jid-field

Add option for JWT field name containing JID
This commit is contained in:
Evgeny Khramtsov 2019-10-26 11:03:19 +03:00 committed by GitHub
commit a202818037
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 13 additions and 4 deletions

View File

@ -86,6 +86,7 @@ use_cache(_) ->
%%%----------------------------------------------------------------------
check_jwt_token(User, Server, Token) ->
JWK = ejabberd_option:jwt_key(Server),
JidField = ejabberd_option:jwt_jid_field(Server),
try jose_jwt:verify(JWK, Token) of
{true, {jose_jwt, Fields}, Signature} ->
?DEBUG("jwt verify: ~p - ~p~n", [Fields, Signature]),
@ -97,7 +98,7 @@ check_jwt_token(User, Server, Token) ->
Now = erlang:system_time(second),
if
Exp > Now ->
case maps:find(<<"jid">>, Fields) of
case maps:find(JidField, Fields) of
error ->
false;
{ok, SJID} ->
@ -121,6 +122,3 @@ check_jwt_token(User, Server, Token) ->
false
end.
%% TODO: auth0 username is defined in 'jid' field, but we should
%% allow customizing the name of the field containing the username
%% to adapt to custom claims.

View File

@ -51,6 +51,7 @@
-export([hosts/0]).
-export([include_config_file/0, include_config_file/1]).
-export([jwt_auth_only_rule/0, jwt_auth_only_rule/1]).
-export([jwt_jid_field/0, jwt_jid_field/1]).
-export([jwt_key/0, jwt_key/1]).
-export([language/0, language/1]).
-export([ldap_backups/0, ldap_backups/1]).
@ -431,6 +432,13 @@ jwt_auth_only_rule() ->
jwt_auth_only_rule(Host) ->
ejabberd_config:get_option({jwt_auth_only_rule, Host}).
-spec jwt_jid_field() -> binary().
jwt_jid_field() ->
jwt_jid_field(global).
-spec jwt_jid_field(global | binary()) -> binary().
jwt_jid_field(Host) ->
ejabberd_config:get_option({jwt_jid_field, Host}).
-spec jwt_key() -> jose_jwk:key() | 'undefined'.
jwt_key() ->
jwt_key(global).

View File

@ -425,6 +425,8 @@ opt_type(jwt_key) ->
econf:fail({read_file, Reason, Path})
end
end);
opt_type(jwt_jid_field) ->
econf:binary();
opt_type(jwt_auth_only_rule) ->
econf:atom().
@ -653,6 +655,7 @@ options() ->
{websocket_ping_interval, timer:seconds(60)},
{websocket_timeout, timer:minutes(5)},
{jwt_key, undefined},
{jwt_jid_field, <<"jid">>},
{jwt_auth_only_rule, none}].
-spec globals() -> [atom()].