
Merge pull request #3069 from nosnilmot/jwt-custom-jid-field

Add option for JWT field name containing JID
This commit is contained in:
Evgeny Khramtsov 2019-10-26 11:03:19 +03:00 committed by GitHub
commit a202818037
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 13 additions and 4 deletions


@ -86,6 +86,7 @@ use_cache(_) ->
%%%---------------------------------------------------------------------- %%%----------------------------------------------------------------------
check_jwt_token(User, Server, Token) -> check_jwt_token(User, Server, Token) ->
JWK = ejabberd_option:jwt_key(Server), JWK = ejabberd_option:jwt_key(Server),
JidField = ejabberd_option:jwt_jid_field(Server),
try jose_jwt:verify(JWK, Token) of try jose_jwt:verify(JWK, Token) of
{true, {jose_jwt, Fields}, Signature} -> {true, {jose_jwt, Fields}, Signature} ->
?DEBUG("jwt verify: ~p - ~p~n", [Fields, Signature]), ?DEBUG("jwt verify: ~p - ~p~n", [Fields, Signature]),
@ -97,7 +98,7 @@ check_jwt_token(User, Server, Token) ->
Now = erlang:system_time(second), Now = erlang:system_time(second),
if if
Exp > Now -> Exp > Now ->
case maps:find(<<"jid">>, Fields) of case maps:find(JidField, Fields) of
error -> error ->
false; false;
{ok, SJID} -> {ok, SJID} ->
@ -121,6 +122,3 @@ check_jwt_token(User, Server, Token) ->
false false
end. end.
%% TODO: auth0 username is defined in 'jid' field, but we should
%% allow customizing the name of the field containing the username
%% to adapt to custom claims.
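Review bot: The lookup at `case maps:find(JidField, Fields) of` now reads whichever claim name is configured, but nothing near it says what that claim must contain or that the `{ok, SJID} ->` branch (which continues past this hunk) is what ties it to the authenticating user; a one-line comment would save the next reader a trip to the config docs: `%% The claim named by jwt_jid_field (default <<"jid">>) must carry the bare JID this token authenticates.` Operators who point this at a custom claim should note that the claim becomes the identity assertion: if the token issuer lets end users influence that claim's value, a validly signed token can assert another user's JID, so whatever comparison of SJID against User/Server happens downstream remains essential (it is not visible here). check_jwt_token's body is only partially visible in this hunk.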


@ -51,6 +51,7 @@
-export([hosts/0]). -export([hosts/0]).
-export([include_config_file/0, include_config_file/1]). -export([include_config_file/0, include_config_file/1]).
-export([jwt_auth_only_rule/0, jwt_auth_only_rule/1]). -export([jwt_auth_only_rule/0, jwt_auth_only_rule/1]).
-export([jwt_jid_field/0, jwt_jid_field/1]).
-export([jwt_key/0, jwt_key/1]). -export([jwt_key/0, jwt_key/1]).
-export([language/0, language/1]). -export([language/0, language/1]).
-export([ldap_backups/0, ldap_backups/1]). -export([ldap_backups/0, ldap_backups/1]).
@ -431,6 +432,13 @@ jwt_auth_only_rule() ->
jwt_auth_only_rule(Host) -> jwt_auth_only_rule(Host) ->
ejabberd_config:get_option({jwt_auth_only_rule, Host}). ejabberd_config:get_option({jwt_auth_only_rule, Host}).
-spec jwt_jid_field() -> binary().
jwt_jid_field() ->
jwt_jid_field(global).
-spec jwt_jid_field(global | binary()) -> binary().
jwt_jid_field(Host) ->
ejabberd_config:get_option({jwt_jid_field, Host}).
-spec jwt_key() -> jose_jwk:key() | 'undefined'. -spec jwt_key() -> jose_jwk:key() | 'undefined'.
jwt_key() -> jwt_key() ->
jwt_key(global). jwt_key(global).


@ -425,6 +425,8 @@ opt_type(jwt_key) ->
econf:fail({read_file, Reason, Path}) econf:fail({read_file, Reason, Path})
end end
end); end);
opt_type(jwt_jid_field) ->
econf:binary();
opt_type(jwt_auth_only_rule) -> opt_type(jwt_auth_only_rule) ->
econf:atom(). econf:atom().
@ -653,6 +655,7 @@ options() ->
{websocket_ping_interval, timer:seconds(60)}, {websocket_ping_interval, timer:seconds(60)},
{websocket_timeout, timer:minutes(5)}, {websocket_timeout, timer:minutes(5)},
{jwt_key, undefined}, {jwt_key, undefined},
{jwt_jid_field, <<"jid">>},
{jwt_auth_only_rule, none}]. {jwt_auth_only_rule, none}].
-spec globals() -> [atom()]. -spec globals() -> [atom()].
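Review bot: `opt_type(jwt_jid_field) -> econf:binary();` accepts the empty binary, so a mistyped `jwt_jid_field: ""` passes config validation and only surfaces later as every JWT login failing because `maps:find(<<>>, Fields)` never matches; rejecting it at load time is cheaper to diagnose, e.g. `econf:non_empty(econf:binary())` if econf exposes non_empty the way yval does (otherwise a regexp form such as `econf:binary("^.+$")`, if that arity is supported). That failure mode is at least fail-closed, so this is a usability point rather than a security one. None of the three changed files documents the new option or its default of `<<"jid">>`, so an entry in the options reference would help operators find it.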