markusmueller commented on PR #11059: URL: https://github.com/apache/apisix/pull/11059#issuecomment-2045513351
Yes, I'm suggesting additional config variables and reuse of existing methods. Let me illustrate and hope it gets more clear :-)

The plugin is using [lua-resty-openidc](https://github.com/zmartzone/lua-resty-openidc/tree/9f3a4fcade930f6f38ee0cb43cabf50cebffbcc9) for JWT validation. Instead of implementing your own claim validation, the idea is to reuse existing methods:

1. Find a JSON representation of the JWT validators supported by `lua-resty-openidc` and add it to the plugin config (validators are implemented in `lua-resty-jwt`, see for example: https://github.com/SkyLothar/lua-resty-jwt/blob/master/t/validators.t)
2. Instantiate the validator(s) according to the configuration, chain them if it's multiple instances
3. Pass the validator(s) to https://github.com/apache/apisix/blob/4df549c21278fbb99a1efba160b2ac9119ce4e1f/apisix/plugins/openid-connect.lua#L373

Rough draft of the additional config properties:

```
{
  "type": "array",
  "items": {
    "type": "object",
    "properties": {
      "type": {
        "type": "string",
        "title": "type",
        "enum": [ "matches", "equals" ]
      },
      "argument": {
        "type": "string",
        "title": "argument",
        "description": "Argument for the validator, for example validator of type matches is accepting a regex",
        "minLength": 1
      },
      "claim": {
        "type": "string",
        "title": "claim",
        "description": "Name of the claim the validator will be applied to",
        "minLength": 1
      }
    },
    "title": "validator",
    "required": [ "argument", "claim", "type" ]
  },
  "title": "jwt-validators",
  "description": "Array of JWT validators applied to the JWT token"
}
```

Example config:

```
{
  "jwt-validators": [
    { "claim": "aud", "type": "equals", "argument": "your_client_id" }
  ]
}
```
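The three steps proposed in the comment above (config entry, validator instance, chain) could look like the following. This is an added sketch, not code from the PR, the commenter or APISIX; `build_claim_spec` and the `iss` entry are hypothetical, and it assumes `lua-resty-jwt` is on the Lua path as it is in an APISIX/OpenResty install.

```lua
-- Added example, not APISIX code. build_claim_spec is a hypothetical helper.
local validators = require("resty.jwt-validators")
local unpack = unpack or table.unpack

-- Allowlist: config "type" -> validator factory. Anything not listed here is
-- rejected, so route config can never select an arbitrary library function.
-- The non-"opt_" factories also fail when the claim is absent from the token.
local FACTORIES = {
    equals  = validators.equals,
    matches = validators.matches,  -- argument is passed through unchanged;
                                   -- check which pattern syntax it expects
}

local function build_claim_spec(conf_validators)
    local per_claim = {}
    for i, v in ipairs(conf_validators or {}) do
        local factory = FACTORIES[v.type]
        if not factory then
            return nil, "jwt-validators[" .. i .. "]: unsupported type "
                        .. tostring(v.type)
        end
        -- guard against the factory raising on a bad argument
        local ok, fn = pcall(factory, v.argument)
        if not ok then
            return nil, "jwt-validators[" .. i .. "]: " .. tostring(fn)
        end
        per_claim[v.claim] = per_claim[v.claim] or {}
        table.insert(per_claim[v.claim], fn)
    end

    local spec = {}
    for claim, fns in pairs(per_claim) do
        -- several validators on the same claim must all pass
        spec[claim] = #fns == 1 and fns[1] or validators.chain(unpack(fns))
    end
    return spec
end

-- Constructed sample config, same shape as the example config in the comment.
local spec, err = build_claim_spec({
    { claim = "aud", type = "equals",  argument = "your_client_id" },
    { claim = "iss", type = "matches", argument = "^https://" },
})
assert(spec, err)
-- spec is then handed to the verification call as a claim spec, e.g.
-- openidc.bearer_jwt_verify(opts, spec)
return build_claim_spec
```

Returning an error string instead of raising lets the plugin's schema check reject a bad `jwt-validators` entry when the route is configured rather than on the first request.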
