diff options
| author | Evgeny Khramtsov <ekhramtsov@process-one.net> | 2019-10-26 11:03:19 +0300 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2019-10-26 11:03:19 +0300 |
| commit | a20281803747d183202c8e7f2c653fd223c1c6da (patch) | |
| tree | 8242923746b336c9738bed0dbaa15923184ec2ac /src | |
| parent | Improve jwt_key validator (diff) | |
| parent | Add option for JWT field name containing JID (diff) | |
Merge pull request #3069 from nosnilmot/jwt-custom-jid-field
Add option for JWT field name containing JID
Diffstat (limited to 'src')
| -rw-r--r-- | src/ejabberd_auth_jwt.erl | 6 | ||||
| -rw-r--r-- | src/ejabberd_option.erl | 8 | ||||
| -rw-r--r-- | src/ejabberd_options.erl | 3 |
3 files changed, 13 insertions, 4 deletions
diff --git a/src/ejabberd_auth_jwt.erl b/src/ejabberd_auth_jwt.erl index 71fbabb45..8fce8e39c 100644 --- a/src/ejabberd_auth_jwt.erl +++ b/src/ejabberd_auth_jwt.erl @@ -86,6 +86,7 @@ use_cache(_) -> %%%---------------------------------------------------------------------- check_jwt_token(User, Server, Token) -> JWK = ejabberd_option:jwt_key(Server), + JidField = ejabberd_option:jwt_jid_field(Server), try jose_jwt:verify(JWK, Token) of {true, {jose_jwt, Fields}, Signature} -> ?DEBUG("jwt verify: ~p - ~p~n", [Fields, Signature]), @@ -97,7 +98,7 @@ check_jwt_token(User, Server, Token) -> Now = erlang:system_time(second), if Exp > Now -> - case maps:find(<<"jid">>, Fields) of + case maps:find(JidField, Fields) of error -> false; {ok, SJID} -> @@ -121,6 +122,3 @@ check_jwt_token(User, Server, Token) -> false end. -%% TODO: auth0 username is defined in 'jid' field, but we should -%% allow customizing the name of the field containing the username -%% to adapt to custom claims. diff --git a/src/ejabberd_option.erl b/src/ejabberd_option.erl index fde41e78d..773775743 100644 --- a/src/ejabberd_option.erl +++ b/src/ejabberd_option.erl @@ -51,6 +51,7 @@ -export([hosts/0]). -export([include_config_file/0, include_config_file/1]). -export([jwt_auth_only_rule/0, jwt_auth_only_rule/1]). +-export([jwt_jid_field/0, jwt_jid_field/1]). -export([jwt_key/0, jwt_key/1]). -export([language/0, language/1]). -export([ldap_backups/0, ldap_backups/1]). @@ -431,6 +432,13 @@ jwt_auth_only_rule() -> jwt_auth_only_rule(Host) -> ejabberd_config:get_option({jwt_auth_only_rule, Host}). +-spec jwt_jid_field() -> binary(). +jwt_jid_field() -> + jwt_jid_field(global). +-spec jwt_jid_field(global | binary()) -> binary(). +jwt_jid_field(Host) -> + ejabberd_config:get_option({jwt_jid_field, Host}). + -spec jwt_key() -> jose_jwk:key() | 'undefined'. jwt_key() -> jwt_key(global). diff --git a/src/ejabberd_options.erl b/src/ejabberd_options.erl index 285e38b3e..ba2fdf02f 100644 --- a/src/ejabberd_options.erl +++ b/src/ejabberd_options.erl @@ -425,6 +425,8 @@ opt_type(jwt_key) -> econf:fail({read_file, Reason, Path}) end end); +opt_type(jwt_jid_field) -> + econf:binary(); opt_type(jwt_auth_only_rule) -> econf:atom(). @@ -653,6 +655,7 @@ options() -> {websocket_ping_interval, timer:seconds(60)}, {websocket_timeout, timer:minutes(5)}, {jwt_key, undefined}, + {jwt_jid_field, <<"jid">>}, {jwt_auth_only_rule, none}]. -spec globals() -> [atom()]. |