Support "scope" claim as a string in jwt authenticator (#137)

Signed-off-by: Stanislav Zapolsky <[email protected]>
ory · Nov 15, 2018 · ab5240e · ab5240e
1 parent 9a6901d
commit ab5240e
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 0 deletions.
diff --git a/proxy/authenticator_jwt.go b/proxy/authenticator_jwt.go
@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"net/http"
 	"net/url"
+	"strings"
 
 	"github.com/dgrijalva/jwt-go"
 	"github.com/ory/fosite"
@@ -127,6 +128,16 @@ func (a *AuthenticatorJWT) Authenticate(r *http.Request, config json.RawMessage,
 		}
 	}
 
+	if scopeClaim, err := mapx.GetString(map[interface{}]interface{}{"scope": claims["scope"]}, "scope"); err == nil {
+		scopeStrings := strings.Split(scopeClaim, " ")
+		scopeInterfaces := make([]interface{}, len(scopeStrings))
+
+		for i := range scopeStrings {
+			scopeInterfaces[i] = scopeStrings[i]
+		}
+		claims["scope"] = scopeInterfaces
+	}
+
 	if a.scopeStrategy != nil {
 		tokenScope := mapx.GetStringSliceDefault(map[interface{}]interface{}{"scope": claims["scope"]}, "scope", []string{})
 		for _, scope := range cf.Scopes {

diff --git a/proxy/authenticator_jwt_test.go b/proxy/authenticator_jwt_test.go
@@ -148,6 +148,28 @@ func TestAuthenticatorJWT(t *testing.T) {
 				},
 			},
 		},
+		{
+			d: "should pass because JWT scope can be a string",
+			r: &http.Request{Header: http.Header{"Authorization": []string{"bearer " + generateJWT(t, jwt.MapClaims{
+				"sub":   "sub",
+				"exp":   now.Add(time.Hour).Unix(),
+				"aud":   []string{"aud-1", "aud-2"},
+				"iss":   "iss-2",
+				"scope": "scope-3 scope-2 scope-1",
+			}, "RS256")}}},
+			config:    `{"target_audience": ["aud-1", "aud-2"], "trusted_issuers": ["iss-1", "iss-2"], "required_scope": ["scope-1", "scope-2"]}`,
+			expectErr: false,
+			expectSess: &AuthenticationSession{
+				Subject: "sub",
+				Extra: map[string]interface{}{
+					"sub":   "sub",
+					"exp":   float64(now.Add(time.Hour).Unix()),
+					"aud":   []interface{}{"aud-1", "aud-2"},
+					"iss":   "iss-2",
+					"scope": []interface{}{"scope-3", "scope-2", "scope-1"},
+				},
+			},
+		},
 		{
 			d: "should pass because JWT is valid and HS256 is allowed",
 			r: &http.Request{Header: http.Header{"Authorization": []string{"bearer " + generateJWT(t, jwt.MapClaims{