README.md: add sample "require sub=joe" authorization expression
Signed-off-by: Hans Zandbelt <hans.zandbelt@openidc.com>
zandbelt committed Jun 20, 2024
1 parent 3f12c92 commit 76102f0
Showing 1 changed file with 7 additions and 1 deletion.
8 changes: 7 additions & 1 deletion README.md
Expand Up @@ -24,12 +24,16 @@ OAuth2TokenVerify [ introspect | jwk_uri | metadata | jwk | plain | base64 | bas
"~*^Bearer\s+(?<token>[\S]+)$" $token;
}
map $pfc_introspect_sub $valid_sub_joe {
"joe" 1;
}
server {
listen 7070;
server_name nginx;
#
# introspection
# introspection with a sample "require sub=joe" authorization expression
#
location /oauth2/pingfed/introspect {
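Review bot: the `map $pfc_introspect_sub $valid_sub_joe` block has no `default` entry, so for any subject other than `joe` the variable is left empty rather than set to an explicit `0`; add `default 0;` inside the map so the deny case is stated in the configuration itself instead of depending on how `OAuth2Require` treats an empty variable.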
Expand All @@ -41,6 +45,8 @@ OAuth2TokenVerify [ introspect | jwk_uri | metadata | jwk | plain | base64 | bas
OAuth2Claim username $pfc_introspect_username;
OAuth2Claim active $pfc_introspect_active;
OAuth2Require $valid_sub_joe;
proxy_set_header OAUTH2_CLAIM_sub $pfc_introspect_sub;
proxy_set_header OAUTH2_CLAIM_username $pfc_introspect_username;
proxy_set_header OAUTH2_CLAIM_active $pfc_introspect_active;
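Review bot: `OAuth2Require $valid_sub_joe;` is shown without saying which variable value the directive accepts as "authorized"; a one-line note beside it in the README (for instance that the map emits `1` for the permitted subject and that anything else is rejected, if that is the intended behaviour) would let readers adapt the expression to their own claims without guessing.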

2 comments on commit 76102f0

@pladen pladen commented on 76102f0 Jun 21, 2024


IMHO a more complete example would be

map $pfc_introspect_sub $valid_sub {
    "joe"          1;
    "alice"        1;
    "bob"          1;
    "~admin_.+"    1;  # allow
    "~student_.+"  0;  # deny
    default        0;  # default to deny
}
OAuth2Require $valid_sub;
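To see what the two map variants above hand to `OAuth2Require` for different subjects, here is an added Python model of nginx `map` evaluation (not code from the commit or from pladen's comment); `eval_map` and `is_authorized` are hypothetical helpers, the tables are constructed from the README diff and the comment, and it assumes that only the value `1` authorizes a request.

```python
import re

# Constructed sample: the authorization table from the comment above, as
# (pattern, value) pairs. A leading "~" marks a regular expression, as in nginx.
VALID_SUB_TABLE = [
    ("joe", "1"),
    ("alice", "1"),
    ("bob", "1"),
    ("~admin_.+", "1"),    # allow
    ("~student_.+", "0"),  # deny
]

# The map as committed in the README: one literal and no "default" line.
VALID_SUB_JOE_TABLE = [("joe", "1")]


def eval_map(source, table, default=None):
    """Simplified model of nginx `map` (hypothetical helper, not nginx code).

    Literal entries are tried first, then regular expressions in order of
    appearance; nginx regexes are unanchored, so a pattern may match inside
    the subject unless it is anchored with ^ and $. A map without a default
    yields an empty string for an unmatched source value.
    """
    for pattern, value in table:
        if not pattern.startswith("~") and pattern == source:
            return value
    for pattern, value in table:
        if pattern.startswith("~") and re.search(pattern[1:], source):
            return value
    return default if default is not None else ""


def is_authorized(sub, table, default=None):
    """Assumption: a request is authorized only when the map emits "1";
    an empty value or "0" is treated as deny."""
    return eval_map(sub, table, default) == "1"


if __name__ == "__main__":
    # Without a default, an unknown subject produces "" rather than an explicit "0".
    print(repr(eval_map("mallory", VALID_SUB_JOE_TABLE)))
    # The unanchored "~admin_.+" pattern also matches a subject like "notadmin_x".
    print(eval_map("notadmin_x", VALID_SUB_TABLE, "0"))
```

The last call shows why a prefix rule meant to cover only `admin_*` subjects should be written anchored (`~^admin_.+$`) before it is used as an authorization expression.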

@zandbelt
Member Author


agree, see: 872b96e thanks!
