Merge a7ef54a into 4f7a4dc

TykTechnologies · Dec 7, 2018 · ebb1492 · ebb1492
2 parents 4f7a4dc + a7ef54a
commit ebb1492
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 23 deletions.
diff --git a/apidef/api_definitions.go b/apidef/api_definitions.go
@@ -305,10 +305,8 @@ type ServiceDiscoveryConfiguration struct {
 }
 
 type OIDProviderConfig struct {
-	Issuer               string            `bson:"issuer" json:"issuer"`
-	ClientIDs            map[string]string `bson:"client_ids" json:"client_ids"`
-	ScopeFieldName       string            `bson:"scope_field_name" json:"scope_field_name"`
-	ScopeToPolicyMapping map[string]string `bson:"scope_to_policy_mapping" json:"scope_to_policy_mapping"`
+	Issuer    string            `bson:"issuer" json:"issuer"`
+	ClientIDs map[string]string `bson:"client_ids" json:"client_ids"`
 }
 
 type OpenIDOptions struct {
@@ -355,6 +353,7 @@ type APIDefinition struct {
 	JWTNotBeforeValidationSkew uint64               `bson:"jwt_not_before_validation_skew" json:"jwt_not_before_validation_skew"`
 	JWTSkipKid                 bool                 `bson:"jwt_skip_kid" json:"jwt_skip_kid"`
 	JWTScopeToPolicyMapping    map[string]string    `bson:"jwt_scope_to_policy_mapping" json:"jwt_scope_to_policy_mapping"`
+	JWTScopeClaimName          string               `bson:"jwt_scope_claim_name" json:"jwt_scope_claim_name"`
 	NotificationsDetails       NotificationsManager `bson:"notifications" json:"notifications"`
 	EnableSignatureChecking    bool                 `bson:"enable_signature_checking" json:"enable_signature_checking"`
 	HmacAllowedClockSkew       float64              `bson:"hmac_allowed_clock_skew" json:"hmac_allowed_clock_skew"`

diff --git a/apidef/schema.go b/apidef/schema.go
@@ -105,6 +105,9 @@ const Schema = `{
         "jwt_scope_to_policy_mapping": {
             "type": ["object", "null"]
         },
+        "jwt_scope_claim_name": {
+            "type": "string"
+        },
         "use_keyless": {
             "type": "boolean"
         },

diff --git a/mw_jwt.go b/mw_jwt.go
@@ -307,8 +307,13 @@ func (k *JWTMiddleware) processCentralisedJWT(r *http.Request, token *jwt.Token)
 			true)
 
 		// apply policies from scope if scope-to-policy mapping is specified for this API
-		if k.Spec.JWTScopeToPolicyMapping != nil {
-			if scope := getScopeFromClaim(claims, "scope"); scope != nil {
+		if len(k.Spec.JWTScopeToPolicyMapping) != 0 {
+			scopeClaimName := k.Spec.JWTScopeClaimName
+			if scopeClaimName == "" {
+				scopeClaimName = "scope"
+			}
+
+			if scope := getScopeFromClaim(claims, scopeClaimName); scope != nil {
 				polIDs := []string{
 					basePolicyID, // add base policy as a first one
 				}

diff --git a/mw_openid.go b/mw_openid.go
@@ -23,7 +23,6 @@ type OpenIDMW struct {
 	providerConfiguration     *openid.Configuration
 	provider_client_policymap map[string]map[string]string
 	lock                      sync.RWMutex
-	providerConfigs           map[string]apidef.OIDProviderConfig
 }
 
 func (k *OpenIDMW) Name() string {
@@ -44,12 +43,6 @@ func (k *OpenIDMW) Init() {
 	if err != nil {
 		k.Logger().WithError(err).Error("OpenID configuration error")
 	}
-
-	// prepare map issuer->config to lookup configs when processing requests
-	k.providerConfigs = make(map[string]apidef.OIDProviderConfig)
-	for _, providerConf := range k.Spec.OpenIDOptions.Providers {
-		k.providerConfigs[providerConf.Issuer] = providerConf
-	}
 }
 
 func (k *OpenIDMW) getProviders() ([]openid.Provider, error) {
@@ -120,15 +113,8 @@ func (k *OpenIDMW) ProcessRequest(w http.ResponseWriter, r *http.Request, _ inte
 		return errors.New("Key not authorised"), http.StatusUnauthorized
 	}
 
-	providerConf, ok := k.providerConfigs[iss.(string)]
-	if !ok {
-		logger.Error("No issuer or audiences found!")
-		k.reportLoginFailure("[NOT GENERATED]", r)
-		return errors.New("Key not authorised"), http.StatusUnauthorized
-	}
-
 	// decide if we use policy ID from provider client settings or list of policies from scope-policy mapping
-	useScope := providerConf.ScopeFieldName != "" && providerConf.ScopeToPolicyMapping != nil
+	useScope := len(k.Spec.JWTScopeToPolicyMapping) != 0
 
 	k.lock.RLock()
 	clientSet, foundIssuer := k.provider_client_policymap[iss.(string)]
@@ -182,9 +168,14 @@ func (k *OpenIDMW) ProcessRequest(w http.ResponseWriter, r *http.Request, _ inte
 	if !useScope {
 		policiesToApply = append(policiesToApply, policyID)
 	} else {
-		if scope := getScopeFromClaim(token.Claims.(jwt.MapClaims), providerConf.ScopeFieldName); scope != nil {
+		scopeClaimName := k.Spec.JWTScopeClaimName
+		if scopeClaimName == "" {
+			scopeClaimName = "scope"
+		}
+
+		if scope := getScopeFromClaim(token.Claims.(jwt.MapClaims), scopeClaimName); scope != nil {
 			// add all policies matched from scope-policy mapping
-			policiesToApply = mapScopeToPolicies(providerConf.ScopeToPolicyMapping, scope)
+			policiesToApply = mapScopeToPolicies(k.Spec.JWTScopeToPolicyMapping, scope)
 		}
 	}