JWT scope-policy mapping support added #1943

Merged
merged 3 commits into from
Dec 6, 2018

dencoded (Contributor) commented Oct 23, 2018

Added changes for #1834.

For JWT middleware:

  1. There is a new field `jwt_scope_to_policy_mapping` in the API definition (and in the payload of the endpoint that creates an API), which is just a mapping of scope to policy_id.
  2. If this field is present, then the session key associated with the given JWT will be assigned to several policies using the provided mapping.
  3. The base-policy JWT claim logic still works for backward compatibility.
  4. Policies mapped to JWT scope should follow the recently implemented rules around the per_api partitions flag: they shouldn't have the same API id in ACL and might specify a limit on API level per API in ACL.

For OpenID middleware:

  1. The idea is that the UI will give the user a choice in the dialog where we set up the issuer/provider: use the old implementation with a client_id->policy_id pair, or use the scope->policy mapping (but not both).
  2. If the scope->policy mapping is selected, we ask for values for two new fields, `scope_field_name` and `scope_to_policy_mapping`.
  3. On the Tyk side, if `scope_field_name` and `scope_to_policy_mapping` are populated, it acts as a trigger to use the new logic for scope->policy mapping; if those fields are empty, it tries to use the old logic with the client_id->policy_id pair.
  4. Policies mapped to JWT scope should follow the recently implemented rules around the per_api partitions flag: they shouldn't have the same API id in ACL and might specify a limit on API level per API in ACL.

We should also re-vendor tyk/apidef in dashboard (new fields) if we go forward with that approach.

dencoded and others added 2 commits December 6, 2018 10:09
openID mw changed to use scope-policy mapping from claim
buger merged commit f47bc6c into master Dec 6, 2018
buger deleted the scope-policy-mapping branch December 6, 2018 11:28
buger added a commit that referenced this pull request Dec 20, 2018
The main intent that it probably will be too complex, especially from UI point of view. Let's start with defining the same mapping for all clients. As a bonus, all fields are shared with the JWT middleware.

Also, the JWT middleware scope name is made configurable using `JWTScopeClaimName`.

Plus, the empty map check now uses `len` instead of nil, to support empty maps.

Updates #1943 and #1834
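
A sketch of the scope-to-policy resolution described in the pull request and the follow-up commit, added here as an illustration and not taken from Tyk's code. `ResolvePolicies`, the space-delimited scope claim, the `acl` map (policy ID to the API IDs in its ACL) and all sample values are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// ResolvePolicies (hypothetical helper) maps a space-delimited scope claim to
// policy IDs. A nil result with a nil error means no mapping is configured,
// so the caller falls back to the base-policy claim logic.
func ResolvePolicies(scopeClaim string, mapping map[string]string, acl map[string][]string) ([]string, error) {
	if len(mapping) == 0 { // len, not a nil check, so an empty map counts too
		return nil, nil
	}
	ids := []string{}
	seen := map[string]bool{}
	owner := map[string]string{} // API ID -> policy that already lists it
	for _, scope := range strings.Fields(scopeClaim) {
		id, ok := mapping[scope]
		if !ok || seen[id] {
			continue // unmapped scopes grant nothing; repeated policies collapse
		}
		apis, found := acl[id]
		if !found {
			return nil, fmt.Errorf("scope %q maps to unknown policy %q", scope, id)
		}
		// Mapped policies must not list the same API ID in their ACLs.
		for _, api := range apis {
			if prev, dup := owner[api]; dup {
				return nil, fmt.Errorf("policies %q and %q both list API %q", prev, id, api)
			}
			owner[api] = id
		}
		seen[id] = true
		ids = append(ids, id)
	}
	return ids, nil
}

func main() {
	// Constructed sample data, not taken from the pull request.
	acl := map[string][]string{"pol-read": {"api-users"}, "pol-write": {"api-orders"}}
	mapping := map[string]string{"users:read": "pol-read", "orders:write": "pol-write"}
	ids, err := ResolvePolicies("users:read admin orders:write", mapping, acl)
	fmt.Println(ids, err)
}
```

The unmapped `admin` scope is ignored, so a token cannot gain a policy by carrying a scope the API definition never mapped.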