[Question] How to get path parameter during authorization? JWT audience claim in path for multi-tenant app #2923
Comments
|
I think I figured it out, using a custom type TenantAuthorizer struct {
}
func NewTenantAuthorizer() *TenantAuthorizer {
return &TenantAuthorizer{}
}
func (a TenantAuthorizer) Authorize(req *http.Request, p interface{}) error {
// cast principal to correct type
var principal *models.Principal
var ok bool
if principal, ok = p.(*models.Principal); !ok {
return errors.New("invalid principal, expected model.Principal type")
}
// TODO: if principal has SYSTEM/SERVICE scopes then return nil
// use regex to get tenantID from `req.URL.Path`
// NOTE: all paths must follow the same convention e.g. /tenants/:tenantID
tenantID := getTenantIDFromRequest(req)
if principal.TenantID != tenantID {
return errors.New("not authenticated")
}
return nil
}And in configuration file: api.APIAuthorizer = auth.NewTenantAuthorizer()
api.OauthSecurityAuth = func(token string, scopes []string) (*models.Principal, error) {
// decode JWT, disable audience claim verification, and return principal
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
In a multi-tenant application, I need the
tenant_idfrom the path to verify the JWT'saudienceclaim. What would the best approach to do this be?Here's what I do now:
/tenants/{tenant_id}/usersapi.OauthSecurityAuthdecodes the token without verifying the audience claim.What would the best approach be to apply that at a higher level to all routes?
The text was updated successfully, but these errors were encountered: