I think I figured it out, using a custom Authorizer. You still need to disable the audience claim check when decoding the JWT, but then the Authorizer will check the principal's tenant ID based on the path. Let me know if anyone has any feedback.
```go
import (
	"errors"
	"net/http"
	// plus the project's generated models package (import path omitted here)
)

// TenantAuthorizer checks that the authenticated principal belongs to the
// tenant named in the request path.
type TenantAuthorizer struct {
}

func NewTenantAuthorizer() *TenantAuthorizer {
	return &TenantAuthorizer{}
}

func (a TenantAuthorizer) Authorize(req *http.Request, p interface{}) error {
	// cast principal to correct type
	principal, ok := p.(*models.Principal)
	if !ok {
		return errors.New("invalid principal, expected model.Principal type")
	}
	// TODO: if principal has SYSTEM/SERVICE scopes then return nil
	// use regex to get tenantID from `req.URL.Path`
	// NOTE: all paths must follow the same convention e.g. /tenants/:tenantID
	tenantID := getTenantIDFromRequest(req)
	if principal.TenantID != tenantID {
		return errors.New("not authenticated")
	}
	return nil
}
```
And in configuration file:
```go
api.APIAuthorizer = auth.NewTenantAuthorizer()
api.OauthSecurityAuth = func(token string, scopes []string) (*models.Principal, error) {
	// decode JWT, disable audience claim verification, and return principal
}
```
In a multi-tenant application, I need the `tenant_id` from the path to verify the JWT's `audience` claim. What would the best approach to do this be?

Here's what I do now:

`/tenants/{tenant_id}/users`

`api.OauthSecurityAuth` decodes the token without verifying the audience claim.

What would the best approach be to apply that at a higher level to all routes?
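The following is an added, self-contained example (not code from the issue or from go-swagger) that carries the authorizer idea from the comment above through to the check the question actually asks for: instead of dropping the audience check, it extracts `tenant_id` from the path and requires the token's `aud` claim to name that tenant, and it fills in the SYSTEM/SERVICE bypass left as a TODO in the comment. The `Principal` struct, its field names, the route convention `/tenants/{tenant_id}/...`, the scope names and all sample values are assumptions constructed for the example; only the `Authorize(*http.Request, interface{}) error` signature comes from the page. Signature verification of the JWT is still the job of the `OauthSecurityAuth` function and is not shown here.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
)

// Principal is a constructed stand-in for the decoded JWT. In the real
// project this would be the generated models.Principal; field names are
// assumptions for this example.
type Principal struct {
	Subject  string
	Audience []string // the "aud" claim: tenant IDs the token was issued for
	Scopes   []string // token scopes, e.g. "SYSTEM" for platform services
}

// tenantPath encodes the route convention assumed here: every tenant-scoped
// route starts with /tenants/{tenant_id}.
var tenantPath = regexp.MustCompile(`^/tenants/([^/]+)(?:/|$)`)

var (
	ErrBadPrincipal = errors.New("invalid principal type")
	ErrNoTenant     = errors.New("request path does not carry a tenant id")
	ErrWrongTenant  = errors.New("token audience does not include this tenant")
)

// TenantIDFromPath returns the tenant segment of a conventional path.
func TenantIDFromPath(path string) (string, bool) {
	m := tenantPath.FindStringSubmatch(path)
	if m == nil {
		return "", false
	}
	return m[1], true
}

// TenantAuthorizer compares the tenant named in the path with the token's
// audience, so a token minted for tenant A is rejected on tenant B's routes.
type TenantAuthorizer struct {
	bypass map[string]bool // scopes allowed to act across tenants (assumed)
}

func NewTenantAuthorizer(bypassScopes ...string) *TenantAuthorizer {
	a := &TenantAuthorizer{bypass: map[string]bool{}}
	for _, s := range bypassScopes {
		a.bypass[s] = true
	}
	return a
}

// Authorize has the signature used for the authorizer in the comment above.
func (a *TenantAuthorizer) Authorize(req *http.Request, p interface{}) error {
	principal, ok := p.(*Principal)
	if !ok || principal == nil {
		return ErrBadPrincipal
	}
	for _, s := range principal.Scopes {
		if a.bypass[s] {
			return nil // platform service: tenant check does not apply
		}
	}
	tenantID, ok := TenantIDFromPath(req.URL.Path)
	if !ok {
		// Fail closed: a route outside the convention grants no tenant access.
		return ErrNoTenant
	}
	for _, aud := range principal.Audience {
		if aud == tenantID {
			return nil
		}
	}
	return ErrWrongTenant
}

// Check builds a GET request for path and runs the authorizer against it.
func Check(a *TenantAuthorizer, path string, p interface{}) error {
	return a.Authorize(httptest.NewRequest(http.MethodGet, path, nil), p)
}

func main() {
	a := NewTenantAuthorizer("SYSTEM", "SERVICE")
	// Constructed sample principals: a tenant user and a platform service.
	user := &Principal{Subject: "alice", Audience: []string{"acme"}, Scopes: []string{"user"}}
	svc := &Principal{Subject: "billing", Audience: []string{"platform"}, Scopes: []string{"SERVICE"}}
	for _, c := range []struct {
		path string
		p    *Principal
	}{
		{"/tenants/acme/users", user},
		{"/tenants/globex/users", user},
		{"/health", user},
		{"/tenants/globex/invoices", svc},
	} {
		fmt.Printf("%-26s %-8s -> %v\n", c.path, c.p.Subject, Check(a, c.path, c.p))
	}
}
```

Wiring it in follows the comment's pattern (`api.APIAuthorizer = NewTenantAuthorizer("SYSTEM", "SERVICE")`), which applies the check to every route without per-handler code. The authorizer fails closed on paths that do not follow the convention, so a new route that forgets the `/tenants/{tenant_id}` prefix is denied rather than silently unscoped; if some routes are legitimately tenant-free, list them explicitly rather than loosening the regex.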