Description
forward_auth is versatile, supporting authZ decisions based on response headers. Some 3rd party systems provide authorization decisions as JSON documents instead of HTTP headers.
The Cloud Foundry platform as a service relies on such a mechanism, where it exposes an API endpoint `/v3/service_instances/:guid/permission` to verify whether the current browser session is authenticated and authorized to perform two static actions: read and manage. This endpoint returns a JSON payload such as
```json
{
  "manage": true,
  "read": true
}
```
It would be quite useful if Caddy could act as a reverse proxy for web UIs that need to be displayed only to authenticated and authorized browser sessions.
See more details in https://docs.cloudfoundry.org/services/dashboard-sso.html#checking-user-permissions
Currently, the forward_auth and reverse_proxy response matchers at https://caddyserver.com/docs/caddyfile/response-matchers include:
- HTTP status
- HTTP headers
It would be useful to have a new response_body_json_matcher reusing most of the current CEL expression matcher, such as
```json
{
  "expr": "{http.response.body.manage} == true",
  "name": "has-manage-permission"
}
```
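An added example, not part of the issue and not Caddy code: a small shim that turns the JSON permission payload into a status code, which forward_auth can already act on (2xx allows, anything else denies). The names `shim`, `decide` and `permURL`, the 4 KiB body cap, and forwarding the `Authorization` header are assumptions made for the sketch.

```go
package main

import (
	"encoding/json"
	"io"
	"net/http"
	"strings"
)

// permissions mirrors the payload in the issue; pointers separate "absent" from false.
type permissions struct {
	Manage *bool `json:"manage"`
	Read   *bool `json:"read"`
}

// decide maps the permission response to a status code; every unexpected case fails closed.
func decide(upstream int, body io.Reader, need string) int {
	var p permissions
	err := json.NewDecoder(io.LimitReader(body, 4096)).Decode(&p) // cap the body size
	if upstream != http.StatusOK || err != nil {
		return http.StatusForbidden // upstream error, malformed JSON, or "true" as a string
	}
	granted := map[string]*bool{"manage": p.Manage, "read": p.Read}[need]
	if granted == nil || !*granted {
		return http.StatusForbidden // field absent, null, false, or unknown action
	}
	return http.StatusOK
}

// shim queries permURL (hypothetical) for the caller; forwarding Authorization is an assumption.
func shim(permURL, need string, client *http.Client) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		status := http.StatusForbidden
		req, err := http.NewRequestWithContext(r.Context(), http.MethodGet, permURL, nil)
		if err == nil {
			req.Header.Set("Authorization", r.Header.Get("Authorization"))
			if resp, err := client.Do(req); err == nil {
				defer resp.Body.Close()
				status = decide(resp.StatusCode, resp.Body, need)
			}
		}
		w.WriteHeader(status)
	})
}

func main() {
	// Constructed payload with the shape shown in the issue.
	println(decide(200, strings.NewReader(`{"manage": true, "read": true}`), "manage"))
}
```

The strict `*bool` decoding matters here: a payload such as `{"manage": "true"}` or one with the field missing is denied rather than treated as truthy.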