Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow more robust JWT enrichment #29

Open
com4 opened this issue Dec 23, 2020 · 0 comments · May be fixed by #30
Open

Allow more robust JWT enrichment #29

com4 opened this issue Dec 23, 2020 · 0 comments · May be fixed by #30

Comments

@com4
Copy link
Contributor

com4 commented Dec 23, 2020
edited
Loading

I would like a way to make a more robust JWT modeling some of the claims after OIDC (though not completely compliant). To do this I need access to user information. Currently the token_enricher function is passed only the request object but it doesn't contain any user information since the user is not logged in.

I propose passing all known information to the token_enricher function and letting the user decide exactly what's included in the token. For example:

payload_enricher = getattr(settings, 'JWT_PAYLOAD_ENRICHER', None)
if payload_enricher:
    fn = import_string(payload_enricher)
    enriched_data = fn(
        request=request,
        token_content=content,
        token_obj=token,
        current_claims=extra_data)

    if getattr(settings, 'JWT_PAYLOAD_ENRICHER_OVERWRITE', False):
        extra_data = enriched_data
    else:
        extra_data.update(enriched_data)

This would allow for user functions that look more like this:

# myproject/myapp/jwt_utils.py

def payload_enricher(**kwargs):
    # Keyword Args: request, token_content, token_obj, current_claims

    # The Django HTTPRequest object
    request = kwargs.pop('request', None)

    # Dictionary of the content of the Oauth response. Includes values like
    # access_token, expires_in, token_type, refresh_token, scope
    content = kwargs.pop('token_content', None)

    # The oauth2_provider access token (by default:
    # oauth2_provider.models.AccessToken)
    token = kwargs.pop('token_obj', None)

    # The automatically generated claims. This usually includes your
    # JWT_ID_ATTRIBUTE and scope. This can be useful if you want to use
    # JWT_PAYLOAD_ENRICHER_OVERWRITE mode.
    current_claims = kwargs.pop('current_claims', None)

    # Values returned here must be serializable by json.dumps
    return {
        'sub': token.user.pk,
        'preferred_username': token.user.username,
        ...
    }

This implementation "works for me" but it may break backward compatibility with existing enrichment functions that accept a single named parameter (this should be fixed in the future by updating the documentation to accept **kwargs as in the above example).

I've opened a pull request (#30) if this is something others would find value in.
com4 added a commit to com4/django-oauth-toolkit-jwt that referenced this issue Dec 23, 2020
@com4
Add additional parameters to jwt enrichment call
68da956 
- Adds Oauth token `content`, oauth2_provider's `token_obj` model, and
  django-oauth-toolkit-jwt's `current_claims` as parameters to
  `JWT_PAYLOAD_ENRICHER`. This will give the user more control over the
  data that is included in their JWT
- Add `JWT_PAYLOAD_ENRICHER_OVERWRITE` setting (default is
  False). Setting this to true will allow the user total control over
  the claims included.

Fixes humanitec#29
com4 added a commit to com4/django-oauth-toolkit-jwt that referenced this issue Dec 23, 2020
@com4
Add additional parameters to jwt enrichment call
2ef8352 
- Adds Oauth token `content`, oauth2_provider's `token_obj` model, and
  django-oauth-toolkit-jwt's `current_claims` as parameters to
  `JWT_PAYLOAD_ENRICHER`. This will give the user more control over the
  data that is included in their JWT
- Add `JWT_PAYLOAD_ENRICHER_OVERWRITE` setting (default is
  False). Setting this to true will allow the user total control over
  the claims included.

Fixes humanitec#29
@com4 com4 linked a pull request Dec 23, 2020 that will close this issue
Open
com4 added a commit to com4/django-oauth-toolkit-jwt that referenced this issue Jan 8, 2021
@com4
Add additional parameters to jwt enrichment call
ab46e22 
- Adds Oauth token `content`, oauth2_provider's `token_obj` model, and
  django-oauth-toolkit-jwt's `current_claims` as parameters to
  `JWT_PAYLOAD_ENRICHER`. This will give the user more control over the
  data that is included in their JWT
- Add `JWT_PAYLOAD_ENRICHER_OVERWRITE` setting (default is
  False). Setting this to true will allow the user total control over
  the claims included.

Fixes humanitec#29
com4 added a commit to com4/django-oauth-toolkit-jwt that referenced this issue Jan 8, 2021
@com4
Add additional parameters to jwt enrichment call
31d682b 
- Adds Oauth token `content`, oauth2_provider's `token_obj` model, and
  django-oauth-toolkit-jwt's `current_claims` as parameters to
  `JWT_PAYLOAD_ENRICHER`. This will give the user more control over the
  data that is included in their JWT
- Add `JWT_PAYLOAD_ENRICHER_OVERWRITE` setting (default is
  False). Setting this to true will allow the user total control over
  the claims included.

Fixes humanitec#29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
1 participant
@com4