Expose roles and username claims via js_var from auth-access

conf/auth-access.conf

@@ -1,3 +1,7 @@
+# These variables are set by the auth-access handler.
+js_var $oidc_jwt_claim_roles;
+js_var $oidc_jwt_claim_username;
+
 auth_request /-/internal/auth-access;
 auth_request_set $auth_cookie $sent_http_set_cookie;
 auth_request_set $auth_error $sent_http_x_error;

src/handlers/auth-access.ts

@@ -1,7 +1,7 @@
-import type { RequestHandler } from '..'
+import type { Context, RequestHandler } from '..'
 import { authorizeAccess, isAnonymousAllowed } from '../access'
 import { Cookie, Session } from '../constants'
-import { decodeAndValidateIdToken } from '../jwt'
+import { IdToken, decodeAndValidateIdToken } from '../jwt'
 import { refreshTokens } from '../oauth'
 
 
@@ -18,6 +18,7 @@ export const auth_access: RequestHandler = async (ctx) => {
       vars[Session.IdToken] = undefined
     })
     if (idToken) {
+      exposeClaims(ctx, idToken)
       return authorizeAccess(ctx, idToken, conf)
     }
   }
@@ -27,6 +28,7 @@ export const auth_access: RequestHandler = async (ctx) => {
     log.info?.(`authorize: refreshing token for user ${getCookie(Cookie.Username)}`)
     const { idToken } = await refreshTokens(ctx, refreshToken)
 
+    exposeClaims(ctx, idToken)
     return authorizeAccess(ctx, idToken, conf)
   }
 
@@ -41,3 +43,17 @@ export const auth_access: RequestHandler = async (ctx) => {
     })
   }
 }
+
+function exposeClaims ({ vars }: Context, idToken: IdToken): void {
+  // The following variables must be initialised using `js_var` to be set. If
+  // the variable is not initialised at all, the if condition is false.
+  if ('oidc_jwt_claims' in vars) {
+    vars.oidc_jwt_claims = JSON.stringify(idToken)
+  }
+  if ('oidc_jwt_claim_roles' in vars) {
+    vars.oidc_jwt_claim_roles = idToken.roles.join(' ')
+  }
+  if ('oidc_jwt_claim_username' in vars) {
+    vars.oidc_jwt_claim_username = idToken.username
+  }
+}