diff --git a/conf/auth-access.conf b/conf/auth-access.conf
index 8879457..2111d59 100644
--- a/conf/auth-access.conf
+++ b/conf/auth-access.conf
@@ -1,3 +1,7 @@
+# These variables are set by the auth-access handler.
+js_var $oidc_jwt_claim_roles;
+js_var $oidc_jwt_claim_username;
+
 auth_request /-/internal/auth-access;
 auth_request_set $auth_cookie $sent_http_set_cookie;
 auth_request_set $auth_error $sent_http_x_error;
diff --git a/src/handlers/auth-access.ts b/src/handlers/auth-access.ts
index 9a55e1b..49f6e23 100644
--- a/src/handlers/auth-access.ts
+++ b/src/handlers/auth-access.ts
@@ -1,7 +1,7 @@
-import type { RequestHandler } from '..'
+import type { Context, RequestHandler } from '..'
 import { authorizeAccess, isAnonymousAllowed } from '../access'
 import { Cookie, Session } from '../constants'
-import { decodeAndValidateIdToken } from '../jwt'
+import { IdToken, decodeAndValidateIdToken } from '../jwt'
 import { refreshTokens } from '../oauth'
@@ -18,6 +18,7 @@ export const auth_access: RequestHandler = async (ctx) => {
       vars[Session.IdToken] = undefined
     })
     if (idToken) {
+      exposeClaims(ctx, idToken)
       return authorizeAccess(ctx, idToken, conf)
     }
   }
@@ -27,6 +28,7 @@ export const auth_access: RequestHandler = async (ctx) => {
     log.info?.(`authorize: refreshing token for user ${getCookie(Cookie.Username)}`)
     const { idToken } = await refreshTokens(ctx, refreshToken)
+    exposeClaims(ctx, idToken)
     return authorizeAccess(ctx, idToken, conf)
   }
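Review bot: The comment above the new `js_var` lines says the variables are set by the handler but not that each one is opt-in, nor that the handler also honours a third variable, `$oidc_jwt_claims`, which receives the whole ID token as JSON and is not declared here. Because these values are the kind that end up in `proxy_set_header` lines for an upstream, the config comment should state what each one carries; for example `# Optional: any of these js_var variables that is declared is populated by the auth-access handler. $oidc_jwt_claims carries the full ID token as JSON, so declare it only if an upstream needs every claim.` That undeclared variables are simply skipped is inferred from the handler's own comment in `src/handlers/auth-access.ts`, not from anything visible in this file.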
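Review bot: `exposeClaims(ctx, idToken)` runs before `authorizeAccess` in this hunk and again in the `@@ -27,6 +28,7 @@` refresh hunk, so the `oidc_jwt_claim_*` variables are populated even when the access decision that follows is a denial. Under `auth_request` a non-2xx subrequest status ends the client request before any `proxy_set_header` would consume them, so this is presumably harmless, but the ordering is an implicit invariant and deserves a comment on the first call, e.g. `// Claims are exported before the access decision; on denial auth_request fails closed and the variables are never consumed.` If `authorizeAccess` can ever answer 2xx for a user it does not admit (its body is not visible here), the exported claims would reach the upstream, so confirm that contract. The enclosing `auth_access` function starts and ends outside both hunks.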
@@ -41,3 +43,17 @@ export const auth_access: RequestHandler = async (ctx) => {
   })
   }
 }
+
+function exposeClaims ({ vars }: Context, idToken: IdToken): void {
+  // The following variables must be initialised using `js_var` to be set. If
+  // the variable is not initialised at all, the if condition is false.
+  if ('oidc_jwt_claims' in vars) {
+    vars.oidc_jwt_claims = JSON.stringify(idToken)
+  }
+  if ('oidc_jwt_claim_roles' in vars) {
+    vars.oidc_jwt_claim_roles = idToken.roles.join(' ')
+  }
+  if ('oidc_jwt_claim_username' in vars) {
+    vars.oidc_jwt_claim_username = idToken.username
+  }
+}
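Review bot: `idToken.roles.join(' ')` throws a TypeError when `roles` is missing from the token, and that would presumably surface as a failed auth subrequest after the token has already been validated; whether `IdToken` declares `roles` as required is not visible in this hunk, so if it is optional write `vars.oidc_jwt_claim_roles = (idToken.roles ?? []).join(' ')`. The existing comment explains the `js_var` mechanism but not the contract, so a TSDoc header on `exposeClaims` saying that each `$oidc_jwt_claim_*` variable is filled only when declared with `js_var`, and that `$oidc_jwt_claims` exposes every claim of the ID token as JSON, would help whoever writes the nginx configuration. Note that `oidc_jwt_claims` is not declared in the accompanying `conf/auth-access.conf` change, so it stays unset unless a deployment adds it.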