To preface, this is probably a feature request and likely a non-trivial one, but I thought I'd figure out if it's actually a reasonable request.
I would like to use the auth plugin to issue roles based on a call to my backend service or some other shared crud-y resource that caddy can read and my app can update. I want to be able to edit authorized users on the fly and apply roles/custom claims without having to edit the Caddyfile.
I'm guessing this is outside of scope for this project, but wondering what your thoughts are on a feature like this.
Edit: On further reading of other issues, I see I'm not the first person to bring this up. I also see #16 which is related to my request. Here's what I'm imagining an auth flow might look like:
User authenticates with some OAuth2 provider
caddy-auth sends JWT to endpoint specified
Endpoint responds with json listing roles/claims for that user
caddy-auth assigns roles/claims to token and forwards downstream
My understanding is you want to have a "hook" into an "entitlement" system that would have role (or other info) info. Is that correct?
The idea would be that one could have Google, Microsoft, Github, etc. ... however, there will be some other system that would provide the "roles" to the users authenticated with public OAuth services.
My understanding is you want to have a "hook" into an "entitlement" system that would have role (or other info) info. Is that correct?
Right, exactly. This way there can be a dynamic list of roles/claims that can be applied per-user without caddy or this plugin having to expose an api or durable storage mechanism for that.
What would that endpoint be?
Just a https GET endpoint specified in the config that accepts the jwt retrieved for the user (and probably a secret shared-key in the header that the endpoint can validate) that returns json of the roles and/or claims for that user. Like:
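The endpoint sketched in the two messages above (JWT in, shared key in a header, JSON roles out), written out as an added Go example that is not part of this thread or of the caddy-auth project. It assumes the token handed to the hook is an HS256 JWT signed with a key the endpoint also holds, a hypothetical `X-Hook-Key` header for the shared secret, and an in-memory map standing in for the backend store the app would update; the key values and user records are constructed placeholders.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// Constructed placeholder secrets; a real deployment loads these from config.
var (
	jwtSigningKey = []byte("constructed-hs256-signing-key")
	hookSharedKey = "constructed-hook-shared-key"
)

// entitlements stands in for the "shared crud-y resource" the app edits on the fly.
var entitlements = map[string][]string{
	"alice@example.com": {"admin", "editor"},
	"bob@example.com":   {"viewer"},
}

type claims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

// verifyHS256 checks the compact JWT's HS256 signature and expiry and returns
// its subject. Only HS256 is accepted, so an "alg":"none" token is rejected.
func verifyHS256(token string, key []byte, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "HS256" {
		return "", errors.New("unsupported or malformed header")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return "", errors.New("bad signature")
	}
	pb, err := base64.RawURLEncoding.DecodeString(parts[1])
	var c claims
	if err != nil || json.Unmarshal(pb, &c) != nil {
		return "", errors.New("malformed payload")
	}
	if c.Exp == 0 || now.Unix() >= c.Exp {
		return "", errors.New("token expired")
	}
	if c.Sub == "" {
		return "", errors.New("missing subject")
	}
	return c.Sub, nil
}

// mintHS256 builds a signed test token; the auth portal would normally supply it.
func mintHS256(sub string, exp time.Time, key []byte) string {
	enc := base64.RawURLEncoding.EncodeToString
	header := enc([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload, _ := json.Marshal(claims{Sub: sub, Exp: exp.Unix()})
	signingInput := header + "." + enc(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + enc(mac.Sum(nil))
}

// rolesFor is the lookup performed once both the caller and the token are trusted.
func rolesFor(sub string) []string {
	if r, ok := entitlements[sub]; ok {
		return r
	}
	return []string{}
}

// entitlementHandler is the hook: GET only, shared key checked in constant time,
// JWT verified by signature and expiry, then roles for the subject returned as JSON.
func entitlementHandler(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodGet {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	if !hmac.Equal([]byte(r.Header.Get("X-Hook-Key")), []byte(hookSharedKey)) {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	auth := r.Header.Get("Authorization")
	if !strings.HasPrefix(auth, "Bearer ") {
		http.Error(w, "missing bearer token", http.StatusUnauthorized)
		return
	}
	sub, err := verifyHS256(strings.TrimPrefix(auth, "Bearer "), jwtSigningKey, time.Now())
	if err != nil {
		http.Error(w, "invalid token", http.StatusUnauthorized)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(map[string]interface{}{"sub": sub, "roles": rolesFor(sub)})
}

// callHook drives the handler in-process (no network) and returns status plus roles.
func callHook(sharedKey, token string) (int, []string) {
	req := httptest.NewRequest(http.MethodGet, "/entitlements", nil)
	req.Header.Set("X-Hook-Key", sharedKey)
	req.Header.Set("Authorization", "Bearer "+token)
	rec := httptest.NewRecorder()
	entitlementHandler(rec, req)
	var body struct {
		Roles []string `json:"roles"`
	}
	_ = json.Unmarshal(rec.Body.Bytes(), &body)
	return rec.Code, body.Roles
}

func main() {
	token := mintHS256("alice@example.com", time.Now().Add(time.Hour), jwtSigningKey)
	code, roles := callHook(hookSharedKey, token)
	fmt.Printf("status=%d roles=%v\n", code, roles)
	// To serve it for real: http.Handle("/entitlements", http.HandlerFunc(entitlementHandler))
	// followed by http.ListenAndServe behind TLS.
}
```

The point of doing the signature and expiry check inside the endpoint, rather than reading `sub` out of the token as-is, is that the shared header key only proves the request came from the plugin; it says nothing about whether the token is genuine or still valid. Tokens issued by a public OAuth provider are usually RS256 and would be verified against the provider's published keys instead of a shared HMAC key, but the shape of the check is the same.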