
Extending JWT claims validation to support other claims

Open hubodz opened this issue 10 months ago • 4 comments

Based on the source, I understand only a limited number of JWT claims can be validated. Trying to validate other claims results in the error unknown_checks. I would like to ask for introducing validation of any provided claim.

In my case, I use an SSO of a huge Organisation, where many users can define their own applications/clients (signed with same SSO key). Without validating aud, anyone could create another application with roles that my CouchDB instance accepts.

Desired Behaviour

When provided a config like the one below, the claim aud should be verified: both that it exists and that it matches the provided my-application value.

required_claims = exp, {aud, "my-application"}

I believe it's worth allowing such a validation for any custom claim (only to check existence and value matching, if provided).

Possible Solution

I believe the source should not limit the check only to the claims specified in line 45. There could be a function providing a "general" claim check, no matter what the claim is exactly.

hubodz, Jan 29 '25 11:01

Hm, I think a pull request to add aud specifically would be fine (and should be fairly easy). Not sure bespoke checks are a good idea.

rnewson, Feb 03 '25 21:02

Hey, thanks for your answer. Can you tell me more about why the bespoke checks would be a bad idea (as long as it's a simple string comparison)?

hubodz, Feb 06 '25 12:02

I wouldn't want to add something to CouchDB with potential security risks or introduce any deliberate incompatibility with the JWT spec. Allowing bespoke checks might be safe, but not allowing them definitely is.

rnewson, Feb 10 '25 14:02

I agree that aud is a good addition; just make sure it can be a string or an array of strings, as described in RFC 7519, for both the value that is being checked and the value that is configured, i.e., also allow these audiences, not only this one.

lazedo, May 31 '25 09:05
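The aud check the thread converges on, written as an added example in Python rather than CouchDB's Erlang (this is not the project's code): a claim listed without a value only has to exist, and for aud both the token's claim and the configured value may be a string or an array of strings as RFC 7519 section 4.1.3 allows, with a match meaning at least one configured audience appears in the token. The function names, the dict-shaped config and the sample token are assumptions; the check runs on an already signature-verified token.

```python
import base64
import json


def _as_list(value):
    """RFC 7519 4.1.3: aud is one StringOrURI or an array of them."""
    if isinstance(value, str):
        return [value]
    if isinstance(value, list) and all(isinstance(v, str) for v in value):
        return value
    raise ValueError("aud must be a string or an array of strings")


def check_required_claims(claims, required):
    """required maps claim name -> None (must only exist) or an expected value.

    For 'aud' the expected value may itself be a string or a list of accepted
    audiences (assumed config shape); any other claim is compared for equality.
    Returns (ok, reason) so a caller can log why a token was rejected.
    """
    for name, expected in required.items():
        if name not in claims:
            return False, f"missing required claim: {name}"
        if expected is None:
            continue
        if name == "aud":
            token_auds = set(_as_list(claims["aud"]))
            if not token_auds.intersection(_as_list(expected)):
                return False, "aud mismatch"
        elif claims[name] != expected:
            return False, f"{name} mismatch"
    return True, "ok"


def payload_claims(token):
    """Decode the claims set of a compact JWS (header.payload.signature).
    Signature verification is assumed to have already passed upstream."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample token with an array-valued aud; the signature segment is a
# placeholder because signing is not what this example demonstrates.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"exp": 1900000000, "aud": ["my-application", "billing"]}),
    "placeholder-signature",
])
```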