
Match on JWTAuthUserClaim as constraint property

Open alangibson-philips opened this issue 4 years ago • 2 comments

Expected Behavior

I should be able to create a condition to select for the value of the JWTAuthUserClaim in the provided JWT. For example, given a JWT provided in the Authorization header and a JWTAuthUserClaim setting of 'sub', I should be able to create a condition like sub == [email protected].

Current Behavior

Not sure if this is even supported as I can't find a reference in the docs.

Possible Solution

Always provide the value of JWTAuthUserClaim as a property, and the value of JWTAuthUserClaim in the JWT as a value, for constraints.

Context

I request /api/v1/evaluation and supply in the Authorization header a JWT where sub is equal to [email protected]. I would like to be able to create a condition where I can match on that specific user, hopefully by creating a condition like sub == [email protected]

Your Environment

Self hosted. Flagr version is 1.1.4.

alangibson-philips avatar Apr 02 '20 14:04 alangibson-philips

Hi @alangibson-philips I think this is more like authorization than the JWT authentication to flagr.

Currently we don't have authorization implemented in flagr; it only verifies whether the JWT token is issued with the signing secrets or not. Every company does the authorization a little bit differently. I think for your case, for example, you can only issue your token to the users if sub == [email protected] with a unique secret that can be used by flagr.

To solve authorization in flagr, I think if I have time, I may want to implement the oidc/sso type of login in the future.

zhouzhuojie avatar Apr 07 '20 17:04 zhouzhuojie

Hi @zhouzhuojie. All I'm really trying to accomplish is, for example, enable a feature flag for the user where sub == [email protected] and disable it for everyone else. We're already doing login and JWT token issuing ourselves in another service.

In order to do this though, we need to be able to create a condition that includes an expression including sub. Is sub (or whatever you have set in JWTAuthUserClaim) not available in condition expressions?

alangibson-philips avatar Apr 08 '20 06:04 alangibson-philips
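One way to get the behaviour requested in this thread without any change to Flagr, shown as an added example (not code from the thread or from the Flagr project): a trusted backend verifies the JWT itself and copies the verified claim into the `entityContext` of the evaluation request, which is what Flagr constraints match on. It assumes HS256 tokens and the `flagKey`, `entityID` and `entityContext` fields of the evaluation request body; the function names, secret and flag key are hypothetical.

```python
import base64, hashlib, hmac, json, time

def _b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(claims, secret, alg="HS256"):
    """Constructed sample issuer, standing in for the separate login service."""
    head = _b64e(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(sig)}"

def verified_claims(token, secret, now=None):
    """Return the claims of an HS256 JWT; raise ValueError if it cannot be trusted."""
    try:
        head, body, sig = token.split(".")
        header, signature = json.loads(_b64d(head)), _b64d(sig)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm so a header saying "none" or another alg is refused.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    claims = json.loads(_b64d(body))
    if not isinstance(claims, dict):
        raise ValueError("claims must be an object")
    current = time.time() if now is None else now
    if "exp" in claims and claims["exp"] <= current:
        raise ValueError("token expired")
    return claims

def build_eval_request(token, secret, flag_key, user_claim="sub", client_context=None, now=None):
    """Body for POST /api/v1/evaluation with the verified claim as a property."""
    claims = verified_claims(token, secret, now)
    if user_claim not in claims:
        raise ValueError(f"token has no {user_claim!r} claim")
    context = dict(client_context or {})
    # The verified value always wins over a caller-supplied property of the same name.
    context[user_claim] = claims[user_claim]
    return {"flagKey": flag_key, "entityID": str(claims[user_claim]), "entityContext": context}
```

A constraint on the property `sub` then matches only values taken from a token whose signature was checked, provided clients cannot reach the evaluation endpoint directly with their own `entityContext`.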

Stale issue message

github-actions[bot] avatar Aug 26 '22 21:08 github-actions[bot]