New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
On richer custom claim values #2641
Comments
I temporarily tweaked claim value regexp check and the resulting token reads:
which is indeed not what expected. May be we could have "json" join type which collects custom claims to object-like token claim? Still, I leave the issue for at least discussion purpose. |
Okay, after reviewing the oauth2 rfc, oauth2 token introspection rfc and openid connect specification, none of them apply restrictions to the claim values. This means we are free to expand this. However, I do want to continue to be conservative for the moment in what we allow in claim values, as I could forsee low-quality client applications being vulnerable to issues if we were to allow full character sets in the values. For now I think we expand this a little, and allow future changes potentially. Small steps. |
@dvv What changes to the claim value regex are you considering? |
I would like to test the following cases:
UPD: so I think the procedure is: i) interpolate the value; ii) check if resulting value parses as a JSON object? yes -> stuff it in the claims as object; no -> stuff it as string. TIA |
I'd support adding a "JSON" claim type, and only accept it if it's valid JSON object on the way in. That should constrain issues, at least. |
When I say "interpolation" I mean lazy one.
|
Runtime interpolation/templating of claims gets into a huge space for security and other bugs, that's something likely to be FAR in the future unless someone provides a very well thought out design and implementation. |
I'd limit templating to definitely safe |
I'm not adding templating, so don't get ahead of yourself. For now I'll allow the current rules around string OR valid json up to a maximum size. But I need time to implement it, which I am eternally short on. |
Hi!
I'm exploring the ability to generate tokens with richer custom claims.
Say, I would like for app to define sub's access to a mercure hub:
Today it's not possible to collect object-like claims. And if I go with
kanidm system oauth2 update-claim-map app claim group '{"x":"y"}'
the value is rejected due to OAUTHSCOPE_RE regex applied to the claim value.First, I wonder if it's worth for rules on claim values to be relaxed?
Second, will it be possible to introduce kinda basic template expansion for claim values so that the following worked:
TIA
The text was updated successfully, but these errors were encountered: