authorization: add ability to set additional variables that are set by the jwt token (#3)

* authorization: add ability to set additional variables that are set by the jwt token

Author: BojanZelic

README.md

@@ -25,7 +25,7 @@ sudo cp haproxy-cloudflare-jwt-validator/src/* /usr/local/share/lua/5.3
 
 # Version
 
-0.1.0
+0.2.0
 
 # Usage
 

example/haproxy/haproxy.cfg

@@ -35,6 +35,7 @@ backend http-backend
   http-request set-var(txn.audience) str("1234567890abcde1234567890abcde1234567890abcde")
   http-request lua.jwtverify
   http-request deny unless { var(txn.authorized) -m bool }
+  http-request set-header custom-groups %[var(txn.http___schemas_groups)]
   server debug_http_listener debug_http_listener:80 check
 
 backend cloudflare_jwt

example/jwt_test.sh

@@ -30,7 +30,14 @@ CLAIM='{
   "exp": 3993204858,
   "type": "app",
   "identity_nonce": "11111111111",
-  "custom": {}
+  "custom": {
+    "http://schemas/groups": [
+      "application_admin",
+      "application_group1",
+      "application_group2",
+      "application_group3"
+    ]
+  }
 }'
 
 while ! nc -z localhost 8080; do

src/jwtverify.lua

@@ -278,6 +278,20 @@ function jwtverify(txn)
         goto out
     end
 
+    -- 7. Add custom values from payload to variable
+    if token.payloaddecoded.custom ~= nil then
+        for name, payload in pairs(token.payloaddecoded.custom) do
+            local clean_name = name:gsub("%W","_")
+            local clean_value = payload
+            if (type(payload) == 'table') then
+                clean_value = table.concat(payload, ',')
+            end
+
+            txn.set_var(txn, "txn."..clean_name, clean_value)
+            log_debug("txn."..clean_name.." is defined from payload")
+        end
+    end
+
     -- 8. Set authorized variable
     log_debug("req.authorized = true")
     txn.set_var(txn, "txn.authorized", true)