allow wildcard in token issuer verification
parent
2a01d3550c
commit
9742e90bb5
|
@ -142,40 +142,44 @@ function Util:get_public_key(keyId)
|
||||||
end
|
end
|
||||||
|
|
||||||
--- Verifies issuer part of token
|
--- Verifies issuer part of token
|
||||||
-- @param 'iss' claim from the token to verify
|
-- @param 'issClaim' claim from the token to verify
|
||||||
-- @param 'acceptedIssuers' list of issuers to check
|
-- @param 'acceptedIssuers' list of issuers to check
|
||||||
-- @return nil and error string or true for accepted claim
|
-- @return nil and error string or true for accepted claim
|
||||||
function Util:verify_issuer(issClaim, acceptedIssuers)
|
function Util:verify_issuer(issClaim, acceptedIssuers)
|
||||||
if not acceptedIssuers then
|
if not acceptedIssuers then
|
||||||
acceptedIssuers = self.acceptedIssuers
|
acceptedIssuers = self.acceptedIssuers
|
||||||
end
|
end
|
||||||
module:log("debug","verify_issuer claim: %s against accepted: %s",issClaim, acceptedIssuers);
|
module:log("debug", "verify_issuer claim: %s against accepted: %s", issClaim, acceptedIssuers);
|
||||||
for i, iss in ipairs(acceptedIssuers) do
|
for i, iss in ipairs(acceptedIssuers) do
|
||||||
|
if iss == '*' then
|
||||||
|
-- "*" indicates to accept any issuer in the claims so return success
|
||||||
|
return true;
|
||||||
|
end
|
||||||
if issClaim == iss then
|
if issClaim == iss then
|
||||||
--claim matches an accepted issuer so return success
|
-- claim matches an accepted issuer so return success
|
||||||
return true;
|
return true;
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
--if issClaim not found in acceptedIssuers, fail claim
|
-- if issClaim not found in acceptedIssuers, fail claim
|
||||||
return nil, "Invalid issuer ('iss' claim)";
|
return nil, "Invalid issuer ('iss' claim)";
|
||||||
end
|
end
|
||||||
|
|
||||||
--- Verifies audience part of token
|
--- Verifies audience part of token
|
||||||
-- @param 'aud' claim from the token to verify
|
-- @param 'audClaim' claim from the token to verify
|
||||||
-- @return nil and error string or true for accepted claim
|
-- @return nil and error string or true for accepted claim
|
||||||
function Util:verify_audience(audClaim)
|
function Util:verify_audience(audClaim)
|
||||||
module:log("debug","verify_audience claim: %s against accepted: %s",audClaim, self.acceptedAudiences);
|
module:log("debug", "verify_audience claim: %s against accepted: %s", audClaim, self.acceptedAudiences);
|
||||||
for i, aud in ipairs(self.acceptedAudiences) do
|
for i, aud in ipairs(self.acceptedAudiences) do
|
||||||
if aud == '*' then
|
if aud == '*' then
|
||||||
--* indicates to accept any audience in the claims so return success
|
-- "*" indicates to accept any audience in the claims so return success
|
||||||
return true;
|
return true;
|
||||||
end
|
end
|
||||||
if audClaim == aud then
|
if audClaim == aud then
|
||||||
--claim matches an accepted audience so return success
|
-- claim matches an accepted audience so return success
|
||||||
return true;
|
return true;
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
--if issClaim not found in acceptedIssuers, fail claim
|
-- if audClaim not found in acceptedAudiences, fail claim
|
||||||
return nil, "Invalid audience ('aud' claim)";
|
return nil, "Invalid audience ('aud' claim)";
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
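Review bot: The new `if iss == '*' then` branch in verify_issuer returns true before issClaim is examined, so once "*" appears anywhere in acceptedIssuers a token with no `iss` claim at all (issClaim == nil) is accepted like any other. If the wildcard is meant to relax which issuer is allowed rather than whether one must be present, tighten it to `if iss == '*' and issClaim ~= nil then`. The docstring should state this on the parameter, e.g. `-- @param 'acceptedIssuers' list of issuers to check; a "*" entry accepts any issuer`. verify_audience already honours "*" the same way, so a deployment that sets both wildcards is presumably left with the signature (and whatever other checks live outside this hunk) as the only gate; a warn-level log when a wildcard is configured would make that visible to operators. The loop index `i` is unused in both loops and could be `_`.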