On 22/08/2022 14:32 EEST Felix Auringer felix.auringer@giz.berlin wrote:
On 8/22/22 10:14, Aki Tuomi wrote:
Hi!
You need to export them in passdb. You can do
userdb_some_field=%{oauth2:some_field}

That is exactly what I have been looking for, thank you! Is it also possible to extract arrays and objects from the token with this syntax? For example, I tried to save
allowed-origins
which is a list of strings but the field in the userdb was empty (but present). However, the field was processed according to the logs.
Currently the support is very limited. You can extract strings and numbers from a flat object.
Furthermore, it seems that only keys that have a string or an array value are processed, so it may not even be possible to extract a parent object. For a structure like this:
{
  "azp": "roundcube-test",
  "realm_access": { "roles": [...] },
  "resource_access": {
    "realm-management": { "roles": [...] },
    "account": { "roles": [...] }
  }
}
the log only shows:
auth: Debug: oauth2(...): Processing field azp
auth: Debug: oauth2(...): Processing field roles
auth: Debug: oauth2(...): Processing field roles
auth: Debug: oauth2(...): Processing field roles
It also doesn't work to extract the whole token with
userdb_token=%{oauth2:access_token}
(this syntax however works for proxy authentication). Otherwise, I could just save the whole token in the user database.
You should be able to extract the whole access token like that, although I didn't say in my previous mail that the %{oauth2:} is valid only within the oauth2 passdb currently.
Additionally, the user's token is available as %w / %{password} on all passdbs. The best way I can think of right now is to use Lua passdb for complex token handling.
Is there some syntax I did not find in the documentation that would enable me to extract either the whole token or a whole JSON object / array?
Best regards, Felix
Aki
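
Added example, not part of the original thread and not Dovecot code: the kind of claim flattening a Lua passdb or external script would have to do to turn nested values such as the roles arrays into flat userdb-style fields. It is written in Python for illustration and assumes the token was already validated by the oauth2 passdb (the signature is not checked here); the function names, the userdb_ naming scheme and the sample role and origin values are assumptions.

```python
import base64
import json
import re

def decode_jwt_payload(token):
    """Return the claims of a compact JWT. Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    body = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(body))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims

def _scalar(value):
    # Strings stay as they are; everything else uses its JSON spelling.
    text = value if isinstance(value, str) else json.dumps(value)
    if re.search(r"[\x00-\x1f\x7f]", text):
        # Token content is untrusted: refuse tabs, newlines and other controls.
        raise ValueError("control character in claim value")
    return text

def flatten_claims(value, prefix="userdb", out=None):
    """Turn nested claims into flat name -> string pairs; lists are comma-joined."""
    out = {} if out is None else out
    if isinstance(value, dict):
        for key, child in value.items():
            safe = re.sub(r"[^A-Za-z0-9]", "_", key)  # e.g. allowed-origins
            flatten_claims(child, prefix + "_" + safe, out)
    elif isinstance(value, list):
        out[prefix] = ",".join(_scalar(v) for v in value if v is not None)
    elif value is not None:
        out[prefix] = _scalar(value)
    return out

def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample: same shape as the token in the thread, values made up.
SAMPLE_CLAIMS = {
    "azp": "roundcube-test",
    "allowed-origins": ["https://mail.example.org"],
    "realm_access": {"roles": ["offline_access"]},
    "resource_access": {"account": {"roles": ["manage-account", "view-profile"]}},
}
SAMPLE_TOKEN = ".".join([_b64url({"alg": "none"}), _b64url(SAMPLE_CLAIMS), "sig"])

if __name__ == "__main__":
    for name, text in flatten_claims(decode_jwt_payload(SAMPLE_TOKEN)).items():
        print(f"{name}={text}")
```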