AuxData for filling Principal.roles? #1576
Hi, My IdP is Keycloak and the realm roles are within the JWT below
Right now I am extracting the roles like this:
I would like to use Any suggestions?
Replies: 1 comment 1 reply
If I understand your question correctly, you want the Cerbos SDK to give you back the parsed JWT claims? I am afraid that's not possible because the JWT parsing happens at the server side. You'll have to parse the token yourself if you want to access the claims on the client side.

You can access the JWT claims directly from Cerbos policy rules so if you only have a handful of roles, you could create Cerbos derived roles that are activated based on the value of the `realm_access` claim and use those instead. Because Cerbos expects every principal to have a role, just send a dummy value for the role in your request. The real roles are then derived from the JWT.

```yaml
---
apiVersion: "api.cerbos.dev/v1"
derivedRoles:
  name: realm_roles
  definitions:
    - name: owner
      parentRoles: ["user"] # You can mark all your principals as having this dummy role
      condition:
        match:
          expr: |-
            "owner" in request.aux_data.jwt.realm_access
```
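
Added example (not from the thread and not Cerbos SDK code): the client-side half of the approach in the reply, in Python. It reads `realm_access` from the token without verifying the signature, for display only, and forwards the raw token in `auxData.jwt.token` with the dummy role so the server-side derived roles make the decision. The token, principal and resource values are constructed, and the `{"roles": [...]}` claim shape is an assumption (Keycloak's default), since the JWT is not shown on the page.

```python
import base64
import json

DUMMY_ROLE = "user"  # assumption: same dummy role as parentRoles in the policy above

def decode_claims_unverified(token):
    """Return the JWT payload WITHOUT checking the signature (display use only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        raise ValueError("payload is not base64url-encoded JSON") from exc
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims

def realm_roles(claims):
    """Roles from realm_access, accepting {"roles": [...]} or a flat list."""
    value = claims.get("realm_access", [])
    if isinstance(value, dict):
        value = value.get("roles", [])
    return [r for r in value if isinstance(r, str)] if isinstance(value, list) else []

def build_check_request(token, principal_id, kind, resource_id, actions):
    """Check-resources body: dummy role, raw token forwarded as aux data."""
    return {
        "principal": {"id": principal_id, "roles": [DUMMY_ROLE]},
        "resources": [{"actions": list(actions),
                       "resource": {"kind": kind, "id": resource_id}}],
        "auxData": {"jwt": {"token": token}},
    }

def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample token with a fake signature; not a real Keycloak token.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"sub": "alice", "realm_access": {"roles": ["owner", "offline_access"]}}),
    "constructed-signature",
])

if __name__ == "__main__":
    claims = decode_claims_unverified(SAMPLE_TOKEN)
    print("roles for display only:", realm_roles(claims))
    print(json.dumps(build_check_request(SAMPLE_TOKEN, claims["sub"], "document", "doc1", ["view"])))
```

The roles returned by `realm_roles` are never sent as `principal.roles`; only the dummy role and the unmodified token leave the client.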