AuxData for filling Principal.roles?

[bbodensieck]

Hi,
I am currently playing around with auxData coming from a JWT accessToken.

My IdP is Keycloak and the realm roles are within the JWT below realm_access

...
realm_access: {
  roles: ["user", "admin"]
}
...

Right now I am extracting the roles like this:

Map<String, Object> realmAccess = jwt.getClaimAsMap("realm_access");
        List<String> roles = (List<String>) realmAccess.get("roles");

I would like to use AuxData.withJWT(jwt.getTokenValue()) to extract the roles and to build the Principal object, but I do not know how.

Any suggestions?

[charithe]

If I understand your question correctly, you want the Cerbos SDK to give you back the parsed JWT claims? I am afraid that's not possible because the JWT parsing happens at the server side. You'll have to parse the token yourself if you want to access the claims on the client side.

You can access the JWT claims directly from Cerbos policy rules so if you only have a handful of roles, you could create Cerbos derived roles that are activated based on the value of the realm_access claim and use those instead.

Because Cerbos expects every principal to have a role, just send a dummy value for the role in your request. The real roles are then derived from the JWT.

---
apiVersion: "api.cerbos.dev/v1"
derivedRoles:
  name: realm_roles
  definitions:
    - name: owner 
      parentRoles: ["user"] # You can mark all your principals as having this dummy role 
      condition:
        match:
          expr: |-
            "owner" in request.aux_data.jwt.realm_access

[bbodensieck]

I just added .roles to the expression you suggested and it works.

---
apiVersion: "api.cerbos.dev/v1"
derivedRoles:
  name: realm_roles
  definitions:
    - name: owner
      parentRoles: ["user"]
      condition:
        match:
          expr: |-
            "owner" in request.aux_data.jwt.realm_access.roles

Thank you so much 👍