support external jwt claims to be passed downstream
ojafri committed Jun 10, 2019
1 parent 0687d9a commit d232ce5
Showing 2 changed files with 16 additions and 1 deletion.
2 changes: 2 additions & 0 deletions extauth/README.md
Expand Up @@ -48,6 +48,8 @@ extauth:
exp: true # can be true or false, but defaults to true; use true to check for the expiry time and send an error if the token is expired.
sendErr: true # can be either true or false, but defaults to true; set this to false if you want the extauth plugin to send an error if the JWT is invalid.
keepAuthHeader: false # can be true or false; default is false; set this to true if you want to pass the Authorization header to the backend.
extauth-claims-header: "header to be added with base64 encoded string of claims from authorization bearer jwt payload. Example value: x-extauth-claims" # default null for backward compatibility. When present, jwt payload claims are extracted and added as a request header of this name
extauth-exclude-claims: "array of claims to be excluded from extauth-claims-header" # used only when `extauth-claims-header` is set. Example value: ['application_name', 'client_id', 'api_product_list', 'iat', 'exp']
```
## Enable the plugin
15 changes: 14 additions & 1 deletion extauth/index.js
Expand Up @@ -3,6 +3,7 @@
*
*/

var _ = require('lodash');
var debug = require('debug')('plugin:extauth');
var request = require('request');
var rs = require('jsrsasign');
Expand All @@ -28,7 +29,11 @@ module.exports.init = function(config, logger, stats) {
var sendErr = config.hasOwnProperty("sendErr") ? config.sendErr : true;
//preserve or delete the auth header
var keepAuthHeader = config.hasOwnProperty('keep-authorization-header') ? config['keep-authorization-header'] : false;

//extracts jwt claims from header authorization bearer jwt and adds them in a new header x-extauth-claims (default null for backward compatibility)
var extauthClaimsHeader = config.hasOwnProperty('extauth-claims-header') ? config['extauth-claims-header'] : null;
//sensitive claims to be omitted from extauth claims header, if enabled
var PRIVATE_JWT_VALUES = config.hasOwnProperty('extauth-exclude-claims') ? config['extauth-exclude-claims'] : ['application_name', 'client_id', 'api_product_list', 'iat', 'exp'];

if (iss) {
debug("Issuer " + iss);
acceptField.iss = [];
Expand Down Expand Up @@ -107,6 +112,10 @@ module.exports.init = function(config, logger, stats) {
debug("key type is PEM");
isValid = validateJWT(publickeys, jwtpayload[1], exp);
if (isValid) {
if(extauthClaimsHeader) {
var authClaims = _.omit(jwtdecode.payloadObj, PRIVATE_JWT_VALUES);
req.headers[extauthClaimsHeader] = new Buffer(JSON.stringify(authClaims)).toString('base64');
}
if (!keepAuthHeader) {
delete(req.headers['authorization']);
}
Expand Down Expand Up @@ -145,6 +154,10 @@ module.exports.init = function(config, logger, stats) {
isValid = validateJWT(pem, jwtpayload[1], exp);
if (isValid) {
debug("JWT is valid");
if(extauthClaimsHeader) {
var authClaims = _.omit(jwtdecode.payloadObj, PRIVATE_JWT_VALUES);
req.headers[extauthClaimsHeader] = new Buffer(JSON.stringify(authClaims)).toString('base64');
}
if (!keepAuthHeader) {
delete(req.headers['authorization']);
}
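Review bot: The configured claims header is written only inside the `if (isValid)` branches of the second and third hunks, so a value the client already sends under that same header name is never removed and, on any path that does not reach those branches, would be forwarded to the backend as though the plugin had produced it; the request handler (which starts outside these hunks) should drop it before any validation with `if (extauthClaimsHeader) { delete req.headers[extauthClaimsHeader.toLowerCase()]; }`, using the lower-cased name because Node lower-cases incoming header keys. The same four lines are duplicated verbatim in both hunks, so a single helper inside `init` would keep the two key-type paths from drifting. `new Buffer(...)` is deprecated in favour of `Buffer.from(...)`, which also removes the constructor's ambiguity between a size and a string argument. `PRIVATE_JWT_VALUES` is a config-derived value rather than a constant, and it is worth a comment that a user-supplied `extauth-exclude-claims` replaces the default list rather than extending it, since an operator who adds one claim name silently re-exposes `iat`, `exp` and the rest.
```javascript
// … unchanged: config parsing up to PRIVATE_JWT_VALUES …
// Adds the downstream claims header from an already-validated JWT payload;
// sensitive claims listed in PRIVATE_JWT_VALUES are omitted first.
function setClaimsHeader(req, payloadObj) {
  if (!extauthClaimsHeader) return;
  var authClaims = _.omit(payloadObj, PRIVATE_JWT_VALUES);
  req.headers[extauthClaimsHeader] = Buffer.from(JSON.stringify(authClaims)).toString('base64');
}
// … unchanged: key lookup and validateJWT (both PEM and JWK paths) …
if (isValid) {
  setClaimsHeader(req, jwtdecode.payloadObj);
  // … unchanged: keepAuthHeader handling …
```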
