
Support catalogue restriction through nested claims #497

Open
@nicolst

Description


Currently access to service catalogues can only be restricted based on root claims in the JWT. In some cases it would be useful to restrict access based on some nested property in the token.

E.g. we have a custom claim:

{
  "custom": {
    "custom2": {
      "someList": [ "a", "b" ]
    }
  }
}

And we would like to restrict access to a catalogue based on the presence of an item in custom.someList (this could be a list of access groups a user is in, for example).

Of course, periods are valid characters in a map key, so some thought will have to be given to how this is handled. In addition, arbitrary amounts of nesting should be supported, and it should not break existing configurations of Onyxia. Perhaps something similar to this could work:

"restrictions": [
  {
    "userAttribute": {
      "subAttribute": ["custom", "custom2"],
      "key": "someList",
      "matches": "b"
    }
  }
]

where subAttribute is an ordered list of attributes to traverse through in the JWT. Another way could be to use some nested object,

"restrictions": [
  {
    "nestedUserAttribute": {
      "key": "custom",
      "nestedUserAttribute": {
        "key": "custom2",
        "userAttribute": {
          "key": "someList",
          "matches": "b"
        }
      }
    }
  }
]

These are of course just suggestions off the top of my head, there are probably much better ways of solving it 😀
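As an added illustration (not Onyxia's code), the following evaluates the first proposed shape, `userAttribute` with an ordered `subAttribute` list, against a decoded JWT claims dict. It assumes that every restriction in the list must be satisfied, that a list-valued claim matches when it contains the expected value, and that a missing claim denies access; an absent `subAttribute` degrades to today's root-claim behaviour, which is what keeps existing configurations working.

```python
from typing import Any

# Constructed sample of decoded JWT claims, shaped like the issue's example,
# plus a key that contains a period to show why a path list beats "a.b.c".
CLAIMS = {
    "sub": "user-123",
    "custom": {"custom2": {"someList": ["a", "b"]}},
    "dotted.key": {"someList": ["c"]},
}

# Restriction in the shape proposed above (assumed config, not Onyxia's schema).
RESTRICTIONS = [
    {"userAttribute": {"subAttribute": ["custom", "custom2"],
                       "key": "someList", "matches": "b"}}
]


def resolve(claims: dict, path: list[str]) -> Any:
    """Walk an ordered list of keys; keys may themselves contain periods."""
    node: Any = claims
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None  # absent or non-object intermediate: no value
        node = node[key]
    return node


def matches(value: Any, expected: str) -> bool:
    """List claims match on membership; scalar claims must be equal."""
    if isinstance(value, list):
        return expected in value
    return value == expected


def allowed(claims: dict, restrictions: list[dict]) -> bool:
    """Deny unless every restriction resolves to a matching claim value."""
    for r in restrictions:
        attr = r["userAttribute"]
        # No subAttribute -> path is just the root key (existing behaviour).
        path = list(attr.get("subAttribute", [])) + [attr["key"]]
        if not matches(resolve(claims, path), attr["matches"]):
            return False
    return True
```

Note that `resolve` returns `None` for a missing intermediate rather than raising, so a malformed or truncated token fails closed instead of crashing the check.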
