%%%----------------------------------------------------------------------
check_jwt_token(User, Server, Token) ->
JWK = ejabberd_option:jwt_key(Server),
+ JidField = ejabberd_option:jwt_jid_field(Server),
try jose_jwt:verify(JWK, Token) of
{true, {jose_jwt, Fields}, Signature} ->
?DEBUG("jwt verify: ~p - ~p~n", [Fields, Signature]),
Now = erlang:system_time(second),
if
Exp > Now ->
- case maps:find(<<"jid">>, Fields) of
+ case maps:find(JidField, Fields) of
error ->
false;
{ok, SJID} ->
false
end.
-%% TODO: auth0 username is defined in 'jid' field, but we should
-%% allow customizing the name of the field containing the username
-%% to adapt to custom claims.
-export([hosts/0]).
-export([include_config_file/0, include_config_file/1]).
-export([jwt_auth_only_rule/0, jwt_auth_only_rule/1]).
+-export([jwt_jid_field/0, jwt_jid_field/1]).
-export([jwt_key/0, jwt_key/1]).
-export([language/0, language/1]).
-export([ldap_backups/0, ldap_backups/1]).
jwt_auth_only_rule(Host) ->
ejabberd_config:get_option({jwt_auth_only_rule, Host}).
+-spec jwt_jid_field() -> binary().
+jwt_jid_field() ->
+ jwt_jid_field(global).
+-spec jwt_jid_field(global | binary()) -> binary().
+jwt_jid_field(Host) ->
+ ejabberd_config:get_option({jwt_jid_field, Host}).
+
-spec jwt_key() -> jose_jwk:key() | 'undefined'.
jwt_key() ->
jwt_key(global).
econf:fail({read_file, Reason, Path})
end
end);
+opt_type(jwt_jid_field) ->
+ econf:binary();
opt_type(jwt_auth_only_rule) ->
econf:atom().
{websocket_ping_interval, timer:seconds(60)},
{websocket_timeout, timer:minutes(5)},
{jwt_key, undefined},
+ {jwt_jid_field, <<"jid">>},
{jwt_auth_only_rule, none}].
-spec globals() -> [atom()].
projects / ejabberd / commitdiff