Hello,
I would like to know if there is a solution to add verification for more than one audience in the VerifyJWT policy?
I have this tag in the VerifyJWT policy:
<Audience ref="flow.ap.audience"/> and I want to know if the KVM flow.ap.audience could hold more than one audience separated by a comma or semicolon; I tried both but it didn't work.
I even tried to add another <Audience> tag with another audience, but same result, it didn't work.
So I would like to know if any solution exists for this case?
Regards,
VerifyJWT will check for ONE audience, in the set of audiences in the JWT.
If you have multiple audiences that you want to check for, then a good way to do that would be to introduce a subsequent check implemented in JavaScript.
That logic would check the context variable that VerifyJWT sets to hold the actual audience in the payload. Per the documentation, the name of the variable will be
jwt.POLICYNAME.decoded.claim.audience
...where POLICYNAME is the name of your VerifyJWT policy.
So to check an audience in a JavaScript step, you want something like this:

<Javascript name='JS-VerifyAudience'>
  <Source>
    // Audience claim as set by the VerifyJWT policy named VerifyJWT-1
    // (variable name as given above). With several audiences in the token
    // this is a JSON array string; with a single audience it can be a bare
    // string, so accept both forms.
    var raw = context.getVariable('jwt.VerifyJWT-1.decoded.claim.audience');
    var assertedAudiences;
    try {
      assertedAudiences = JSON.parse(raw);
    } catch (e) {
      assertedAudiences = raw;
    }
    if (Object.prototype.toString.call(assertedAudiences) !== '[object Array]') {
      assertedAudiences = [assertedAudiences];
    }
    // Every required audience must be present in the token's aud claim.
    var requiredAudiences = ['Audience1', 'Audience2'];
    var allFound = requiredAudiences.every(function(aud) {
      return assertedAudiences.indexOf(aud) >= 0;
    });
    if (!allFound) {
      // Throwing raises a fault and stops the flow.
      throw new Error('missing audience');
    }
  </Source>
</Javascript>
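The check described in the answer above, factored into plain functions so it can be run under Node.js. This is an added example, not code from the answer's author or from Apigee; the function names normalizeAudience, parseAllowedList and checkAudiences are this example's own, and the sample inputs are constructed stand-ins for the jwt.POLICYNAME.decoded.claim.audience flow variable and the KVM value from the question. It goes slightly beyond the answer by also supporting an "any of these audiences" rule, which is what a comma-separated KVM list usually means, and by handling the single-string form of the aud claim.

```javascript
// Added example (not the original post's code). Inside an Apigee Javascript
// policy the same functions would be fed
// context.getVariable('jwt.<POLICYNAME>.decoded.claim.audience') and the KVM
// value. The check assumes VerifyJWT has already accepted signature, issuer
// and expiry; it only adds the multi-audience rule on top, never replaces it.

// The aud claim may arrive as a bare string (single audience) or as a
// JSON-encoded array string (several audiences). Return a string array.
function normalizeAudience(raw) {
  if (raw === null || raw === undefined || raw === '') return [];
  if (Array.isArray(raw)) return raw.map(String);
  var text = String(raw).trim();
  if (text.charAt(0) === '[') {
    try {
      var parsed = JSON.parse(text);
      if (Array.isArray(parsed)) return parsed.map(String);
    } catch (e) {
      // fall through: treat an unparsable value as a single audience
    }
  }
  return [text];
}

// A KVM entry such as "api-a, api-b;api-c" becomes ['api-a', 'api-b', 'api-c'].
function parseAllowedList(kvmValue) {
  return String(kvmValue || '')
    .split(/[,;]/)
    .map(function (s) { return s.trim(); })
    .filter(function (s) { return s.length > 0; });
}

// mode 'all': every entry in `wanted` must be present in the token (the
// rule from the answer above). mode 'any': the token must carry at least
// one of the `wanted` audiences (the usual "tokens for either of my APIs"
// rule). Comparison is exact and case-sensitive, as RFC 7519 requires.
// An empty allow-list is a misconfiguration and is rejected rather than
// silently accepting every token.
function checkAudiences(claimValue, wanted, mode) {
  var asserted = normalizeAudience(claimValue);
  if (wanted.length === 0) {
    return { ok: false, reason: 'no audience configured', asserted: asserted, matched: [] };
  }
  var matched = wanted.filter(function (a) { return asserted.indexOf(a) >= 0; });
  var ok = mode === 'any' ? matched.length > 0 : matched.length === wanted.length;
  return {
    ok: ok,
    reason: ok ? 'ok' : 'missing audience',
    asserted: asserted,
    matched: matched
  };
}

// Constructed sample inputs standing in for the flow variable and KVM value.
var sampleMultiAud = '["Audience1","Audience2"]';
var sampleSingleAud = 'Audience1';
var sampleKvm = 'Audience1, Audience2';

if (typeof require !== 'undefined' && require.main === module) {
  var allowed = parseAllowedList(sampleKvm);
  console.log(checkAudiences(sampleMultiAud, allowed, 'all').ok);  // true
  console.log(checkAudiences(sampleSingleAud, allowed, 'all').ok); // false
  console.log(checkAudiences(sampleSingleAud, allowed, 'any').ok); // true
}
```

In the proxy flow the Javascript step has to sit after the VerifyJWT step, and on a failed check it should throw (or set a variable that a RaiseFault step reacts to) so the request never reaches the target; a check that only logs gives no protection.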