Checking Multiple Audience in VerifyJWT policy

Hello,

I would like to know if there is a solution to add verification for more than one audience in the VerifyJWT policy?

I have this tag in the VerifyJWT policy:

<Audience ref="flow.ap.audience"/> and I want to know if the KVM flow.ap.audience could have more than one audience separated by a comma or semicolon. I tried both but it didn't work.

I even tried to add another <Audience> tag with another audience, but same result: it didn't work.

So I would like to know if any solution exists for this case?

Regards,

ACCEPTED SOLUTION

VerifyJWT will check for ONE audience, in the set of audiences in the JWT.

If you have multiple audiences that you want to check for, then a good way to do that would be to introduce a subsequent check implemented in Javascript.

That logic would check the context variable that VerifyJWT sets to hold the actual audience in the payload. Per the documentation, the name of the variable will be

jwt.POLICYNAME.decoded.claim.audience

...where POLICYNAME is the name of your VerifyJWT policy.

So to check an audience in a JavaScript step, you want something like this:

<Javascript name='JS-VerifyAudience'>
  <Source>
// Audience values as VerifyJWT-1 exposed them in the flow variable: a JSON
// array string when the token carries several audiences, a bare string when
// it carries only one (JSON.parse would throw on the bare string).
var rawAudience = context.getVariable('jwt.VerifyJWT-1.decoded.claim.aud');
var assertedAudiences = [];
if (rawAudience) {
  assertedAudiences = (rawAudience.charAt(0) === '[') ? JSON.parse(rawAudience) : [rawAudience];
}

// Every required audience must appear in the token's audience set.
var requiredAudiences = ['Audience1', 'Audience2'];
var allFound = requiredAudiences.every(function(aud) {
  return assertedAudiences.indexOf(aud) >= 0;
});

// Throwing from the script raises a policy fault and stops the flow.
if (!allFound) {
  throw new Error('missing audience');
}
  </Source>
</Javascript>
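As an added example (my code, not part of the answer above and not Apigee's own), here is the same audience check made robust to both shapes the aud claim can take, with a second mode that accepts a token naming any one of several allowed audiences, which is what the question actually asks for. It assumes Apigee exposes an array claim as a JSON array string and a single-valued claim as a bare string, reuses the thread's names VerifyJWT-1 and flow.ap.audience, and stubs the gateway's context object so it runs under Node.js; the hypothetical output variable audience.check.ok is mine. The functions are ES5 so they can be pasted into a Javascript policy, which runs on Rhino.

```javascript
// Added example, not from the thread or from Apigee: robust audience check
// in the style of the accepted answer, runnable under Node.js via a stub
// `context`. ES5 only so it also works inside an Apigee Javascript policy.

// Normalise the raw flow-variable value of the aud claim to an array.
// Assumption: an array claim arrives as a JSON array string ('["a","b"]'),
// a single-valued claim as a bare string ('a'), an absent claim as null.
function parseAudience(raw) {
  if (raw === null || raw === undefined || raw === '') {
    return [];
  }
  if (Array.isArray(raw)) {
    return raw.map(String);
  }
  var text = String(raw).trim();
  if (text.charAt(0) !== '[') {
    return [text]; // single audience: JSON.parse would throw on this
  }
  var parsed;
  try {
    parsed = JSON.parse(text);
  } catch (e) {
    return []; // malformed array: treat as carrying no audience at all
  }
  return Array.isArray(parsed) ? parsed.map(String) : [];
}

// Strict mode from the answer: every audience in `required` must be present.
// An empty `required` list fails closed instead of accepting every token.
function hasAllAudiences(asserted, required) {
  return required.length > 0 && required.every(function (aud) {
    return asserted.indexOf(aud) >= 0;
  });
}

// Usual gateway mode: the token must name at least one audience this proxy
// identifies itself by (any of `allowed`); empty `allowed` rejects.
function hasAnyAudience(asserted, allowed) {
  return allowed.some(function (aud) {
    return asserted.indexOf(aud) >= 0;
  });
}

// Split a KVM-style list such as "Audience1, Audience2" (comma or
// semicolon separated, as the question tried) into clean values.
function parseAllowedList(raw) {
  return String(raw || '').split(/[,;]/).map(function (s) {
    return s.trim();
  }).filter(function (s) { return s.length > 0; });
}

// Policy body that would sit inside <Source>. `context` is Apigee's object in
// production; `mode` is 'any' (default) or 'all'. Variable names are the
// thread's: VerifyJWT-1 and flow.ap.audience. audience.check.ok is mine.
function checkAudiencePolicy(context, mode) {
  var asserted = parseAudience(context.getVariable('jwt.VerifyJWT-1.decoded.claim.aud'));
  var allowed = parseAllowedList(context.getVariable('flow.ap.audience'));
  var ok = (mode === 'all') ? hasAllAudiences(asserted, allowed)
                            : hasAnyAudience(asserted, allowed);
  // Record the outcome for later policies and for inspection in Trace.
  context.setVariable('audience.check.ok', ok ? 'true' : 'false');
  if (!ok) {
    throw new Error('missing audience'); // raises a fault, stops the flow
  }
  return true;
}

// Constructed stand-in for Apigee's `context`, only for running this outside
// the gateway. Flow variables live in a plain object passed in by the caller.
function makeContext(vars) {
  return {
    getVariable: function (name) {
      return Object.prototype.hasOwnProperty.call(vars, name) ? vars[name] : null;
    },
    setVariable: function (name, value) {
      vars[name] = value;
    }
  };
}
```

Inside the gateway you would keep only parseAudience, the two predicates, parseAllowedList and the body of checkAudiencePolicy; makeContext exists purely so the logic can be exercised locally before deployment. Note that "any" mode matches how audiences are meant to be consumed (a recipient checks for its own identifier in the list), while "all" mode reproduces the stricter check in the answer.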
