Feature: add custom id claim (#667)

This feature allows using the custom claim in the JWT token as a user ID. Refactor claims extractor with options support Add is_current to the user API response
2026-04-18 08:16:39 +00:00 · 2023-02-04 00:47:20 +04:00
parent 494e56d1be
commit 3ec8274b8e
32 changed files with 474 additions and 305 deletions
--- a/management/server/http/middleware/access_control.go
+++ b/management/server/http/middleware/access_control.go
@@ -1,9 +1,10 @@
 package middleware

 import (
+	"net/http"
+
 	"github.com/netbirdio/netbird/management/server/http/util"
 	"github.com/netbirdio/netbird/management/server/status"
-	"net/http"

 	"github.com/netbirdio/netbird/management/server/jwtclaims"
 )
@@ -12,17 +13,18 @@ type IsUserAdminFunc func(claims jwtclaims.AuthorizationClaims) (bool, error)

 // AccessControl middleware to restrict to make POST/PUT/DELETE requests by admin only
 type AccessControl struct {
-	jwtExtractor jwtclaims.ClaimsExtractor
-	isUserAdmin  IsUserAdminFunc
-	audience     string
+	isUserAdmin   IsUserAdminFunc
+	claimsExtract jwtclaims.ClaimsExtractor
 }

 // NewAccessControl instance constructor
-func NewAccessControl(audience string, isUserAdmin IsUserAdminFunc) *AccessControl {
+func NewAccessControl(audience, userIDClaim string, isUserAdmin IsUserAdminFunc) *AccessControl {
 	return &AccessControl{
-		isUserAdmin:  isUserAdmin,
-		audience:     audience,
-		jwtExtractor: *jwtclaims.NewClaimsExtractor(nil),
+		isUserAdmin: isUserAdmin,
+		claimsExtract: *jwtclaims.NewClaimsExtractor(
+			jwtclaims.WithAudience(audience),
+			jwtclaims.WithUserIDClaim(userIDClaim),
+		),
 	}
 }

@@ -30,9 +32,9 @@ func NewAccessControl(audience string, isUserAdmin IsUserAdminFunc) *AccessContr
 // It also adds
 func (a *AccessControl) Handler(h http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		jwtClaims := a.jwtExtractor.ExtractClaimsFromRequestContext(r, a.audience)
+		claims := a.claimsExtract.FromRequestContext(r)

-		ok, err := a.isUserAdmin(jwtClaims)
+		ok, err := a.isUserAdmin(claims)
 		if err != nil {
 			util.WriteError(status.Errorf(status.Unauthorized, "invalid JWT"), w)
 			return
@@ -40,7 +42,6 @@ func (a *AccessControl) Handler(h http.Handler) http.Handler {

 		if !ok {
 			switch r.Method {
-
 			case http.MethodDelete, http.MethodPost, http.MethodPatch, http.MethodPut:
 				util.WriteError(status.Errorf(status.PermissionDenied, "only admin can perform this operation"), w)
 				return
--- a/management/server/http/middleware/handler.go
+++ b/management/server/http/middleware/handler.go
@@ -10,10 +10,11 @@ import (
 	"encoding/pem"
 	"errors"
 	"fmt"
-	"github.com/golang-jwt/jwt"
-	log "github.com/sirupsen/logrus"
 	"math/big"
 	"net/http"
+
+	"github.com/golang-jwt/jwt"
+	log "github.com/sirupsen/logrus"
 )

 // Jwks is a collection of JSONWebKey obtained from Config.HttpServerConfig.AuthKeysLocation
@@ -33,7 +34,6 @@ type JSONWebKey struct {

 // NewJwtMiddleware creates new middleware to verify the JWT token sent via Authorization header
 func NewJwtMiddleware(issuer string, audience string, keysLocation string) (*JWTMiddleware, error) {
-
 	keys, err := getPemKeys(keysLocation)
 	if err != nil {
 		return nil, err
@@ -67,13 +67,12 @@ func NewJwtMiddleware(issuer string, audience string, keysLocation string) (*JWT

 func getPemKeys(keysLocation string) (*Jwks, error) {
 	resp, err := http.Get(keysLocation)
-
 	if err != nil {
 		return nil, err
 	}
 	defer resp.Body.Close()

-	var jwks = &Jwks{}
+	jwks := &Jwks{}
 	err = json.NewDecoder(resp.Body).Decode(jwks)
 	if err != nil {
 		return jwks, err