
Validating groups claim #90

Open
mipnw opened this issue Aug 15, 2022 · 7 comments
Labels
waiting-response Waiting on collaborator to respond to follow-on discussion

Comments

@mipnw

mipnw commented Aug 15, 2022

Hi,

I cannot find an API in this library for validating a groups claim.

https://developer.okta.com/docs/guides/customize-tokens-groups-claim/main/ documents how to return "groups" scopes.

An application that wants to authorize requests based on user's group membership must request access to the "groups" scope, and upon receiving the access token, confirm the user is a member of a given group.

E.g. "authorizing users who are members of Group2"

The application configures the scopes to request "groups":

config := oauth2.Config{
   Scopes:       []string{"openid", "groups"},
   ...
}

Upon completion of an authorization code flow, it has an access token that looks something like

"aud": "api://default",
"cid": "<CLIENT_ID>",
"groups": [
    "Group1",
    "Group3",
    "Everyone"
  ]

It validates that access token using this library's JwtVerifier.VerifyAccessToken()
We still need an API to confirm existence of "Group2" in the groups. In this example the access token does not have that, the user is member of other groups, and authorization would fail.

@marmold

marmold commented Oct 17, 2022

If I am not mistaken, this package does not provide a way to validate such a claim out of the box (can someone more experienced than me confirm that?). I think the only way to provide such validation is to add a new function, for example validateScp or validateGroup, that will add such ability.

Maybe a way to go is to add some mechanism to let one define a function in some struct that will perform the logic for a custom claim?

@marmold

marmold commented Oct 17, 2022

I made a simple change, what I had in mind, for test purposes: https://github.com/Powa458/okta-jwt-verifier-golang/releases/tag/v1.0.1

@bretterer @monde Can we add similar functionality or at least expand current check in access token for optional scp and group claims?

@towens

towens commented May 19, 2023

The scope is accessible from the JWT.

Building upon https://github.com/okta/okta-jwt-verifier-golang#access-token-validation


jwt, err := jv.New().VerifyAccessToken(oktaToken)
if err != nil {
        return err // signature/issuer/audience checks failed; do not read claims from a nil jwt
}

// get the scope
iface := jwt.Claims["scp"]
str := fmt.Sprintf("%v", iface)
scope := strings.Trim(str, "[]") // just one scope here, alter as necessary.

if scope != SOME_SCOPE {
        err = errors.New("invalid scope")
}

return err
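One way to implement the check requested in the opening post (membership of a specific group) together with the scope check in the snippet just above, written as an added example in Go that is not part of okta-jwt-verifier-golang nor of any commenter's code. It operates on the map[string]interface{} that VerifyAccessToken returns in jwt.Claims, so it assumes the signature, issuer, audience, client ID and expiry have already been verified by the library; sampleClaims is a constructed copy of the token quoted in the issue, and ErrForbidden, RequireGroup and RequireScopes are hypothetical names chosen for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed sample: the claims of the access token quoted in the issue,
// in the shape encoding/json (and hence the verifier's jwt.Claims) produces.
// Not a real Okta token.
var sampleClaims = map[string]interface{}{
	"aud":    "api://default",
	"cid":    "<CLIENT_ID>",
	"groups": []interface{}{"Group1", "Group3", "Everyone"},
	"scp":    []interface{}{"openid", "groups"},
}

// ErrForbidden (hypothetical name) is returned when a verified token does
// not carry the group or scope the caller requires.
var ErrForbidden = errors.New("forbidden: required claim value not present")

// stringSliceClaim extracts a JSON array-of-strings claim. A missing claim
// yields nil (the caller then denies); a claim of the wrong JSON shape is
// reported as an error rather than silently treated as empty.
func stringSliceClaim(claims map[string]interface{}, name string) ([]string, error) {
	raw, present := claims[name]
	if !present {
		return nil, nil
	}
	items, ok := raw.([]interface{})
	if !ok {
		return nil, fmt.Errorf("claim %q is not a JSON array", name)
	}
	out := make([]string, 0, len(items))
	for _, item := range items {
		s, ok := item.(string)
		if !ok {
			return nil, fmt.Errorf("claim %q contains a non-string element %v", name, item)
		}
		out = append(out, s)
	}
	return out, nil
}

// RequireGroup returns nil only when "groups" contains group (exact,
// case-sensitive match). Call it on claims that VerifyAccessToken has
// already returned: it does not check signature, iss, aud, cid or exp.
func RequireGroup(claims map[string]interface{}, group string) error {
	groups, err := stringSliceClaim(claims, "groups")
	if err != nil {
		return err
	}
	for _, g := range groups {
		if g == group {
			return nil
		}
	}
	return fmt.Errorf("%w: group %q", ErrForbidden, group)
}

// RequireScopes returns nil only when every required scope appears in "scp".
func RequireScopes(claims map[string]interface{}, required ...string) error {
	granted, err := stringSliceClaim(claims, "scp")
	if err != nil {
		return err
	}
	have := make(map[string]struct{}, len(granted))
	for _, s := range granted {
		have[s] = struct{}{}
	}
	for _, want := range required {
		if _, ok := have[want]; !ok {
			return fmt.Errorf("%w: scope %q", ErrForbidden, want)
		}
	}
	return nil
}

func main() {
	// The issue's scenario: the user is in Group1/Group3/Everyone, while the
	// application authorizes only members of Group2.
	if err := RequireGroup(sampleClaims, "Group2"); err != nil {
		fmt.Println("denied:", err)
	}
	if err := RequireGroup(sampleClaims, "Group3"); err == nil {
		fmt.Println("allowed: member of Group3")
	}
	if err := RequireScopes(sampleClaims, "openid", "groups"); err == nil {
		fmt.Println("allowed: scp covers openid and groups")
	}
}
```

Two details matter in practice: an absent "groups" claim is denied rather than treated as "no restriction", and a claim that is not a JSON array of strings is rejected as malformed instead of being coerced with fmt.Sprintf, so a token whose groups claim is a single string never matches by accident.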

@monde
Collaborator

monde commented Jun 6, 2023

@Powa458 does @towens example perform the action you are looking for?

@monde monde added the waiting-response Waiting on collaborator to respond to follow-on discussion label Jun 6, 2023
@Sovietaced

Sovietaced commented Nov 21, 2023

Just worked through this myself.

groups := []string{}
groupIntfSlice, ok := jwt.Claims["groups"].([]interface{})
if !ok {
    // log
} else {
    for _, groupIntf := range groupIntfSlice {
        group, ok := groupIntf.(string)
        if !ok {
            // log
            continue
        }
        groups = append(groups, group)
    }
}

// your validation here

@dbellinghoven

I ended up deciding to write my own Golang Okta JWT verifier library that's similar to this one (but with a slightly different interface) which will support this kind of validation (link). Using my library you can achieve the same behavior as VerifyAccessToken but also validate the groups claim in the manner you described at the same time.

import (
    "context"

    verifier "github.com/dbellinghoven/okta-jwt-verifier"
)

func main() {
    ctx := context.Background()
    v := verifier.New("https://issuer.com")

    token, err := v.ParseAndVerify(
        ctx,
        "${JWT}",
        v.WithIssuerRule(),
        verifier.WithAudienceRule("api://default"),
        verifier.WithClientIDRule("<CLIENT_ID>"),
        verifier.WithCustomClaimContainsRule("groups", []string{"Group2"}),
    )
    // ...
}

@towens

towens commented Oct 15, 2024

I would recommend the following vs. writing your own pkg.
https://github.com/golang-jwt/jwt
Combined with below depending on your needs.
https://github.com/MicahParks/keyfunc
