Escaping authorization claims

[ad8lmondy]

Hello,

I've got an id_token like this:

{
  "sub": "auth0|634a06d5eabbfc3d62e6021c",
  "nickname": "xyz.abc",
  "name": "xyz.abc@company.com",
  "updated_at": "2022-11-03T02:48:42.343Z",
  "email": "xyz.abc@company.com",
  "email_verified": false,
  "https://company.com/roles": [],
  "https://company.com/productAccess": [
    "snake2",
    "snake2ref",
    "fxt"
  ],
  "iss": "https://comp-dev.au.auth0.com/",
  "aud": "1QomogghHl85sRyfjgaiOFvoOVodISWmr",
  "iat": 1667433828,
  "exp": 1667474328,
  "sid": "Swz_rXJO8nTOJWKDtFW8SNdWdceYi5",
  "nonce": "N_7HweD3JH3lO8Av8jt81SDSDEWM1EvzFKCCwGldg"
}

and I tried to do a Require claim as such:

    <Location /prodaccess>
       AuthType openid-connect
       Require claim "https://company.com/productAccess":snake2
    </Location>

but it doesn't seem to work. I've attached the logs for it as a file:
debug.log

For the claim, I have tried:

• "https://company.com/productAccess":snake2
• https://company.com/productAccess:snake2
• https\://company\.com/productAccess:snake2

And so far, no luck.

Having a look in the code, perhaps here: https://github.com/zmartzone/mod_auth_openidc/blob/5533e5edf5d879404ce98f2e60fcc71a270d5b68/src/authz.c#L215 it looks like the colon in http:// is not helping things, and perhaps the . will cause issues too.

When I try the same code, but changing the id_token to have company/productAccess, with the same list values, I am able to get the Require claim company/productAccess:snake2 to work.

If my guess of the issue is correct, is there a way to escape the key values from the id_token?

My versions of things:

• Apache 2.4.54-1~deb11u1 on Bullseye
• libapache2-mod-auth-openidc_2.4.12-1.bullseye+1_amd64

[ad8lmondy]

Just to add some context of why our id_token has a full URL as a key: https://auth0.com/docs/secure/tokens/json-web-tokens/create-custom-claims#namespaced-guidelines - that's what Auth0 recommends.

[zandbelt]

Require claim https://company.com/productAccess:snake2

should just work, see also 1302054

can you try and send the debug log for that?

[ad8lmondy]

Uh... looks like you're correct - it does work!
I'm sure I tested it before, but I must have had something else wrong.

Thanks, and sorry for the time taken!