Description
Is your feature request related to a problem? Please describe.
The default configuration of e.g. Keycloak represents user roles in the claim realm_access under the nested object roles:
```json
"realm_access": {
  "roles": [
    "default-roles-aasx-server",
    "offline_access",
    "uma_authorization",
    "<custom-role-i-set-for-a-user>"
  ]
}
```
If I understand the current spec correctly, claim values are expected to be single string values that can then be compared to expected values. Hence, I am not able to define an access rule that checks for the <custom-role-i-set-for-a-user> value to be present in the roles array of the realm_access claim.
Describe the solution you'd like
I would like the spec to be extended to support nested and multivalued claim structures. For the example above, I specifically would like to be able to define an access rule that checks for the <custom-role-i-set-for-a-user> value to be present in the roles array of the realm_access claim.
Accessing a "nested" claim value could be achieved by supporting .-notation, e.g. realm_access.roles, a pattern I have seen implemented in some places.
Checking multi-valued claims would probably require an additional selector, e.g. $arrayContains.
As a result, the desired ACL might look as follows:
```json
{
  "ACL": {
    "ATTRIBUTES": [
      {
        "CLAIM": "token:realm_access_roles"
      }
    ],
    "RIGHTS": [
      "*"
    ],
    "ACCESS": "ALLOW"
  },
  "OBJECTS": [
    {
      "ROUTE": "*"
    }
  ],
  "FORMULA": {
    "$arrayContains": [
      {
        "$attribute": {
          "CLAIM": "token:realm_access_roles"
        }
      },
      {
        "$strVal": "<custom-role-i-expect-for-a-user>"
      }
    ]
  }
}
```
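To make the proposal concrete, below is a small Python evaluator written for this issue as an added illustration; it is not code from the aasx-server project or from the issue author, and the claim path syntax (`token:` prefix plus the dotted `realm_access.roles` form suggested above), the `$attribute`/`$strVal`/`$arrayContains` node shapes and the sample role names are all assumptions. It resolves a dotted claim path against decoded token claims, evaluates the `$arrayContains` formula, and denies access when the claim is missing, is not an array, or the rule has no formula, so a malformed or unexpected token never grants access by accident.

```python
"""Hypothetical evaluator for nested / multi-valued claim checks in an ACL formula.

Not the project's implementation: the path syntax and formula node names are
assumptions made for this example."""

# Constructed sample of decoded token claims in Keycloak's default layout
# (values are made up for the example; this is not a real token).
SAMPLE_CLAIMS = {
    "sub": "example-user-id",
    "realm_access": {
        "roles": [
            "default-roles-aasx-server",
            "offline_access",
            "uma_authorization",
            "aas-reader",  # the custom role the rule below expects
        ]
    },
}

# Constructed ACL rule using the dotted path form proposed in the issue text.
SAMPLE_RULE = {
    "ACL": {
        "ATTRIBUTES": [{"CLAIM": "token:realm_access.roles"}],
        "RIGHTS": ["*"],
        "ACCESS": "ALLOW",
    },
    "OBJECTS": [{"ROUTE": "*"}],
    "FORMULA": {
        "$arrayContains": [
            {"$attribute": {"CLAIM": "token:realm_access.roles"}},
            {"$strVal": "aas-reader"},
        ]
    },
}


def resolve_claim(claims, path):
    """Walk a dotted path such as 'realm_access.roles' through the claims.

    Returns None if any segment is absent or an intermediate value is not an
    object, so an unexpected token shape yields 'no value' instead of raising.
    """
    value = claims
    for segment in path.split("."):
        if not isinstance(value, dict) or segment not in value:
            return None
        value = value[segment]
    return value


def eval_formula(node, claims):
    """Evaluate a minimal formula AST: $strVal literals, $attribute lookups
    from the token, and $arrayContains over those (assumed node names)."""
    if "$strVal" in node:
        return node["$strVal"]
    if "$attribute" in node:
        ref = node["$attribute"]["CLAIM"]
        if not ref.startswith("token:"):
            raise ValueError("only token: attributes are supported here")
        return resolve_claim(claims, ref[len("token:"):])
    if "$arrayContains" in node:
        haystack_node, needle_node = node["$arrayContains"]
        haystack = eval_formula(haystack_node, claims)
        needle = eval_formula(needle_node, claims)
        # Only a genuine array counts: a missing claim or a scalar string must
        # not match (a plain 'in' on a string would do substring matching).
        if not isinstance(haystack, list):
            return False
        return needle in haystack
    raise ValueError("unknown formula node: %r" % sorted(node))


def access_allowed(rule, claims):
    """Deny by default: the rule must say ALLOW and carry a formula that
    evaluates to true for these claims."""
    if rule.get("ACL", {}).get("ACCESS") != "ALLOW":
        return False
    formula = rule.get("FORMULA")
    if formula is None:
        return False
    return bool(eval_formula(formula, claims))


if __name__ == "__main__":
    print("roles:", resolve_claim(SAMPLE_CLAIMS, "realm_access.roles"))
    print("allowed:", access_allowed(SAMPLE_RULE, SAMPLE_CLAIMS))
```

The three deny cases worth keeping in any real implementation are the ones the checks above cover: the nested claim is absent, the claim is present but a scalar rather than an array, and the rule has no formula at all.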