Create a separate staff schema based on email domain and add support for impersonation header

febus982 · febus982 · commit 17cc2ddbde8d · 2025-01-03T22:47:23.000Z
Signed-off-by: Federico Busetti &lt;729029+febus982@users.noreply.github.com&gt;
diff --git a/.idea/dataSources.xml b/.idea/dataSources.xml
diff --git a/auth_volumes/kratos/identity.schema.json b/auth_volumes/kratos/identity.schema.json
@@ -1,5 +1,4 @@
 {
-  "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
   "$schema": "http://json-schema.org/draft-07/schema#",
   "title": "Person",
   "type": "object",
diff --git a/auth_volumes/kratos/kratos.yml b/auth_volumes/kratos/kratos.yml
@@ -107,8 +107,10 @@ hashers:
     cost: 8
 
 identity:
-  default_schema_id: default
+  default_schema_id: staff
   schemas:
+    - id: staff
+      url: file:///etc/config/kratos/staff.schema.json
     - id: default
       url: file:///etc/config/kratos/identity.schema.json
 
diff --git a/auth_volumes/kratos/staff.schema.json b/auth_volumes/kratos/staff.schema.json
@@ -0,0 +1,49 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "title": "Staff",
+  "type": "object",
+  "properties": {
+    "traits": {
+      "type": "object",
+      "properties": {
+        "email": {
+          "type": "string",
+          "format": "email",
+          "title": "E-Mail",
+          "minLength": 3,
+          "pattern": "^.*@staffdomain\\.com$",
+          "ory.sh/kratos": {
+            "credentials": {
+              "password": {
+                "identifier": true
+              }
+            },
+            "verification": {
+              "via": "email"
+            },
+            "recovery": {
+              "via": "email"
+            }
+          }
+        },
+        "name": {
+          "type": "object",
+          "properties": {
+            "first": {
+              "title": "First Name",
+              "type": "string"
+            },
+            "last": {
+              "title": "Last Name",
+              "type": "string"
+            }
+          }
+        }
+      },
+      "required": [
+        "email"
+      ],
+      "additionalProperties": false
+    }
+  }
+}
diff --git a/auth_volumes/oathkeeper/oathkeeper.yml b/auth_volumes/oathkeeper/oathkeeper.yml
@@ -96,5 +96,10 @@ mutators:
       jwks_url: file:///etc/config/oathkeeper/id_token.jwks.json
       claims: |
         {
+          {{ if eq .Extra.identity.schema_id "staff" }}
+          {{ if .MatchContext.Header.Get "x-impersonate" }}
+          "impersonate": {{ .MatchContext.Header.Get "x-impersonate" | toJson }},
+          {{ end }}
+          {{ end }}
           "session": {{ .Extra | toJson }}
         }

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,4 @@`
`1`	`1`	`{`
`2`		`- "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",`
`3`	`2`	`"$schema": "http://json-schema.org/draft-07/schema#",`
`4`	`3`	`"title": "Person",`
`5`	`4`	`"type": "object",`
Original file line number	Diff line number	Diff line change
`@@ -96,5 +96,10 @@ mutators:`
`96`	`96`	`jwks_url: file:///etc/config/oathkeeper/id_token.jwks.json`
`97`	`97`	`claims: \|`
`98`	`98`	`{`
	`99`	`+ {{ if eq .Extra.identity.schema_id "staff" }}`
	`100`	`+ {{ if .MatchContext.Header.Get "x-impersonate" }}`
	`101`	`+ "impersonate": {{ .MatchContext.Header.Get "x-impersonate" \| toJson }},`
	`102`	`+ {{ end }}`
	`103`	`+ {{ end }}`
`99`	`104`	`"session": {{ .Extra \| toJson }}`
`100`	`105`	`}`