> On 22/08/2022 14:32 EEST Felix Auringer <felix.auringer@giz.berlin> wrote:
>
> On 8/22/22 10:14, Aki Tuomi wrote:
> > Hi!
> >
> > You need to export them in passdb. You can do
> > `userdb_some_field=%{oauth2:some_field}`.
>
> That is exactly what I have been looking for, thank you! Is it also
> possible to extract arrays and objects from the token with this syntax?
> For example, I tried to save `allowed-origins` which is a list of
> strings but the field in the userdb was empty (but present). However,
> the field was processed according to the logs.
>

Currently the support is very limited. You can extract strings and numbers from a flat object.

> Furthermore, it seems that only keys that have a string or an array
> value are processed, so it may not even be possible to extract a parent
> object. For a structure like this:
>
> ```
> {
>    "azp": "roundcube-test",
>    "realm_access": {
>      "roles": [...]
>    },
>    "resource_access": {
>      "realm-management": {
>        "roles": [...]
>      },
>      "account": {
>        "roles": [...]
>      }
>    }
> }
> ```
>
> the log only shows:
>
> auth: Debug: oauth2(...): Processing field azp
> auth: Debug: oauth2(...): Processing field roles
>
> auth: Debug: oauth2(...): Processing field roles
>
> auth: Debug: oauth2(...): Processing field roles
>
> It also doesn't work to extract the whole token with
> `userdb_token=%{oauth2:access_token}` (this syntax however works for
> proxy authentication). Otherwise, I could just save the whole token in
> the user database.
>

You should be able to extract the whole access token like that, although I didn't say in my previous mail that the %{oauth2:} is valid only within the oauth2 passdb currently. Additionally, the user's token is available as %w / %{password} on all passdbs. The best way I can think of right now is to use Lua passdb for complex token handling.

> Is there some syntax I did not find in the documentation that would
> enable me to extract either the whole token or a whole JSON object / array?
>
> Best regards,
> Felix
>

---
Aki
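
The claim flattening that a custom passdb script would need for the nested structure quoted above, written in Python so it can be run offline on a captured token (an added example, not part of the thread and not Dovecot code; the thread itself suggests Lua). The `userdb_fields` helper, the `_` path separator and the sample token values are assumptions, and the signature is not verified here.

```python
import base64
import json

def jwt_claims(token: str) -> dict:
    """Decode the payload of a compact JWT. The signature is NOT verified,
    so only feed this tokens that were already validated elsewhere."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims

def _scalar(value) -> str:
    return value if isinstance(value, str) else json.dumps(value)

def flatten(value, path=""):
    """Yield (key, string) pairs. Nested objects get path-qualified keys, so the
    three separate "roles" arrays no longer share one name; arrays of scalars
    become comma-separated strings."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from flatten(child, f"{path}_{key}" if path else key)
    elif isinstance(value, list) and not any(isinstance(v, (dict, list)) for v in value):
        yield path, ",".join(_scalar(v) for v in value)
    else:
        yield path, _scalar(value)  # scalars; arrays of objects stay JSON text

def userdb_fields(token: str, prefix: str = "userdb_") -> dict:
    """Hypothetical helper: map every claim to a flat, prefixed string field."""
    return {prefix + key: val for key, val in flatten(jwt_claims(token))}

def make_sample_token() -> str:
    """Constructed token mirroring the claim layout quoted in the thread."""
    claims = {"azp": "roundcube-test",
              "allowed-origins": ["https://mail.example.org"],
              "realm_access": {"roles": ["user"]},
              "resource_access": {"account": {"roles": ["view-profile", "manage-account"]}}}
    seg = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([seg({"alg": "RS256", "typ": "JWT"}), seg(claims), "constructed-signature"])

if __name__ == "__main__":
    for key, val in userdb_fields(make_sample_token()).items():
        print(f"{key}={val}")
```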