hubodz opened a new issue, #5418: URL: https://github.com/apache/couchdb/issues/5418
Based on [source](https://github.com/apache/couchdb/blob/main/src/jwtf/src/jwtf.erl), I understand only a limited number of JWT claims can be validated. Trying to validate other claims results in the error `unknown_checks`. I would like to ask for introducing validation of any provided claim.

In my case, I use an SSO of a huge Organisation, where many users can define their own applications/clients (signed with the same SSO key). Without validating `aud`, anyone could create another application with roles that my CouchDB instance accepts.

## Desired Behaviour

When provided a config like below, the claim `aud` should be verified: both that it exists and that it matches the provided `my-application` value.

`required_claims = exp, {aud, "my-application"}`

I believe it's worth allowing such a validation for any custom claim (only to check existence and value matching, if provided).

## Possible Solution

I believe the [source](https://github.com/apache/couchdb/blob/main/src/jwtf/src/jwtf.erl) should not limit the check only to claims specified in line 45. There could be a function providing a "general" claim check, no matter what it is exactly.
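The generic claim check the issue asks for, as an added illustration that is not part of the issue or of CouchDB's `jwtf` module: a spec in the spirit of the proposed `required_claims = exp, {aud, "my-application"}` line is applied to already signature-verified, decoded payloads, and the constructed sample tokens show why a token from another application under the same SSO key passes without the `aud` entry and fails with it. The function name, spec encoding and payloads are assumptions for this example.

```python
"""Added example, not CouchDB/jwtf code: generic required-claims check over a
decoded JWT payload. Signature verification is assumed to have happened already."""
import time

# Spec entries mirror the proposed config: a bare claim name means "must be
# present"; a (name, value) pair means "must be present and equal value".
REQUIRED_CLAIMS = ["exp", ("aud", "my-application")]  # constructed spec


def check_claims(payload, spec, now=None):
    """Return a list of failure strings; an empty list means every check passed."""
    now = time.time() if now is None else now
    failures = []
    for entry in spec:
        name, expected = entry if isinstance(entry, tuple) else (entry, None)
        if name not in payload:
            failures.append(f"missing claim: {name}")
            continue
        value = payload[name]
        if name == "exp" and not (isinstance(value, (int, float)) and value > now):
            failures.append("token expired")
        if expected is not None:
            # RFC 7519 lets `aud` be a single string or an array of strings,
            # so a match anywhere in the array is accepted.
            values = value if isinstance(value, list) else [value]
            if expected not in values:
                failures.append(f"claim {name} mismatch: {value!r}")
    return failures


# Constructed payloads: all signed by the same SSO key, different audiences.
FUTURE = 4_000_000_000  # constructed `exp` far in the future
MINE = {"sub": "alice", "exp": FUTURE, "aud": "my-application", "roles": ["admin"]}
OTHER_APP = {"sub": "mallory", "exp": FUTURE, "aud": "their-application", "roles": ["admin"]}
NO_AUD = {"sub": "bob", "exp": FUTURE}

if __name__ == "__main__":
    for label, p in [("own app", MINE), ("other app", OTHER_APP), ("no aud", NO_AUD)]:
        print(f"exp only      -> {label}: {check_claims(p, ['exp']) or 'ok'}")
        print(f"exp + aud     -> {label}: {check_claims(p, REQUIRED_CLAIMS) or 'ok'}")
```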
