These are my business rules:
- Registered users have:
  app_metadata: { "projects": ["test", "test2", "test3"] }
- If a user is requesting an access_token for audience "my.secret.api" then:
  - The user may request at most one scope
  - The requested scope must be an exact match to an item in the projects array of the user's app_metadata.
Here is my current implementation which appears to work:
function (user, context, callback) {
  // Only act when the token is for our API and a scope was actually requested
  if (context.request.query.audience === 'my.secret.api' && context.request.query.scope) {
    // The scope parameter is a space-separated list
    var requestedScopes = context.request.query.scope.split(' ');
    // Exactly one scope, and it must appear in the user's projects array
    if (requestedScopes.length === 1 && user.app_metadata.projects.indexOf(requestedScopes[0]) !== -1) {
      context.accessToken.scope = requestedScopes;
    } else {
      // Otherwise issue the token with no scopes at all
      context.accessToken.scope = [];
    }
  }
  callback(null, user, context);
}
Is my implementation the correct way to achieve this? It appears to work even if 'my.secret.api' does not have scope 'project3' (which is a nice side effect). I am confused by when to modify context.accessToken.scope vs. jwtConfiguration; the documentation is not clear at all on this.
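An added example, not the poster's rule and not Auth0 code: the same business rules factored into a pure function (restrictScopes, a name I chose) so they can be unit-tested offline, plus the thin rule wrapper that applies the result to context.accessToken.scope. It differs from the posted rule in three defensive ways: it does not throw when app_metadata or projects is missing (a missing array is treated as "no projects", so the token gets no scope instead of the rule erroring), it reads the request parameters from either context.request.query or context.request.body (Auth0 populates body for POST token requests such as the password grant), and when the audience matches but no scope was requested it issues an empty scope rather than leaving the API's default scopes in place. The makeContext helper that builds a fake rule context is constructed here for the demonstration.

```javascript
'use strict';

// Audience taken from the question; every other name here is my own.
const AUDIENCE = 'my.secret.api';

// Look a request parameter up in query first, then body.
function readParam(context, name) {
  const req = (context && context.request) || {};
  const query = req.query || {};
  const body = req.body || {};
  return query[name] !== undefined ? query[name] : body[name];
}

// Returns the scope array to issue, or null when the request is not for
// AUDIENCE and the token should be left untouched. Default is deny: any
// request that does not satisfy both rules yields an empty scope list.
function restrictScopes(user, context) {
  if (readParam(context, 'audience') !== AUDIENCE) {
    return null;
  }
  const raw = readParam(context, 'scope');
  // The scope parameter is space-separated; tolerate extra whitespace.
  const requested = typeof raw === 'string'
    ? raw.split(/\s+/).filter(Boolean)
    : [];
  const meta = (user && user.app_metadata) || {};
  const projects = Array.isArray(meta.projects) ? meta.projects : [];

  // Rule 1: at most one scope. Rule 2: exact match against projects.
  if (requested.length === 1 && projects.indexOf(requested[0]) !== -1) {
    return [requested[0]];
  }
  return [];
}

// Auth0-style rule wrapper: same signature as a real rule.
function rule(user, context, callback) {
  let scope;
  try {
    scope = restrictScopes(user, context);
  } catch (err) {
    return callback(err); // fail closed: an error aborts the login
  }
  if (scope !== null) {
    context.accessToken.scope = scope;
  }
  return callback(null, user, context);
}

// Constructed fake rule context for local testing (not Auth0's real object).
function makeContext(audience, scope, viaBody) {
  const params = {};
  if (audience !== undefined) params.audience = audience;
  if (scope !== undefined) params.scope = scope;
  return {
    request: viaBody ? { query: {}, body: params } : { query: params, body: {} },
    accessToken: { scope: ['openid', 'profile'] }
  };
}

// Run the rule once and hand back the scope it produced, for inspection.
function runRule(user, context) {
  let result;
  rule(user, context, (err, u, ctx) => {
    result = err ? { error: err.message } : { scope: ctx.accessToken.scope };
  });
  return result;
}

// Stand-alone demonstration with a constructed user.
const demoUser = { app_metadata: { projects: ['test', 'test2', 'test3'] } };
console.log(runRule(demoUser, makeContext(AUDIENCE, 'test')));        // { scope: ['test'] }
console.log(runRule(demoUser, makeContext(AUDIENCE, 'test test2')));  // { scope: [] }
console.log(runRule(demoUser, makeContext('other.api', 'test')));     // scope left as default
```

Keeping the decision in restrictScopes means the two business rules can be checked with plain assertions before the code is pasted into the rule editor, and the wrapper is the only place that touches the Auth0 context.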