starred/pocket-id
1
0
Fork 0
mirror of https://github.com/pocket-id/pocket-id.git synced 2025-12-09 17:23:22 +03:00
Code Issues 121 Packages Projects Releases 16 Wiki Activity

🚀 Feature: include extra information in access token #79

New Issue
Closed
opened 2025-10-07 00:00:56 +03:00 by OVERLORD · 5 comments
OVERLORD commented 2025-10-07 00:00:56 +03:00
Owner
Copy Link

Originally created by @peterforeman on GitHub.

Feature description

Allow extra claims to access token.

Pitch

I'm trying to get RabbitMQ working with Pocket-ID, but unfortunately their implementation only makes use of the access token. Other SSO providers like Zitadel or Authentik have the option to include extra data in the access token. In Pocket-ID I cannot find such feature.

From the RabbitMQ docs:

Authorization Flow

This plugin does not communicate with any OAuth 2.0 provider in order to authenticate user and grants access. >Instead, it decodes an access token provided by the client and authorizes a user based on the scopes found in >the token.

[snip]

The token can be any JWT token which contains the scope and aud fields.

In chronological order, here is the sequence of events that occur when a client application wants to connect to >one of the RabbitMQ's messaging protocols, such as AMQP:

The Client application requests an access_token from the OAuth 2.0 provider.

The access token must include scopes supported by RabbitMQ in the scope field (it is possible to use a different field for the scopes by setting the name of the new field in auth_oauth2.additional_scopes_key).

The Client application passes the token as password when connecting to RabbitMQ's messaging protocol. The username field is ignored.

RabbitMQ validates the token's signature. To validate it, RabbitMQ must have the signing keys or download them from the JWKS endpoint as explained in earlier sections.

RabbitMQ validates that the token has the audience claim and whose value matches the resource_server_id (this operation can be deactivated by setting auth_oauth2.verify_aud to false).

RabbitMQ translates the scopes found in the token into RabbitMQ permissions (the same permissions used in the RabbitMQ's internal database).See above

There are probably more applications that want extra claims in the access token since the big SSO providers have this option as well.

Originally created by @peterforeman on GitHub. ### Feature description Allow extra claims to access token. ### Pitch I'm trying to get RabbitMQ working with Pocket-ID, but unfortunately their implementation only makes use of the access token. Other SSO providers like Zitadel or Authentik have the option to include extra data in the access token. In Pocket-ID I cannot find such feature. From the RabbitMQ docs: > Authorization Flow > >This plugin does not communicate with any OAuth 2.0 provider in order to authenticate user and grants access. >Instead, it decodes an access token provided by the client and authorizes a user based on the scopes found in >the token. > >[snip] > >The token can be any [JWT token](https://jwt.io/introduction/) which contains the scope and aud fields. > >In chronological order, here is the sequence of events that occur when a client application wants to connect to >one of the RabbitMQ's messaging protocols, such as AMQP: > >The Client application requests an access_token from the OAuth 2.0 provider. > >The access token must include scopes supported by RabbitMQ in the scope field (it is possible to use a different field for the scopes by setting the name of the new field in auth_oauth2.additional_scopes_key). > >The Client application passes the token as password when connecting to RabbitMQ's messaging protocol. The username field is ignored. > >RabbitMQ validates the token's signature. To validate it, RabbitMQ must have the signing keys or download them from the JWKS endpoint as explained in earlier sections. > >RabbitMQ validates that the token has the audience claim and whose value matches the resource_server_id (this operation can be deactivated by setting auth_oauth2.verify_aud to false). > >RabbitMQ translates the scopes found in the token into RabbitMQ permissions (the same permissions used in the RabbitMQ's internal database).See above There are probably more applications that want extra claims in the access token since the big SSO providers have this option as well.
OVERLORD commented 2025-10-07 00:01:00 +03:00
Author
Owner
Copy Link

@peterforeman commented on GitHub:

other OIDCs allow javascript / custom code to implement this.

The problem with this would be requiring executing custom code (i.e. untrusted) within Pocket ID. It can be done, but it does come with significant challenges in terms of maintenability and security.

Agreed. Then an API like your proposal would be better.

@peterforeman commented on GitHub: > > other OIDCs allow javascript / custom code to implement this. > > The problem with this would be requiring executing custom code (i.e. untrusted) within Pocket ID. It can be done, but it does come with significant challenges in terms of maintenability and security. Agreed. Then an API like your proposal would be better.
OVERLORD commented 2025-10-07 00:01:00 +03:00
Author
Owner
Copy Link

@peterforeman commented on GitHub:

#781 would fix this if we would also allow access token to have custom claims, closing this one.

@peterforeman commented on GitHub: #781 would fix this if we would also allow access token to have custom claims, closing this one.
OVERLORD commented 2025-10-07 00:01:00 +03:00
Author
Owner
Copy Link

@ItalyPaleAle commented on GitHub:

other OIDCs allow javascript / custom code to implement this.

The problem with this would be requiring executing custom code (i.e. untrusted) within Pocket ID. It can be done, but it does come with significant challenges in terms of maintenability and security.

@ItalyPaleAle commented on GitHub: > other OIDCs allow javascript / custom code to implement this. The problem with this would be requiring executing custom code (i.e. untrusted) within Pocket ID. It can be done, but it does come with significant challenges in terms of maintenability and security.
OVERLORD commented 2025-10-07 00:01:01 +03:00
Author
Owner
Copy Link

@ItalyPaleAle commented on GitHub:

Would #781 address this too?

@ItalyPaleAle commented on GitHub: Would #781 address this too?
OVERLORD commented 2025-10-07 00:01:01 +03:00
Author
Owner
Copy Link

@peterforeman commented on GitHub:

I think it would, although I'm not sure if using a HTTP(s) backend would we a industry-standard approach. But I'm not really into OIDC so am unable to tell.

I did some own tweaking with custom claims and that worked. The approach was adding custom claims to the user and let these get added to the access token. Then you can use the API to add/change/remove claims from the user.

But indeed: other OIDCs allow javascript / custom code to implement this.

@peterforeman commented on GitHub: I think it would, although I'm not sure if using a HTTP(s) backend would we a industry-standard approach. But I'm not really into OIDC so am unable to tell. I did some own tweaking with custom claims and that worked. The approach was adding custom claims to the user and let these get added to the access token. Then you can use the API to add/change/remove claims from the user. But indeed: other OIDCs allow javascript / custom code to implement this.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
breaking
bug
documentation
feature
needs more upvotes
open to pull requests
pull-request
Mirrored from GitHub Pull Request
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
OVERLORD
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/pocket-id#79
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?