I am setting up cbSecurity in a ColdBox app & could use a little help. I have got JWT authentication working but now I want to include a few custom claims—such as user role, department & access flags—inside the token. The generation part works fine but I am not sure how to properly read or validate those claims once the token is used in a request.
Is there a suggested way to validate custom claims in cbSecurity? Should I be writing a custom validator or is there a simpler way using the existing config?
The default JWT Validator will only validate that the token is valid, it has not expired and has the right user on it. If you want to do something else or test custom claims, etc, then you will have to create a custom validator that extends the JWT validator.
Now, if you just want to get the payload and work with it then you can use several of the parsing and helper methods: JWT Services | cbSecurity from the jwt service. So if you wanted the payload that represents the jwt you can do
Your user (or whatever your logged-in entity is) can influence claims using the getJwtCustomClaims() method that is part of the IJwtSubject interface in cbSecurity. You could add user roles, departments, etc. in this method. It is called whenever a token is generated.
If you want to influence claims higher up or not specifically tied to an IJwtSubject, you can also pass custom claims in to the attempt and fromUser methods. We use this in one app to change the timeouts based on the presence of a rememberMe form field.
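Putting both answers together, here is an added example (not code from the thread or from cbSecurity itself): the logged-in entity supplies the custom claims through getJwtCustomClaims(), and a validator extending the stock JWT validator checks those claims only after the parent's signature/expiration/subject checks pass. The extends path, the validate() signature and return struct, the JwtService@cbsecurity WireBox id, and the rule-level "claims" key are assumptions about cbSecurity 3.x; the two components are shown in one fence but belong in separate files.

```cfml
// models/User.cfc : the logged-in entity. getJwtCustomClaims() is the IJwtSubject
// hook cbSecurity calls every time it mints a token, so claims are set here.
component accessors="true" {
    property name="id";
    property name="role";
    property name="department";
    property name="accessFlags";

    struct function getJwtCustomClaims(){
        return {
            "role"        : getRole(),
            "department"  : getDepartment(),
            "accessFlags" : getAccessFlags() // e.g. [ "billing:read", "reports:export" ]
        };
    }

    array function getJwtScopes(){ return []; }
}

// models/ClaimsJwtValidator.cfc : custom validator extending the stock JWT validator.
// Assumed: extends path and validate() signature of cbSecurity 3.x.
// Register it in config/ColdBox.cfc: cbsecurity = { validator : "ClaimsJwtValidator" }
component extends="cbsecurity.models.auth.JwtAuthValidator" {
    property name="jwtService" inject="JwtService@cbsecurity";

    // rule.claims is an assumed convention: a struct of claim -> required scalar value,
    // e.g. { "role" : "admin", "department" : "finance" } on the security rule.
    struct function validate( required rule, required target, required controller ){
        // 1. Let the parent verify signature, expiration and the subject first.
        var result = super.validate( argumentCollection = arguments );
        if ( !result.allow ) { return result; }

        // 2. Read the already-verified payload for this request and compare claims.
        var payload  = jwtService.getPayload();
        var required = arguments.rule.claims ?: {};
        for ( var claim in required ) {
            if ( !payload.keyExists( claim ) || payload[ claim ] != required[ claim ] ) {
                return {
                    "allow"    : false,
                    "type"     : "authorization",   // distinguishes from a failed login
                    "messages" : "Missing or mismatched claim: #claim#"
                };
            }
        }
        return result;
    }
}
```

Because the claim check runs after super.validate(), a forged or expired token is rejected before any claim is ever read, and a valid token with the wrong claims fails as an authorization (not authentication) error.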