You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
add: config jwt-schema-claim-key for schema selection in JWT
It follows the same JSPath grammar as `jwt-role-claim-key`. If
the schema is specified in JWT claims, it overides the `Accept-Profile`
and `Content-Profile` headers.
Signed-off-by: Taimoor Zaeem <taimoorzaeem@gmail.com>
Copy file name to clipboardExpand all lines: docs/references/auth.rst
+30-5Lines changed: 30 additions & 5 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -226,6 +226,33 @@ JWT Role Extraction
226
226
227
227
A JSPath DSL that specifies the location of the :code:`role` key in the JWT claims. It's configured by :ref:`jwt-role-claim-key`. This can be used to consume a JWT provided by a third party service like Auth0, Okta, Microsoft Entra or Keycloak.
228
228
229
+
.. code::
230
+
231
+
# {"postgrest":{"roles": ["other", "author"]}}
232
+
# the DSL accepts characters that are alphanumerical or one of "_$@" as keys
233
+
jwt-role-claim-key = ".postgrest.roles[1]"
234
+
235
+
See :ref:`jspath_dsl_grammar` for more details on how to specify the location.
236
+
237
+
.. _jwt_schema_extract:
238
+
239
+
JWT Schema Extraction
240
+
---------------------
241
+
242
+
Schema can be specified in JWT claims. It is configured by :ref:`jwt-schema-claim-key`. This feature can be used for JWT-driven schema-based multitenancy. It allows fully hidden schema selection without exposing the schema in :ref:`profile headers <profile_headers>`. The schema specified in JWT takes precedence over profile headers.
243
+
244
+
.. code::
245
+
246
+
# {"postgrest":{"schema": "jwt-tenant"}}
247
+
jwt-schema-claim-key = ".postgrest.schema"
248
+
249
+
See :ref:`jspath_dsl_grammar` for more details on how to specify the location.
250
+
251
+
.. _jspath_dsl_grammar:
252
+
253
+
JSPath DSL Grammar
254
+
~~~~~~~~~~~~~~~~~~
255
+
229
256
The DSL follows the `JSONPath <https://goessner.net/articles/JsonPath/>`_ expression grammar with extended string comparison operators. Supported operators are:
230
257
231
258
- ``==`` selects the first array element that exactly matches the right operand
@@ -234,7 +261,7 @@ The DSL follows the `JSONPath <https://goessner.net/articles/JsonPath/>`_ expres
234
261
- ``==^`` selects the first array element that ends with the right operand
235
262
- ``*==`` selects the first array element that contains the right operand
236
263
237
-
The selected role value can also be sliced using the slice operator ``[a:b]``. It is similar to `slice operator in python <https://docs.python.org/3/library/functions.html#slice>`_. Negative index values are also supported. The syntax is as:
264
+
The selected value can also be sliced using the slice operator ``[a:b]``. It is similar to `slice operator in python <https://docs.python.org/3/library/functions.html#slice>`_. Negative index values are also supported. The syntax is as:
238
265
239
266
- ``[a:b]`` take slice from index ``a`` up to ``b``
240
267
- ``[a:]`` take slice from index ``a`` to end
@@ -249,10 +276,6 @@ Usage examples:
249
276
250
277
.. code:: bash
251
278
252
-
# {"postgrest":{"roles": ["other", "author"]}}
253
-
# the DSL accepts characters that are alphanumerical or one of "_$@" as keys
These examples also apply to :ref:`jwt-schema-claim-key`.
298
+
274
299
.. note::
275
300
276
301
The string comparison operators are implemented as a custom extension to the JSPath and does not strictly follow the `RFC 9535 <https://www.rfc-editor.org/rfc/rfc9535.html>`_.
0 commit comments