feat(jans-cedarling): custom tokens and putting tokens in principal attrs

docs/cedarling/cedarling-authz.md

@@ -63,20 +63,20 @@ let input = {
     "id_token": "eyJjbGc...", 
     "userinfo_token": "eyJjbGc...",
   },
-    "action": "View",
-    "resource": {
-      "id": "ticket-10101",
-      "type" : "Ticket",
-      "owner": "[email protected]", 
-      "org_id": "Acme"
-    },
-      "context": {
-        "ip_address": "54.9.21.201",
-        "network_type": "VPN",
-        "user_agent": "Chrome 125.0.6422.77 (Official Build) (arm64)",
-        "time": "1719266610.98636",
-      }
-    }
+  "action": "View",
+  "resource": {
+    "id": "ticket-10101",
+    "type" : "Ticket",
+    "owner": "[email protected]", 
+    "org_id": "Acme"
+  },
+  "context": {
+    "ip_address": "54.9.21.201",
+    "network_type": "VPN",
+    "user_agent": "Chrome 125.0.6422.77 (Official Build) (arm64)",
+    "time": "1719266610.98636",
+  }
+}
 
 decision_result = await cedarling(input)
 ```

docs/cedarling/cedarling-policy-store.md

@@ -156,11 +156,12 @@ Here is a non-normative example of the `policies` field:
 This record contains the information needed to validate tokens from this issuer:
 
 ```json
-  "identity_source": {
-    "some_unique_id" : {
-      "name": "name_of_the_trusted_issuer",
-      "description": "description for the trusted issuer",
-      "openid_configuration_endpoint": "https://<trusted-issuer-hostname>/.well-known/openid-configuration",
+"identity_source": {
+  "some_unique_id" : {
+    "name": "name_of_the_trusted_issuer",
+    "description": "description for the trusted issuer",
+    "openid_configuration_endpoint": "https://<trusted-issuer-hostname>/.well-known/openid-configuration",
+    "tokens_metadata": {
       "access_tokens": {
         "trusted": true,
         "principal_identifier": "jti",
@@ -169,20 +170,18 @@ This record contains the information needed to validate tokens from this issuer:
       "id_tokens": { ... },
       "userinfo_tokens": { ... },
       "tx_tokens": { ... },
+      ...
     }
-    ...
   }
+  ...
+}
 ```
 
 - **name** : (*String*) The name of the trusted issuer.
 - **description** : (*String*) A brief description of the trusted issuer, providing context for administrators.
 - **openid_configuration_endpoint** : (*String*) The HTTPS URL for the OpenID Connect configuration endpoint (usually found at `/.well-known/openid-configuration`).
 - **identity_source** : (*Object*, *optional*) Metadata related to the tokens issued by this issuer.
-
-**Notes**:
-
-- The `access_tokens`, `id_tokens`, `userinfo_tokens`, and `tx_tokens` fields will follow the [Token Metadata Schema](#token-metadata-schema).
-- The `access_tokens` will contain a `trusted` and `principal_identifier` field in addition to the fields from the `Token Metadata Schema`.
+- **tokens_metadata** : (*Object*, *optional*) Tokens metadata in a map of *token name* -> *token metadata*. See  [Token Metadata Schema](#token-metadata-schema).
 
 ### Token Metadata Schema
 

docs/cedarling/cedarling-properties.md

@@ -20,9 +20,7 @@ These Bootstrap Properties control default application level behavior.
 * **`CEDARLING_USER_WORKLOAD_BOOLEAN_OPERATION`** :  `AND`, `OR`
 * **`CEDARLING_MAPPING_USER`** : Name of Cedar User schema entity if we don't want to use default. When specified cedarling try build defined entity (from schema) as user instead of default `User` entity defined in `cedar` schema. Works in namespace defined in the policy store.
 * **`CEDARLING_MAPPING_WORKLOAD`** : Name of Cedar Workload schema entity
-* **`CEDARLING_MAPPING_ID_TOKEN`** : Name of Cedar id_token schema entity
-* **`CEDARLING_MAPPING_ACCESS_TOKEN`** : Name of Cedar access_token schema entity
-* **`CEDARLING_MAPPING_USERINFO_TOKEN`** : Name of Cedar userinfo schema entity
+* **`CEDARLING_MAPPING_ROLE`** : Name of Cedar Role schema entity
 
 **The following bootstrap properties are needed to configure log behavior:**
 
@@ -49,19 +47,7 @@ These Bootstrap Properties control default application level behavior.
 * **`CEDARLING_JWT_SIG_VALIDATION`** : `Enabled` | `Disabled` -- Whether to check the signature  of all JWT tokens. This requires an `iss` is present.
 * **`CEDARLING_JWT_STATUS_VALIDATION`** : `Enabled` | `Disabled` -- Whether to check the status of the JWT. On startup, the Cedarling should fetch and retreive the latest Status List JWT from the `.well-known/openid-configuration` via the `status_list_endpoint` claim and cache it. See the [IETF Draft](https://datatracker.ietf.org/doc/draft-ietf-oauth-status-list/) for more info.
 * **`CEDARLING_JWT_SIGNATURE_ALGORITHMS_SUPPORTED`** : Only tokens signed with these algorithms are acceptable to the Cedarling.
-* **`CEDARLING_AT_ISS_VALIDATION`** : When enabled, the `iss` claim must be present in access token and the scheme must be `https`.
-* **`CEDARLING_AT_JTI_VALIDATION`** : When enabled, the `jti` claim must be present in access token.
-* **`CEDARLING_AT_NBF_VALIDATION`** : When enabled, the `nbf` claim must be present in access token and the Cedarling should verify that the current date is after the `nbf`.
-* **`CEDARLING_AT_EXP_VALIDATION`** : When enabled, the `exp` claim must be present and not past the date specified.
-* **`CEDARLING_IDT_ISS_VALIDATION`** : When enabled, the `iss` claim must be present in id_token and the scheme must be `https`.
-* **`CEDARLING_IDT_SUB_VALIDATION`** : When enabled, the `sub` claim must be present in id_token.
-* **`CEDARLING_IDT_EXP_VALIDATION`** : When enabled, the `exp` claim must be present and not past the date specified.
-* **`CEDARLING_IDT_IAT_VALIDATION`** : When enabled, the `iat` claim must be present in id_token.
-* **`CEDARLING_IDT_AUD_VALIDATION`** : When enabled, the `aud` claim must be present in id_token.
-* **`CEDARLING_USERINFO_ISS_VALIDATION`** : When enabled, the `iss` claim must be present and the scheme must be `https`.
-* **`CEDARLING_USERINFO_SUB_VALIDATION`** : When enabled, the `sub` claim must be present in Userinfo JWT.
-* **`CEDARLING_USERINFO_AUD_VALIDATION`** : When enabled, the `aud` claim must be present in Userinfo JWT.
-* **`CEDARLING_USERINFO_EXP_VALIDATION`** : When enabled, the `exp` claim must be present and not past the date specified.
+* **`CEDARLING_TOKEN_CONFIGS`** : JSON object containing token specific configs. See: [Token Configs](#token-configs).
 * **`CEDARLING_ID_TOKEN_TRUST_MODE`** :  `Strict` | `None`. Varying levels of validations based on the preference of the developer.
 `Strict` mode requires (1) id_token `aud` matches the access_token `client_id`; (2) if a Userinfo token is present, the `sub` matches the id_token, and that the `aud` matches the access token client_id.
 
@@ -85,6 +71,42 @@ The `CEDARLING_USER_WORKLOAD_BOOLEAN_OPERATION` property specifies what boolean
 * **AND**: authz will be successful if `USER` **AND** `WORKLOAD` is valid.
 * **OR**: authz will be successful if `USER` **OR** `WORKLOAD` is valid.
 
+## Token Configs
+
+The token configs property sets the entity type name of a token and it's validation settings. Below is an example of the `CEDARLING_TOKEN_CONFIGS`:
+
+```js
+CEDARLING_TOKEN_CONFIGS = {
+  "access_token": {
+    "entity_type_name": "Access_token",
+    "iss": "enabled",
+    "aud": "enabled",
+    "sub": "enabled",
+    "jti": "enabled",
+    "nbf": "enabled",
+    "iat": "enabled",
+    "exp": "enabled",
+  },
+  "id_token": {
+    "entity_type_name": "id_token",
+    "exp": "enabled",
+  },
+  "userinfo_token": {
+    "entity_type_name": "Userinfo_token",
+    "exp": "enabled",
+  },
+  "custom_token1": {
+    "entity_type_name": "SomeCustom_token",
+    "exp": "enabled",
+  },
+  "custom_token2": {
+    "entity_type_name": "AnotherCustom_token",
+    "exp": "enabled",
+  },
+  // more custom tokens can be added here
+}
+```
+
 ## ID Token Trust Mode
 
 The level of validation for the ID Token JWT can be set to either `None` or `Strict`.
@@ -157,9 +179,7 @@ Below is an example of a bootstrap config in JSON format. Not all fields should
     "CEDARLING_USER_WORKLOAD_BOOLEAN_OPERATION": "AND",
     "CEDARLING_MAPPING_USER": "CustomUser",
     "CEDARLING_MAPPING_WORKLOAD": "CustomWorkload",
-    "CEDARLING_MAPPING_ID_TOKEN": "CustomIdToken",
-    "CEDARLING_MAPPING_ACCESS_TOKEN": "CustomAccessToken",
-    "CEDARLING_MAPPING_USERINFO_TOKEN": "CustomUserinfoToken",
+    "CEDARLING_MAPPING_ROLE": "CustomRole",
     "CEDARLING_LOCAL_JWKS": "../test_files/local_jwks.json",
     "CEDARLING_LOCAL_POLICY_STORE": null,
     "CEDARLING_POLICY_STORE_LOCAL_FN": "../test_files/policy-store_blobby.json",
@@ -169,19 +189,27 @@ Below is an example of a bootstrap config in JSON format. Not all fields should
         "HS256",
         "RS256"
     ],
-    "CEDARLING_AT_ISS_VALIDATION": "disabled",
-    "CEDARLING_AT_JTI_VALIDATION": "disabled",
-    "CEDARLING_AT_NBF_VALIDATION": "disabled",
-    "CEDARLING_AT_EXP_VALIDATION": "enabled",
-    "CEDARLING_IDT_ISS_VALIDATION": "enabled",
-    "CEDARLING_IDT_SUB_VALIDATION": "enabled",
-    "CEDARLING_IDT_EXP_VALIDATION": "enabled",
-    "CEDARLING_IDT_IAT_VALIDATION": "enabled",
-    "CEDARLING_IDT_AUD_VALIDATION": "enabled",
-    "CEDARLING_USERINFO_ISS_VALIDATION": "enabled",
-    "CEDARLING_USERINFO_SUB_VALIDATION": "enabled",
-    "CEDARLING_USERINFO_AUD_VALIDATION": "enabled",
-    "CEDARLING_USERINFO_EXP_VALIDATION": "enabled",
+    "CEDARLING_TOKEN_CONFIGS": {
+        "access_token": {
+            "entity_type_name": "Access_token",
+            "exp": "enabled",
+        },
+        "id_token": {
+            "entity_type_name": "id_token",
+            "iss": "enabled",
+            "sub": "enabled",
+            "exp": "enabled",
+            "iat": "enabled",
+            "aud": "enabled",
+        },
+        "id_token": {
+            "entity_type_name": "id_token",
+            "iss": "enabled",
+            "aud": "enabled",
+            "sub": "enabled",
+            "exp": "enabled",
+        },
+    },
     "CEDARLING_ID_TOKEN_TRUST_MODE": "Strict",
     "CEDARLING_LOCK": "disabled",
     "CEDARLING_LOCK_MASTER_CONFIGURATION_URI": null,
@@ -230,9 +258,7 @@ CEDARLING_WORKLOAD_AUTHZ: 'enabled'
 CEDARLING_USER_WORKLOAD_BOOLEAN_OPERATION: 'AND'
 CEDARLING_MAPPING_USER: 'CustomUser'
 CEDARLING_MAPPING_WORKLOAD: 'CustomWorkload'
-CEDARLING_MAPPING_ID_TOKEN: 'CustomIdToken'
-CEDARLING_MAPPING_ACCESS_TOKEN: 'CustomAccessToken'
-CEDARLING_MAPPING_USERINFO_TOKEN: 'CustomUserinfoToken'
+CEDARLING_MAPPING_ROLE: 'CustomRole'
 CEDARLING_LOCAL_JWKS: '../test_files/local_jwks.json'
 CEDARLING_LOCAL_POLICY_STORE: null
 CEDARLING_POLICY_STORE_LOCAL_FN: '../test_files/policy-store_blobby.json'
@@ -241,19 +267,10 @@ CEDARLING_JWT_STATUS_VALIDATION: 'disabled'
 CEDARLING_JWT_SIGNATURE_ALGORITHMS_SUPPORTED:
     - 'HS256'
     - 'RS256'
-CEDARLING_AT_ISS_VALIDATION: 'disabled'
-CEDARLING_AT_JTI_VALIDATION: 'disabled'
-CEDARLING_AT_NBF_VALIDATION: 'disabled'
-CEDARLING_AT_EXP_VALIDATION: 'enabled'
-CEDARLING_IDT_ISS_VALIDATION: 'enabled'
-CEDARLING_IDT_SUB_VALIDATION: 'enabled'
-CEDARLING_IDT_EXP_VALIDATION: 'enabled'
-CEDARLING_IDT_IAT_VALIDATION: 'enabled'
-CEDARLING_IDT_AUD_VALIDATION: 'enabled'
-CEDARLING_USERINFO_ISS_VALIDATION: 'enabled'
-CEDARLING_USERINFO_SUB_VALIDATION: 'enabled'
-CEDARLING_USERINFO_AUD_VALIDATION: 'enabled'
-CEDARLING_USERINFO_EXP_VALIDATION: 'enabled'
+CEDARLING_TOKENS_CONFIG:
+    access_token: CustomAccessToken
+    id_token: CustomIdToken
+    userinfo_token: CustomUserinfoToken
 CEDARLING_ID_TOKEN_TRUST_MODE: 'Strict'
 CEDARLING_LOCK: 'disabled'
 CEDARLING_LOCK_MASTER_CONFIGURATION_URI: null

jans-cedarling/bindings/cedarling_python/cedarling_python.pyi

@@ -44,22 +44,13 @@ class BootstrapConfig:
                     - "CEDARLING_LOCAL_JWKS" (str, optional): Local JWKS (JSON Web Key Set). Defaults to None.
                     - "CEDARLING_LOCAL_POLICY_STORE" (str, optional): Local policy store configuration. Defaults to None.
                     - "CEDARLING_POLICY_STORE_LOCAL_FN" (str, optional): Local policy store function. Defaults to None.
+                    - "CEDARLING_WORKLOAD_MAPPING" (str, optional): The workload's entity type name. Defaults to "Jans::Workload".
+                    - "CEDARLING_USER_MAPPING" (str, optional): The workload's entity type name. Defaults to "Jans::User".
+                    - "CEDARLING_ROLE_MAPPING" (str, optional): The workload's entity type name. Defaults to "Jans::Role".
                     - "CEDARLING_JWT_SIG_VALIDATION" (str, optional): JWT signature validation status. Defaults to "enabled".
                     - "CEDARLING_JWT_STATUS_VALIDATION" (str, optional): JWT status validation status. Defaults to "enabled".
                     - "CEDARLING_JWT_SIGNATURE_ALGORITHMS_SUPPORTED" (list, optional): Supported JWT signature algorithms. Defaults to an empty list.
-                    - "CEDARLING_AT_ISS_VALIDATION" (str, optional): Access token issuer validation status. Defaults to "enabled".
-                    - "CEDARLING_AT_JTI_VALIDATION" (str, optional): Access token JWT ID validation status. Defaults to "enabled".
-                    - "CEDARLING_AT_NBF_VALIDATION" (str, optional): Access token "not before" validation status. Defaults to "enabled".
-                    - "CEDARLING_AT_EXP_VALIDATION" (str, optional): Access token expiration validation status. Defaults to "enabled".
-                    - "CEDARLING_IDT_ISS_VALIDATION" (str, optional): ID token issuer validation status. Defaults to "enabled".
-                    - "CEDARLING_IDT_SUB_VALIDATION" (str, optional): ID token subject validation status. Defaults to "enabled".
-                    - "CEDARLING_IDT_EXP_VALIDATION" (str, optional): ID token expiration validation status. Defaults to "enabled".
-                    - "CEDARLING_IDT_IAT_VALIDATION" (str, optional): ID token issued-at validation status. Defaults to "enabled".
-                    - "CEDARLING_IDT_AUD_VALIDATION" (str, optional): ID token audience validation status. Defaults to "enabled".
-                    - "CEDARLING_USERINFO_ISS_VALIDATION" (str, optional): User info issuer validation status. Defaults to "enabled".
-                    - "CEDARLING_USERINFO_SUB_VALIDATION" (str, optional): User info subject validation status. Defaults to "enabled".
-                    - "CEDARLING_USERINFO_AUD_VALIDATION" (str, optional): User info audience validation status. Defaults to "enabled".
-                    - "CEDARLING_USERINFO_EXP_VALIDATION" (str, optional): User info expiration validation status. Defaults to "enabled".
+                    - "CEDARLING_TOKEN_CONFIGS" (dict, optional): Token Validation Settings. See docs for what this defaults to.
                     - "CEDARLING_ID_TOKEN_TRUST_MODE" (str, optional): Trust mode for ID tokens. Defaults to "strict".
                     - "CEDARLING_LOCK" (str, optional): Lock mechanism status. Defaults to "disabled".
                     - "CEDARLING_LOCK_MASTER_CONFIGURATION_URI" (str, optional): Master configuration URI for locks. Defaults to None.
@@ -147,30 +138,18 @@ class Cedarling:
 
 @final
 class Request:
-    tokens: Tokens
+    tokens: Dict[str, str]
     action: str
     resource: ResourceData
     context: Dict[str, Any]
 
     def __init__(self,
-                 tokens: Tokens,
+                 tokens: Dict[str, Any],
                  action: str,
                  resource: ResourceData,
                  context: Dict[str, Any]) -> None: ...
 
 
-@final
-class Tokens:
-    access_token: str | None
-    id_token: str | None
-    userinfo_token: str | None
-
-    def __init__(self,
-                 access_token: str | None,
-                 id_token: str | None,
-                 userinfo_token: str | None) -> None: ...
-
-
 @final
 class ResourceData:
     resource_type: str

jans-cedarling/bindings/cedarling_python/example.py

@@ -3,7 +3,7 @@
 #
 # Copyright (c) 2024, Gluu, Inc.
 
-from cedarling_python import BootstrapConfig, Tokens
+from cedarling_python import BootstrapConfig
 from cedarling_python import Cedarling
 from cedarling_python import ResourceData, Request
 import time
@@ -205,7 +205,11 @@ def load_yaml_to_env(yaml_path):
 action = 'Jans::Action::"Read"'
 
 request = Request(
-    tokens=Tokens(access_token, id_token, userinfo_token),
+    tokens={
+        "access_token": access_token,
+        "id_token": id_token,
+        "userinfo_token": userinfo_token,
+    },
     action=action,
     resource=resource, context=context)