Best way to assert one of multiple claims?

jm2 · November 17, 2021, 8:01pm

Update: Reading through the library, it looks like the ‘includes’ operator is the only one included currently. As for the solution to this, the only thing I can think of would be to fork the repo and add a new operator such as ‘any’ than have it not throw if any value matches. I’ll likely do this and open a PR in hopes of merging it, but if anyone knows of another way that would be great.

Hi for an app I’m working on there are three levels of of authorization given to users. The read, write and review. For the read authorization, I’d like to have a user be authorized if they have any access, whether it be read only or all three, or just read and write.

What would be the best way to do this? Currently I see I can assert a claim where it checks all three are present doing something like:

const verifier = new OktaJwtVerifier({
  issuer: ISSUER,
  clientId: CLIENT_ID,
  assertClaims: {
    'groups.includes': ['read', 'write', 'review']
  }
});

But I want to allow authorization if any of those groups are attached to the user. The only way I could think of doing this was having 3 Verifiers created and when one fails, use the next. This leads to a large impact on response time for requests though.

const readVerifier = new OktaJwtVerifier({
    issuer: process.env.OKTA_ISSUER,
    assertClaims: {
    'groups.includes': 'read',
    }
});

const writeVerifier = new OktaJwtVerifier({
    issuer: process.env.OKTA_ISSUER,
    assertClaims: {
    'groups.includes': 'write'
    }
});

const reviewerVerifier = new OktaJwtVerifier({
    issuer: process.env.OKTA_ISSUER,
    assertClaims: {
    'groups.includes': 'review'
    }
});

return readVerifier.verifyAccessToken(accessToken, expectedAudience)
    .then((jwt) => {
    req.jwt = jwt;
    next();
    })
    .catch((err) => {

    writeVerifier.verifyAccessToken(accessToken, expectedAudience)
    .then((jwt) => {
    req.jwt = jwt;
    next();
    })
    .catch((err) => {

        reviewerVerifier.verifyAccessToken(accessToken, expectedAudience)
        .then((jwt) => {
        req.jwt = jwt;
        next();
        })
        .catch((err) => {
            res.status(401).send('Invalid Access!');
        })
    })
}

Is there a more performant way to achieve the above?