fix: allow aud claim to be a string or a sequence of strings

Author: dsferruzza

Cargo.toml

@@ -25,4 +25,5 @@ uuid = { version = "0.8.2", features = ["serde"] }
 [dev-dependencies]
 actix-rt = "1.1.1"
 env_logger = "0.8.2"
+serde_json = "1.0.61"
 uuid = { version = "0.8.2", features = ["serde", "v4"] }

src/lib.rs

@@ -194,7 +194,10 @@ pub struct Claims {
     /// Issuer
     pub iss: String,
     /// Audience
-    pub aud: Option<String>,
+    ///
+    /// _This can be extracted from either a JSON string or a JSON sequence of strings._
+    #[serde(default, deserialize_with = "deserialize_optional_string_or_strings")]
+    pub aud: Option<Vec<String>>,
     /// Issuance date
     #[serde(with = "ts_seconds")]
     pub iat: DateTime<Utc>,
@@ -204,6 +207,24 @@ pub struct Claims {
     pub azp: String,
 }
 
+fn deserialize_optional_string_or_strings<'de, D>(de: D) -> Result<Option<Vec<String>>, D::Error>
+where
+    D: ::serde::Deserializer<'de>,
+{
+    #[derive(Deserialize)]
+    #[serde(untagged)]
+    enum StringOrVec {
+        String(String),
+        Vec(Vec<String>),
+    }
+
+    Option::<StringOrVec>::deserialize(de).map(|string_or_vec| match string_or_vec {
+        Some(StringOrVec::String(string)) => Some(vec![string]),
+        Some(StringOrVec::Vec(vec)) => Some(vec),
+        None => None,
+    })
+}
+
 impl Default for Claims {
     fn default() -> Self {
         use chrono::Duration;
@@ -215,7 +236,7 @@ impl Default for Claims {
             realm_access: None,
             resource_access: None,
             iss: env!("CARGO_PKG_NAME").to_owned(),
-            aud: Some("account".to_owned()),
+            aud: Some(vec!["account".to_owned()]),
             iat: Utc::now(),
             jti: Uuid::from_u128_le(22685491128062564230891640495451214097),
             azp: "".to_owned(),
@@ -392,3 +413,81 @@ where
         }
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use serde_json::{from_value, json};
+
+    #[derive(Debug, Clone, PartialEq, Eq, Deserialize, Serialize)]
+    struct StringOrVec {
+        field: u8,
+        #[serde(default, deserialize_with = "deserialize_optional_string_or_strings")]
+        string_or_vec: Option<Vec<String>>,
+    }
+
+    #[test]
+    fn deserialize_string_or_vec_when_vec() {
+        let input = json!({
+            "field": 1,
+            "string_or_vec": ["1", "2"],
+        });
+        let output = from_value::<StringOrVec>(input);
+        assert_eq!(
+            output.ok(),
+            Some(StringOrVec {
+                field: 1,
+                string_or_vec: Some(vec!["1".to_owned(), "2".to_owned()]),
+            })
+        )
+    }
+
+    #[test]
+    fn deserialize_string_or_vec_when_string() {
+        let input = json!({
+            "field": 1,
+            "string_or_vec": "1",
+        });
+        let output = from_value::<StringOrVec>(input);
+        assert_eq!(
+            output.ok(),
+            Some(StringOrVec {
+                field: 1,
+                string_or_vec: Some(vec!["1".to_owned()]),
+            })
+        )
+    }
+
+    #[test]
+    fn deserialize_string_or_vec_when_none() {
+        let input = json!({
+            "field": 1,
+        });
+        let output = from_value::<StringOrVec>(input);
+        dbg!(&output);
+        assert_eq!(
+            output.ok(),
+            Some(StringOrVec {
+                field: 1,
+                string_or_vec: None,
+            })
+        )
+    }
+
+    #[test]
+    fn deserialize_string_or_vec_when_null() {
+        let input = json!({
+            "field": 1,
+            "string_or_vec": null,
+        });
+        let output = from_value::<StringOrVec>(input);
+        dbg!(&output);
+        assert_eq!(
+            output.ok(),
+            Some(StringOrVec {
+                field: 1,
+                string_or_vec: None,
+            })
+        )
+    }
+}

tests/middleware.rs

@@ -8,6 +8,7 @@ use actix_web::web::{Bytes, ReqData};
 use actix_web::{test, web, App, HttpResponse, Responder};
 use actix_web_middleware_keycloak_auth::{Access, Claims, KeycloakAuth, Role};
 use jsonwebtoken::{encode, Algorithm, DecodingKey, EncodingKey, Header};
+use serde_json::json;
 use std::collections::HashMap;
 use std::iter::FromIterator;
 use uuid::Uuid;
@@ -424,3 +425,62 @@ async fn valid_jwt_roles() {
     let body = test::read_body(resp).await;
     assert_eq!(body, Bytes::from(user_id.to_string()));
 }
+
+#[actix_rt::test]
+async fn from_raw_claims_single_aud_as_string() {
+    init_logger();
+
+    let keycloak_auth = KeycloakAuth {
+        detailed_responses: true,
+        keycloak_oid_public_key: DecodingKey::from_rsa_pem(KEYCLOAK_PK.as_bytes()).unwrap(),
+        required_roles: vec![Role::Client {
+            client: "client1".to_owned(),
+            role: "test1".to_owned(),
+        }],
+    };
+    let mut app = test::init_service(
+        App::new()
+            .service(
+                web::scope("/private")
+                    .wrap(keycloak_auth)
+                    .route("", web::get().to(private)),
+            )
+            .service(web::resource("/").to(hello_world)),
+    )
+    .await;
+
+    let user_id = Uuid::new_v4();
+    let default = Claims::default();
+    let claims = json!({
+        "sub": user_id,
+        "resource_access": {
+            "client1": {
+                "roles": ["test1"],
+            },
+            "client2": {
+                "roles": ["test2"],
+            },
+        },
+        // Defaults
+        "exp": default.exp.timestamp(),
+        "iss": default.iss,
+        "aud": "some-aud",
+        "iat": default.iat.timestamp(),
+        "jti": default.jti,
+        "azp": default.azp,
+    });
+    let jwt = encode(
+        &Header::new(Algorithm::RS256),
+        &claims,
+        &EncodingKey::from_rsa_pem(KEYCLOAK_KEY.as_bytes()).unwrap(),
+    )
+    .unwrap();
+    let req = test::TestRequest::with_uri("/private")
+        .header("Authorization", format!("Bearer {}", &jwt))
+        .to_request();
+    let resp = test::call_service(&mut app, req).await;
+
+    assert!(resp.status().is_success());
+    let body = test::read_body(resp).await;
+    assert_eq!(body, Bytes::from(user_id.to_string()));
+}