Consider multiple token audiences in documentation (#758)
Co-authored-by: Obinna Ekwuno <[email protected]>
gguillemas and Ekwuno authored Aug 20, 2024
1 parent c216a34 commit 2dbd59a
Showing 1 changed file with 6 additions and 2 deletions.
Expand Up @@ -244,14 +244,18 @@ The `AUTHENTICATE` clause allows you to define a custom expression that will be

#### Example: JWT User Authentication with Issuer and Audience Check

This example sets up additional token verification logic for a system user on a database using JSON Web Tokens (JWT) to authenticate. In this example, the HS512 algorithm is used to sign the token. The `AUTHENTICATE` block contains conditions to verify the token's validity: it checks that the issuer (`iss`) of the token is "surrealdb-test" and throws an error if it is not. Similarly, it checks that the audience (`aud`) of the token is "surrealdb-test" and throws an error if it is not. If both checks pass, the token is considered valid. The session duration is set to 2 hours.
This example sets up additional token verification logic for a system user on a database using JSON Web Tokens (JWT) to authenticate. In this example, the HS512 algorithm is used to sign the token. The `AUTHENTICATE` block contains conditions to verify the token's validity: it checks that the issuer (`iss`) of the token is "surrealdb-test" and throws an error if it is not. Similarly, it checks that the audience of the token (defined in the `aud` claim, which can be provided either as an array of strings or a single string) includes "surrealdb-test" and throws an error if it does not. If both checks pass, the token is considered valid. The session duration is set to 2 hours.

```surql
DEFINE ACCESS user ON DATABASE TYPE JWT
ALGORITHM HS512 KEY "sNSYneezcr8kqphfOC6NwwraUHJCVAt0XjsRSNmssBaBRh3WyMa9TRfq8ST7fsU2H2kGiOpU4GbAF1bCiXmM1b3JGgleBzz7rsrz6VvYEM4q3CLkcO8CMBIlhwhzWmy8"
AUTHENTICATE {
IF $token.iss != "surrealdb-test" { THROW "Invalid token issuer" };
IF $token.aud != "surrealdb-test" { THROW "Invalid token audience" };
IF type::is::array($token.aud) {
IF "surrealdb-test" NOT IN $token.aud { THROW "Invalid token audience" }
} ELSE {
IF $token.aud IS NOT "surrealdb-test" { THROW "Invalid token audience" }
};
}
DURATION FOR SESSION 2h;
```
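Review bot: the new audience branches are inconsistent in style with the unchanged issuer check directly above them. The issuer line keeps `IF $token.iss != "surrealdb-test" { THROW "Invalid token issuer" };` while the string branch switches to `IF $token.aud IS NOT "surrealdb-test" { ... }`, and both inner `IF` statements drop the trailing `;` that the outer statements carry. Suggest using one comparison operator for both claim checks and terminating the inner statements the same way as the outer ones, so readers copying the example do not have to guess which form is required. The logic itself looks right for the documented intent: the `type::is::array($token.aud)` branch accepts any `aud` array that includes `"surrealdb-test"`, matching the prose change from "is" to "includes", and a missing `aud` claim falls into the `ELSE` branch and is rejected because it is not the expected string.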
