vouch / vouch-proxy

an SSO and OAuth / OIDC login solution for Nginx using the auth_request module


Select first value in multi-valued claim

mrvanes opened this issue · comments

commented

Our IdP sends uid claim as a multi-valued claim containing only one single value:

"uid": [
  "foobar"
]

Multi-valued claims are mapped to comma-separated quoted strings, so the resulting header value is "foobar" (including the quotes).
This is correct from the multi-value perspective, but sending this claim upstream through a reverse proxy causes a mismatch on the uid.
I would like to have a way to select the 1st value of a multi-valued claim, so that it is returned without quotes.

Something like this syntax would suffice:
auth_request_set $uid $upstream_http_x_vouch_idp_claims_uid_0;

Work-around: I currently solved this using an NGINX map and using $xuid in the upstream headers

map $uid $xuid {
        ~^\"(.+)\" $1;
        default '';
}

@mrvanes I think your use of NGINX in this case to clean data is the right one. VP having consistent behavior seems appropriate. Some folks have spaces in their data, hence the quotes.

commented

Thanks, but that answers only part of my question. The suggestion was to add a selector by post-fixing the claim name with e.g. _0 or :0 to select the unquoted first value. It would make life much easier for everyone.

@mrvanes my apologies to you for not clearly saying NO I'd prefer not to do this. If your claim is returned as a list or even just as a string, expect it to be quoted as it traverses http headers. There are other issues here which clarify the standards including http headers and json and my reasoning. This is asked and answered. My apologies for not taking the time to reference those issues directly at this time.
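An added example, not part of the thread or of vouch-proxy: Python's `re` emulates the map workaround from the first post on constructed header values, next to a stricter pattern that accepts exactly one quoted value. The stricter pattern, the helper names and the sample values are assumptions made for illustration.

```python
import re

# Pattern from the workaround map in the first post (~^\"(.+)\"):
# greedy capture, not anchored at the end of the header value.
WORKAROUND = re.compile(r'^"(.+)"')

# Stricter variant (an assumption, not from the thread): exactly one quoted
# value with no embedded quote or comma, anchored at both ends. Written in the
# map's own escaping style it would read: ~^\"([^\",]+)\"$ $1;
STRICT = re.compile(r'^"([^",]+)"$')


def map_value(pattern, header):
    """Emulate `map $uid $xuid { ~<pattern> $1; default ''; }`."""
    m = pattern.search(header)
    return m.group(1) if m else ""


# Constructed header values, as the claims header could arrive in $uid.
SAMPLES = {
    "single": '"foobar"',             # the case from the issue
    "spaces": '"foo bar"',            # quoting exists because of values like this
    "two_values": '"foobar","second"',  # IdP starts sending a second value
    "trailing": '"foobar"x',          # anything after the closing quote
    "unquoted": "foobar",             # header not in the quoted form at all
}


def compare():
    """Return {sample: (workaround result, strict result)}."""
    return {
        name: (map_value(WORKAROUND, value), map_value(STRICT, value))
        for name, value in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (loose, strict) in compare().items():
        print(f"{name:11} workaround={loose!r:20} strict={strict!r}")
```

With the workaround pattern a second value produces a uid that contains quote and comma characters, while the stricter pattern falls through to the empty default, which the upstream can treat as "no identity".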