Match a claim in an array of objects using Apache and the auth_openidc module

[dleborgne]

I use Apache HTTP Server 2.4.62 on Rocky Linux 9 with auth_openidc module 2.4.10. In the ID token, our OpenID Connect identity provider returns a memberOf claim that looks like :

{
  "name": "...",
  "memberOf": {
    "elements": [
      {
        "type": 2,
        "integer": 0,
        "object": {
          "string": "PRD_SUPERVISOR"
        },
        "name": null,
        "expanded": false
      },
      {
        "type": 2,
        "integer": 0,
        "object": {
          "string": "UAT_OPERATOR"
        },
        "name": null,
        "expanded": false
      }
    ],
    "length": 2
  },
  "sn": "..."
}

On the production environment, I would like to authorize the user only if he/she belongs to the PRD_SUPERVISOR, PRD_OPERATOR ou PRD_ADMINISTRATOR group.
I tried the following configuration directives :

Require claim memberOf.elements.object.string~(PRD_OPERATOR|PRD_SUPERVISOR|PRD_ADMINISTRATOR)

It fails with could not match require claim expression 'memberOf.elements.object.string~(PRD_OPERATOR|PRD_SUPERVISOR|PRD_ADMINISTRATOR)'. I guess this may be caused by elements being an array.

The Authorization page in the mod_auth_openidc Wiki provides an example of how to deal with arrays of strings, but I could find how to proceed with arrays of objects like elements.

[zandbelt]

this type of complex expressions is only possible when compiled with libjq support, see https://github.com/OpenIDC/mod_auth_openidc/wiki/Authorization#complex-expressions