validate non-oauth JWT

[hmoffatt]

I'm trying to verify the user identity when using Cloudflare Zero Trust. Cloudflare is sending the identity in a JWT in a Cf-Access-Jwt-Assertion header, as documented here: https://developers.cloudflare.com/cloudflare-one/identity/authorization-cookie/validating-json/

Although this module is named around oauth2, it seems like I can use it to validate any JWT passed in. I configured it as follows and it seems to be validating the CF JWT as expected:

AuthType oauth2
OAuth2TokenVerify jwks_uri https://mycompany.cloudflareaccess.com/cdn-cgi/access/certs
OAuth2AcceptTokenIn header name=Cf-Access-Jwt-Assertion&type=
OAuth2TargetPass remote_user_claim=email

Firstly, is this a supported use?

Secondly, is there a way to set the expected ISS and AUD values when using jwks_uri so that I can verify those claims?

Many thanks.

[zandbelt]

this is a support use case, however there's no way to extend the jwks_uri validation with iss and aud; iss validation applies only when using OAuth 2.0 compliant OAuth2TokenVerify metadata

one could configure Require oauth2_claim aud:<value etc.

[hmoffatt]

Great, thanks. Does this work with aud being a list?

[zandbelt]

yes, one should be able to match string values in a JSON array

[hmoffatt]

Yes it works, thanks. I used require valid-user and require outh2_claim aud:... inside <RequireAll>.