authorAlexander Trauzzi <atrauzzi@gmail.com>2020-03-24 12:28:07 -0500
committerGitHub <noreply@github.com>2020-03-24 17:28:07 +0000
commit1890168af11fec4dff6126991d29a4eedb793ca9 (patch)
treee380c900c08169c0602671c8a7518e3fe11dcd6b
parent5c52904c2d12e9b75450ed82aebfefc1b6100884 (diff)
downloadcouchdb-1890168af11fec4dff6126991d29a4eedb793ca9.tar.gz
Add support for roles to be obtained from JWTs. (#2694)
Add support for roles to be obtained from JWTs
-rw-r--r--src/couch/src/couch_httpd_auth.erl3
-rw-r--r--test/elixir/test/jwtauth_test.exs3
2 files changed, 4 insertions, 2 deletions
diff --git a/src/couch/src/couch_httpd_auth.erl b/src/couch/src/couch_httpd_auth.erl
index f5387d18f..4ad205255 100644
--- a/src/couch/src/couch_httpd_auth.erl
+++ b/src/couch/src/couch_httpd_auth.erl
@@ -198,7 +198,8 @@ jwt_authentication_handler(Req) ->
case lists:keyfind(<<"sub">>, 1, Claims) of
false -> throw({unauthorized, <<"Token missing sub claim.">>});
{_, User} -> Req#httpd{user_ctx=#user_ctx{
- name=User
+ name = User,
+ roles = couch_util:get_value(<<"roles">>, Claims, [])
}}
end;
{error, Reason} ->
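Review bot: The `roles` claim is copied into `#user_ctx.roles` verbatim on the added line, with no check that it is a list of binaries. A token whose `roles` is a string, number or object would put that value into the user context, and role checks elsewhere (outside this hunk) presumably assume a list. Bind it first inside the `{_, User}` clause and reject anything else, e.g. `Roles = couch_util:get_value(<<"roles">>, Claims, [])` followed by `is_list(Roles) andalso lists:all(fun erlang:is_binary/1, Roles) orelse throw({unauthorized, <<"Malformed roles claim.">>})`. Since the token now decides authorization and not only identity, a comment should also state that every role name in the claim, reserved ones included, is accepted as issued. `jwt_authentication_handler/1` starts and ends outside the hunk.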
diff --git a/test/elixir/test/jwtauth_test.exs b/test/elixir/test/jwtauth_test.exs
index 3f26e1eaf..dc3d27df4 100644
--- a/test/elixir/test/jwtauth_test.exs
+++ b/test/elixir/test/jwtauth_test.exs
@@ -103,13 +103,14 @@ defmodule JwtAuthTest do
end
def test_fun(alg, key) do
- {:ok, token} = :jwtf.encode({[{"alg", alg}, {"typ", "JWT"}]}, {[{"sub", "couch@apache.org"}]}, key)
+ {:ok, token} = :jwtf.encode({[{"alg", alg}, {"typ", "JWT"}]}, {[{"sub", "couch@apache.org"}, {"roles", ["testing"]}]}, key)
resp = Couch.get("/_session",
headers: [authorization: "Bearer #{token}"]
)
assert resp.body["userCtx"]["name"] == "couch@apache.org"
+ assert resp.body["userCtx"]["roles"] == ["testing"]
assert resp.body["info"]["authenticated"] == "jwt"
end
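Review bot: Only the roles-present path is asserted in `test_fun/2`; since the helper now always sends `{"roles", ["testing"]}`, the `[]` default for a token without the claim is not exercised (the callers are outside the hunk, so this is inferred). Add a case that encodes only `{"sub", "couch@apache.org"}` and asserts `resp.body["userCtx"]["roles"] == []`. A second case with a non-list `roles` value would pin whatever response the handler is meant to give for a malformed claim.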