Extend AuthX functionality to support validation of externally generated JWTs
Overview
We would like to extend AuthX's functionality so that it can validate JWTs generated/signed by third party systems. The motivation for this is that we use auth0 for authZ/authN with CiviCRM. We're building new applications that need to query Civi via its API as the user rather than as the client apps themselves.
Creating API keys for every user is not feasible. Accessing the AuthX-supported API endpoint and supplying a valid JWT for the user is what we're keen to implement.
Current behaviour
AuthX can validate JWTs that have been generated by the same CiviCRM installation.
Proposed behaviour
Implement code that dispatches a new Symfony event, allowing an extension to override how the AuthX framework validates the scope and sub claims (currently, for example, no claim can be validated unless it starts with cid).
This would make it possible to validate externally generated/signed JWTs.
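A sketch of what an extension listener for such an event could look like, added here as an illustration and not code from this issue, from AuthX or from the auth0 extension mentioned below; the event name, the getToken()/setPrincipal() accessors, the pinned public-key path and the custom field used to map the IdP subject to a contact are all hypothetical. The security-relevant part is what php-jwt does not do for you: pin the algorithm and check iss and aud yourself before trusting sub.

```php
<?php
// Added example, not part of the AuthX codebase or this issue.
// ASSUMPTIONS (hypothetical): event 'civi.authx.validateExternalJwt' carries the raw
// token via getToken() and accepts the resolved identity via setPrincipal().
use Firebase\JWT\JWT;
use Firebase\JWT\Key;

const IDP_ISSUER     = 'https://example-tenant.auth0.com/';  // constructed sample value
const IDP_AUDIENCE   = 'https://civicrm.example.org/api';     // constructed sample value
const IDP_PUBKEY_PEM = '/etc/civicrm/idp-public-key.pem';    // placeholder path

Civi::dispatcher()->addListener('civi.authx.validateExternalJwt', function ($event) {
  $token = $event->getToken();  // hypothetical accessor
  try {
    // Pin the algorithm to RS256 with the IdP's public key; never let the token
    // header choose it (alg=none / HS256 key-confusion). php-jwt also checks
    // exp/nbf/iat and the signature here.
    $claims = JWT::decode($token, new Key(file_get_contents(IDP_PUBKEY_PEM), 'RS256'));
  } catch (\Throwable $e) {
    return;  // principal stays unset, so AuthX rejects the request
  }
  // php-jwt does NOT validate issuer or audience: a valid token minted by the
  // same IdP for a different application must still be refused.
  if (($claims->iss ?? null) !== IDP_ISSUER) {
    return;
  }
  $aud = (array) ($claims->aud ?? []);
  if (!in_array(IDP_AUDIENCE, $aud, true) || empty($claims->sub)) {
    return;
  }
  $contactId = lookupContactBySubject((string) $claims->sub);
  if ($contactId === null) {
    return;
  }
  $event->setPrincipal(['contactId' => $contactId]);  // hypothetical accessor
});

/**
 * Map the IdP subject to a CiviCRM contact through a stored identity link.
 * Hypothetical custom field 'external_identity.auth0_sub'; matching on a
 * user-editable email claim instead would let one user impersonate another.
 */
function lookupContactBySubject(string $sub): ?int {
  $rows = civicrm_api4('Contact', 'get', [
    'checkPermissions' => FALSE,
    'select' => ['id'],
    'where' => [['external_identity.auth0_sub', '=', $sub]],
    'limit' => 1,
  ]);
  foreach ($rows as $row) {
    return (int) $row['id'];
  }
  return NULL;
}
```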
Comments
Tim and I had a chat about this a while ago. That conversation proved the basis for writing up an implementation for this improvement. We'd love to see it reviewed, merged, etc. We'll raise a Pull Request accordingly and I'll update this Issue here with the link.
We've also written a CiviCRM extension that leverages this new functionality, to make it possible for people using auth0 as their IdP to use CiviCRM's API with user permissions.