support token_user_id_claim option

Author: FZambia

go.sum

@@ -82,8 +82,6 @@ github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsI
 github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
 github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a h1:bbPeKD0xmW/Y25WS6cokEszi5g+S0QxI/d45PkRi7Nk=
 github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
-github.com/jackc/pgx/v5 v5.5.3 h1:Ces6/M3wbDXYpM8JyyPD57ivTtJACFZJd885pdIaV2s=
-github.com/jackc/pgx/v5 v5.5.3/go.mod h1:ez9gk+OAat140fv9ErkZDYFWmXLfV+++K0uAOiwgm1A=
 github.com/jackc/pgx/v5 v5.5.4 h1:Xp2aQS8uXButQdnCMWNmvx6UysWQQC+u1EoizjguY+8=
 github.com/jackc/pgx/v5 v5.5.4/go.mod h1:ez9gk+OAat140fv9ErkZDYFWmXLfV+++K0uAOiwgm1A=
 github.com/jackc/puddle/v2 v2.2.1 h1:RhxXJtFG022u4ibrCSMSiu5aOq1i77R3OHKNJj77OAk=
@@ -228,8 +226,6 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200323165209-0ec3e9974c59/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.20.0 h1:jmAMJJZXr5KiCw05dfYK9QnqaqKLYXijU23lsEdcQqg=
-golang.org/x/crypto v0.20.0/go.mod h1:Xwo95rrVNIoSMx9wa1JroENMToLWn3RNVrTBpLHgZPQ=
 golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=
 golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
 golang.org/x/exp v0.0.0-20230905200255-921286631fa9 h1:GoHiUyI/Tp2nVkLI2mCxVkOjsbSXD66ic0XW0js0R9g=
@@ -262,8 +258,6 @@ golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.17.0 h1:25cE3gD+tdBA7lp7QfhuV+rJiE9YXTcS3VG1SqssI/Y=
-golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
 golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -287,8 +281,6 @@ google.golang.org/genproto/googleapis/api v0.0.0-20240123012728-ef4313101c80 h1:
 google.golang.org/genproto/googleapis/api v0.0.0-20240123012728-ef4313101c80/go.mod h1:4jWUdICTdgc3Ibxmr8nAJiiLHwQBY0UI0XZcEMaFKaA=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240123012728-ef4313101c80 h1:AjyfHzEPEFp/NpvfN5g+KDla3EMojjhRVZc1i7cj+oM=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240123012728-ef4313101c80/go.mod h1:PAREbraiVEVGVdTZsVWjSbbTtSyGbAgIIvni8a8CD5s=
-google.golang.org/grpc v1.62.0 h1:HQKZ/fa1bXkX1oFOvSjmZEUL8wLSaZTjCcLAlmZRtdk=
-google.golang.org/grpc v1.62.0/go.mod h1:IWTG0VlJLCh1SkC58F7np9ka9mx/WNkjl4PGJaiq+QE=
 google.golang.org/grpc v1.62.1 h1:B4n+nfKzOICUXMgyrNd19h/I9oH0L1pizfk1d4zSgTk=
 google.golang.org/grpc v1.62.1/go.mod h1:IWTG0VlJLCh1SkC58F7np9ka9mx/WNkjl4PGJaiq+QE=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=

internal/cli/token.go

@@ -21,9 +21,15 @@ func GenerateToken(config jwtverify.VerifierConfig, user string, ttlSeconds int6
 		return "", fmt.Errorf("error creating HMAC signer: %w", err)
 	}
 	builder := jwt.NewBuilder(signer)
-	claims := jwt.RegisteredClaims{
-		Subject:  user,
-		IssuedAt: jwt.NewNumericDate(time.Now()),
+	claims := jwtverify.ConnectTokenClaims{
+		RegisteredClaims: jwt.RegisteredClaims{
+			IssuedAt: jwt.NewNumericDate(time.Now()),
+		},
+	}
+	if config.UserIDClaim != "" {
+		claims.UserID = user
+	} else {
+		claims.Subject = user
 	}
 	if ttlSeconds > 0 {
 		claims.ExpiresAt = jwt.NewNumericDate(time.Now().Add(time.Duration(ttlSeconds) * time.Second))
@@ -45,19 +51,21 @@ func GenerateSubToken(config jwtverify.VerifierConfig, user string, channel stri
 		return "", fmt.Errorf("error creating HMAC signer: %w", err)
 	}
 	builder := jwt.NewBuilder(signer)
-	claims := jwt.RegisteredClaims{
-		Subject:  user,
-		IssuedAt: jwt.NewNumericDate(time.Now()),
+	claims := jwtverify.SubscribeTokenClaims{
+		RegisteredClaims: jwt.RegisteredClaims{
+			IssuedAt: jwt.NewNumericDate(time.Now()),
+		},
+		Channel: channel,
+	}
+	if config.UserIDClaim != "" {
+		claims.UserID = user
+	} else {
+		claims.Subject = user
 	}
 	if ttlSeconds > 0 {
 		claims.ExpiresAt = jwt.NewNumericDate(time.Now().Add(time.Duration(ttlSeconds) * time.Second))
 	}
-	token, err := builder.Build(
-		jwtverify.SubscribeTokenClaims{
-			RegisteredClaims: claims,
-			Channel:          channel,
-		},
-	)
+	token, err := builder.Build(claims)
 	if err != nil {
 		return "", err
 	}

internal/jwtverify/token_verifier_jwt.go

@@ -23,6 +23,8 @@ import (
 	"github.com/rs/zerolog/log"
 )
 
+const alternativeUserIDClaim = "user_id"
+
 type VerifierConfig struct {
 	// HMACSecretKey is a secret key used to validate connection and subscription
 	// tokens generated using HMAC. Zero value means that HMAC tokens won't be allowed.
@@ -56,6 +58,11 @@ type VerifierConfig struct {
 	// IssuerRegex allows setting Issuer in form of Go language regex pattern. Regex groups
 	// may be then used in constructing JWKSPublicEndpoint.
 	IssuerRegex string
+
+	// UserIDClaim allows overriding default claim used to extract user ID from token. At this
+	// moment only "user_id" alternative claim is supported due to how tokens are parsed.
+	// By default, Centrifugo uses "sub".
+	UserIDClaim string
 }
 
 func (c VerifierConfig) Validate() error {
@@ -94,6 +101,7 @@ func NewTokenVerifierJWT(config VerifierConfig, ruleContainer *rule.Container) (
 		issuerRe:      issuerRe,
 		audience:      config.Audience,
 		audienceRe:    audienceRe,
+		userIDClaim:   config.UserIDClaim,
 	}
 
 	algorithms, err := newAlgorithms(config.HMACSecretKey, config.RSAPublicKey, config.ECDSAPublicKey)
@@ -122,6 +130,7 @@ type VerifierJWT struct {
 	audienceRe    *regexp.Regexp
 	issuer        string
 	issuerRe      *regexp.Regexp
+	userIDClaim   string
 }
 
 var (
@@ -180,6 +189,8 @@ type ConnectTokenClaims struct {
 	Channels   []string                    `json:"channels,omitempty"`
 	Subs       map[string]SubscribeOptions `json:"subs,omitempty"`
 	Meta       json.RawMessage             `json:"meta,omitempty"`
+	// UserID is only used instead of jwt.RegisteredClaims.Subject when explicitly configured.
+	UserID string `json:"user_id,omitempty"`
 	// Channel must never be set in connection tokens. We check this on verifying.
 	Channel string `json:"channel,omitempty"`
 	jwt.RegisteredClaims
@@ -191,6 +202,8 @@ type SubscribeTokenClaims struct {
 	Channel  string `json:"channel,omitempty"`
 	Client   string `json:"client,omitempty"`
 	ExpireAt *int64 `json:"expire_at,omitempty"`
+	// UserID is only used instead of jwt.RegisteredClaims.Subject when explicitly configured.
+	UserID string `json:"user_id,omitempty"`
 }
 
 type jwksManager struct{ *jwks.Manager }
@@ -579,13 +592,16 @@ func (verifier *VerifierJWT) VerifyConnectToken(t string, skipVerify bool) (Conn
 	}
 
 	ct := ConnectToken{
-		UserID:   claims.RegisteredClaims.Subject,
 		Info:     info,
 		Subs:     subs,
 		ExpireAt: expireAt,
 		Meta:     claims.Meta,
 	}
-
+	if verifier.userIDClaim != "" {
+		ct.UserID = claims.UserID
+	} else {
+		ct.UserID = claims.RegisteredClaims.Subject
+	}
 	return ct, nil
 }
 
@@ -736,6 +752,11 @@ func (verifier *VerifierJWT) VerifySubscribeToken(t string, skipVerify bool) (Su
 			Data:              data,
 		},
 	}
+	if verifier.userIDClaim != "" {
+		st.UserID = claims.UserID
+	} else {
+		st.UserID = claims.RegisteredClaims.Subject
+	}
 	return st, nil
 }
 
@@ -766,11 +787,11 @@ func (verifier *VerifierJWT) Reload(config VerifierConfig) error {
 			return fmt.Errorf("error compiling issuer regex: %w", err)
 		}
 	}
-
 	verifier.algorithms = alg
 	verifier.audience = config.Audience
 	verifier.audienceRe = audienceRe
 	verifier.issuer = config.Issuer
 	verifier.issuerRe = issuerRe
+	verifier.userIDClaim = config.UserIDClaim
 	return nil
 }