Open
Description
The service doesn't need to verify a JWT, but in order to be compatible with Madoc's auth system it should have a mechanism to parse and do 2 things if possible:
- Sandbox based on issuer (madoc site id)
- Reject requests if scope does not exist - could be configurable (Madoc default: `site.admin` for reading and writing and `site.view` for reading)
The JWT parser included in Django should be enough, and then have the issuer (`iss`) and scope (`scope`) extracted and checked.
Additionally - since the search is sometimes called by an external service you may want to enforce sandboxing using an optional header. Will not detail, but if we run into issues we might need it. The header is not standardised and is a little too tied to madoc.
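One way to implement the issuer sandboxing and scope check described above, as an added example that is not the project's code (the scope policy table, `resolve_sandbox`, `AuthError` and the read/write method split are assumptions; it reads the claims without verifying the signature, as the issue says the service need not, so it relies on the upstream Madoc auth layer having already verified the token):

```python
import base64
import json

# Constructed defaults modelled on the issue text: site.admin may read and
# write, site.view may only read. A real deployment would load this from settings.
DEFAULT_SCOPE_POLICY = {
    "read": {"site.admin", "site.view"},
    "write": {"site.admin"},
}
READ_METHODS = {"GET", "HEAD", "OPTIONS"}


class AuthError(Exception):
    """Raised when the request must be rejected (hypothetical name)."""


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def parse_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. The signature is NOT checked."""
    parts = token.split(".")
    if len(parts) != 3:
        raise AuthError("malformed token")
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError) as exc:  # binascii.Error is a ValueError
        raise AuthError("undecodable payload") from exc
    if not isinstance(claims, dict):
        raise AuthError("payload is not a claims object")
    return claims


def resolve_sandbox(authorization_header: str, method: str, policy=DEFAULT_SCOPE_POLICY) -> str:
    """Return the sandbox key (the issuer, i.e. the Madoc site id) or raise AuthError."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise AuthError("missing bearer token")
    claims = parse_jwt_claims(token)
    issuer = claims.get("iss")
    if not isinstance(issuer, str) or not issuer:
        raise AuthError("missing issuer")
    # Accept scope as a space-separated string or as a list of strings.
    raw_scope = claims.get("scope", "")
    scopes = set(raw_scope.split()) if isinstance(raw_scope, str) else set(raw_scope)
    required = policy["read"] if method.upper() in READ_METHODS else policy["write"]
    if not scopes & required:
        raise AuthError("insufficient scope")
    return issuer


def make_demo_token(claims: dict) -> str:
    """Build an unverified demo token (placeholder signature); constructed for testing only."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.placeholder"
```

In a Django view or middleware, the returned issuer would key the search index or queryset filter so one site's requests never see another site's documents.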