extract claim from within object

[hmoffatt]

The Cloudflare access JWT (as discussed in #66) has custom claims inside a "custom" object, for example as below.

Is there a configuration syntax where I can

1. extract custom.preferred_username as the remote username (OAuth2TargetPass remote_user_claim=custom.preferred_username didn't seem to work)?
2. require roles from within custom.roles?

{
  "aud": [
    "..."
  ],
  "exp": 1728117214,
  "iat": 1728030814,
  "nbf": 1728030814,
  "iss": "...",
  "custom": {
    "preferred_username": "hamish",
    "roles": [
      "admin_user"
    ]
  },

[hmoffatt]

The "custom" claim is in the original JWT, but not in the token in the OAUTH2_CLAIM_access_token. Do I need to do something extra to enable this clam?

[zandbelt]

nested claims are not (yet) supported in the remote_user_claim configuration; the OAUTH2_CLAIM_access_token should be the exact token as it was received

[hmoffatt]

Sorry yes the tokens do match. Can I require oauth2_claim ... on a nested claim? What would be the syntax for that? Unfortunately I have no control over the format.

[hmoffatt]

To answer my own question, require oauth2_claim custom.roles:admin_user worked against the token I showed above.