doc: add example for authorization checks based on introspection resp…

…onse
smartive · Aug 26, 2024 · 664fc32 · 664fc32
1 parent c16b470
commit 664fc32
Showing 1 changed file with 28 additions and 0 deletions.
diff --git a/src/oidc/introspection/mod.rs b/src/oidc/introspection/mod.rs
@@ -36,6 +36,34 @@ custom_error! {
 ///   `resource_owner_` are set.
 /// - When scope contains `urn:zitadel:iam:user:metadata`, the metadata hashmap will be
 ///   filled with the user metadata.
+///
+/// It can be used as a basis for further customized authorization checks, for example:
+/// ```
+/// use zitadel::axum::introspection::IntrospectedUser;
+/// use zitadel::oidc::introspection::ZitadelIntrospectionExtraTokenFields;
+///
+/// enum Role {
+///   Admin,
+///   Client
+/// }
+///
+/// trait MyAuthorizationChecks {
+///     fn has_role(&self, role: Role, org_id: &str) -> bool;
+/// }
+///
+/// impl MyAuthorizationChecks for ZitadelIntrospectionExtraTokenFields {
+///     fn has_role(&self, role: Role, org_id: &str) -> bool {
+///         let role = match role {
+///             Role::Admin => "Admin",
+///             Role::Client => "Client",
+///         };
+///         self.project_roles.as_ref()
+///             .and_then(|roles| roles.get(role))
+///             .map(|org_ids| org_ids.contains_key(org_id))
+///             .unwrap_or(false)
+///     }
+/// }
+/// ```
 #[derive(Clone, Debug, Serialize, Deserialize, Default)]
 pub struct ZitadelIntrospectionExtraTokenFields {
     pub name: Option<String>,