Details
- Improvement
- Resolution: Fixed
- Major
- None
- Security Level: Public
- None
- CBG Sprint 98, CBG Sprint 99
- 8
Description
Sync Gateway already has the username_claim config option for OIDC, which allows a claim other than sub to be mapped to the username.
Add two new options, channels_claim and roles_claim, to perform a similar mapping for channels and roles respectively. The value of each of these claims must be either a string or a []string.
These grants should be in addition to any roles/channels granted through admin_channels and/or admin_roles. They should be cached on the user document so that we don't need to perform OIDC authorization on each request. (An open question is how to handle these when a user first signs in through OIDC and then through basic auth: should the OIDC-granted channels/roles be revoked?)
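As an added illustration (not Sync Gateway's own code), the Go below shows how the two claims described above could be read from a decoded token: a string or an array of strings is accepted, anything else is rejected instead of silently granting nothing, and the result is added to admin_channels / admin_roles rather than replacing them. The function names and the sample claims are assumptions made here.

```go
package main

import "fmt"

// claimStrings accepts a claim value given as a string or as a []string (a parsed JSON
// token carries arrays as []interface{}); any other type is an error, an absent claim grants nothing.
func claimStrings(name string, v interface{}) ([]string, error) {
	switch val := v.(type) {
	case nil:
		return nil, nil
	case string:
		return []string{val}, nil
	case []interface{}:
		out := make([]string, 0, len(val))
		for _, e := range val {
			s, ok := e.(string)
			if !ok {
				return nil, fmt.Errorf("claim %q: element %v is not a string", name, e)
			}
			out = append(out, s)
		}
		return out, nil
	default:
		return nil, fmt.Errorf("claim %q must be a string or []string, got %T", name, v)
	}
}

// union returns admin-granted names followed by claim-derived names, de-duplicated,
// so claim grants add to admin_channels / admin_roles instead of overriding them.
func union(admin, fromClaim []string) []string {
	seen, out := map[string]bool{}, []string{}
	for _, s := range append(append([]string{}, admin...), fromClaim...) {
		if !seen[s] {
			seen[s], out = true, append(out, s)
		}
	}
	return out
}

// GrantsFromClaims reads the configured channels_claim and roles_claim from a decoded
// token; the caller would cache the returned sets on the user document (hypothetical API).
func GrantsFromClaims(claims map[string]interface{}, channelsClaim, rolesClaim string, adminChannels, adminRoles []string) ([]string, []string, error) {
	ch, err := claimStrings(channelsClaim, claims[channelsClaim])
	if err != nil {
		return nil, nil, err
	}
	rl, err := claimStrings(rolesClaim, claims[rolesClaim])
	if err != nil {
		return nil, nil, err
	}
	return union(adminChannels, ch), union(adminRoles, rl), nil
}
```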
Issue Links
- blocks: CM-99 Recognize JWT claims within Sync Gateway for access grants (Done)