Uploaded image for project: 'Couchbase Gateway'
  1. Couchbase Gateway
  2. CBG-2064

Allow mapping OIDC claims to user roles/channels

    XMLWordPrintable

Details

    • Improvement
    • Resolution: Fixed
    • Major
    • 3.1.0
    • None
    • SyncGateway
    • Security Level: Public
    • None
    • CBG Sprint 98, CBG Sprint 99
    • 8

    Description

      Sync Gateway already has the username_claim config option for OIDC to allow mapping a claim other than sub to use as the username.

      Add two new options, channels_claim and roles_claim to perform a similar mapping for channels and roles respectively. These claims must be either string or []string.

      These should be in addition to any roles/channels granted through admin_channels and/or admin_roles. They should be cached on the user document so that we don't need to perform OIDC authorization on each request. (An open question is how to handle these when a user first signs in through OIDC, then through basic auth - should the OIDC channels/roles be revoked?).

      Attachments

        Issue Links

          Activity

            People

              marks.polakovs Marks Polakovs (Inactive)
              marks.polakovs Marks Polakovs (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                PagerDuty