Couchbase Gateway / CBG-905

Support using custom OIDC claim as Sync Gateway username


Details

    • Improvement
    • Resolution: Fixed
    • Major
    • 2.8.0
    • None
    • SyncGateway
    • Security Level: Public
    • None
    • CBG Sprint 52
    • 8

    Description

      When authenticating incoming OIDC tokens, Sync Gateway currently treats the username as [user_prefix]_[subject].  By default user_prefix is the issuer, but can be customized in the Sync Gateway provider config.  Subject is always the sub claim in the token.

      In some OIDC implementations, users would like to specify a claim other than subject to use as the Sync Gateway username.  To support this, we add a new 'username_claim' config property to Sync Gateway's provider config, with the following behaviour:

      1. If username_claim is set but user_prefix is not set, use that claim as the Sync Gateway username.
      2. If username_claim is set and user_prefix is also set, use [user_prefix]_[username_claim] as the Sync Gateway username.
      3. If username_claim is not set and user_prefix is set, use [user_prefix]_[subject] as the Sync Gateway username (existing behaviour).
      4. If neither username_claim nor user_prefix is set, use [issuer]_[subject] as the Sync Gateway username (existing behaviour).
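
The four rules above as a Go sketch. This is an added example, not Sync Gateway's own code: `ProviderConfig`, `ResolveUsername` and `ErrNoUsableClaim` are hypothetical names, and the claims are constructed samples. The ticket does not say what happens when the configured claim is absent or not a string, so rejecting the token in that case is an assumption.

```go
package main

import (
	"errors"
	"fmt"
)

// ProviderConfig holds the settings named in the ticket ("" = not set); names are hypothetical.
type ProviderConfig struct {
	Issuer, UserPrefix, UsernameClaim string
}

var ErrNoUsableClaim = errors.New("username claim missing, empty, or not a string")

// ResolveUsername applies the four rules to the claims of an already-verified token.
func ResolveUsername(cfg ProviderConfig, claims map[string]interface{}) (string, error) {
	claimName := "sub" // rules 3 and 4 use the subject
	if cfg.UsernameClaim != "" {
		claimName = cfg.UsernameClaim // rules 1 and 2
	}
	value, ok := claims[claimName].(string)
	if !ok || value == "" {
		// Assumption: fail closed instead of silently falling back to sub.
		return "", fmt.Errorf("%w: %q", ErrNoUsableClaim, claimName)
	}
	switch {
	case cfg.UserPrefix != "":
		return cfg.UserPrefix + "_" + value, nil // rules 2 and 3
	case cfg.UsernameClaim != "":
		return value, nil // rule 1: bare claim value, no prefix
	default:
		return cfg.Issuer + "_" + value, nil // rule 4: issuer used as written in the ticket
	}
}

func main() {
	// Constructed sample claims, not taken from a real token.
	claims := map[string]interface{}{"sub": "8f3a", "email": "alice@example.com", "uid": 1001}
	iss := "https://idp.example.com"
	for _, cfg := range []ProviderConfig{
		{Issuer: iss, UsernameClaim: "email"},
		{Issuer: iss, UsernameClaim: "email", UserPrefix: "corp"},
		{Issuer: iss, UserPrefix: "corp"},
		{Issuer: iss},
		{Issuer: iss, UsernameClaim: "uid"}, // numeric claim: rejected
	} {
		name, err := ResolveUsername(cfg, claims)
		fmt.Printf("%+v -> %q, err=%v\n", cfg, name, err)
	}
}
```

Rule 1 yields a username with no provider prefix, so two providers configured that way resolve the same claim value to the same Sync Gateway username.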

            People

              sarath.kumarsivan Sarath Kumar Sivan (Inactive)
              adamf Adam Fraser