Details
- Improvement
- Resolution: Fixed
- Major
- None
- Security Level: Public
- None
- CBG Sprint 52
- 8
Description
When authenticating incoming OIDC tokens, Sync Gateway currently treats the username as [user_prefix]_[subject]. By default user_prefix is the issuer, but can be customized in the Sync Gateway provider config. Subject is always the sub claim in the token.
In some OIDC implementations, users would like to specify a claim other than subject to use as the Sync Gateway username. To support this, we add a new 'username_claim' config property to Sync Gateway's provider config, with the following behaviour:
- If username_claim is set but user_prefix is not set, use that claim as the Sync Gateway username.
- If username_claim is set and user_prefix is also set, use [user_prefix]_[username_claim] as the Sync Gateway username.
- If username_claim is not set and user_prefix is set, use [user_prefix]_[subject] as the Sync Gateway username (existing behaviour).
- If neither username_claim nor user_prefix is set, use [issuer]_[subject] as the Sync Gateway username (existing behaviour).
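The four rules above as one username-derivation function, written here as an added example rather than Sync Gateway's own code; the ProviderConfig field names and the Username helper are assumptions, and the claims map is assumed to come from a token whose signature, issuer and audience have already been verified.

```go
package main

import (
	"errors"
	"fmt"
)

// ProviderConfig is an assumed stand-in for the relevant part of a
// Sync Gateway OIDC provider config (not the project's own type).
type ProviderConfig struct {
	Issuer        string // issuer URL; default prefix when user_prefix is unset
	UserPrefix    string // user_prefix config property ("" = not set)
	UsernameClaim string // username_claim config property ("" = not set)
}

// Username applies the four rules from the ticket description to the
// verified claims of an incoming token. A missing or empty identity claim
// is rejected rather than producing a username like "issuer_".
func Username(cfg ProviderConfig, claims map[string]interface{}) (string, error) {
	claimName := "sub" // rules 3 and 4: subject is always the sub claim
	if cfg.UsernameClaim != "" {
		claimName = cfg.UsernameClaim // rules 1 and 2: use the configured claim
	}
	identity, ok := claims[claimName].(string)
	if !ok || identity == "" {
		return "", fmt.Errorf("token has no usable %q claim", claimName)
	}
	if cfg.Issuer == "" && cfg.UserPrefix == "" {
		return "", errors.New("provider config has neither issuer nor user_prefix")
	}
	switch {
	case cfg.UsernameClaim != "" && cfg.UserPrefix == "":
		// Rule 1: bare claim value. Note that without a prefix, users from
		// different providers share one namespace, so the claim should be
		// unique and stable for the user, as sub is.
		return identity, nil
	case cfg.UserPrefix != "":
		// Rules 2 and 3: [user_prefix]_[claim]
		return cfg.UserPrefix + "_" + identity, nil
	default:
		// Rule 4: [issuer]_[subject]
		return cfg.Issuer + "_" + identity, nil
	}
}

func main() {
	// Constructed sample claims, not a real token.
	claims := map[string]interface{}{"sub": "abc123", "email": "alice@example.com"}
	u, err := Username(ProviderConfig{Issuer: "https://idp.example", UsernameClaim: "email"}, claims)
	fmt.Println(u, err)
}
```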
Issue Links
- blocks CM-439 Support using custom OIDC claim as Sync Gateway username (Done)