Details
Issue Type: Improvement
Resolution: Done
Priority: Major
Labels: None
Description
When authenticating incoming OIDC tokens, Sync Gateway currently treats the username as [user_prefix]_[subject]. By default user_prefix is the issuer, but can be customized in the Sync Gateway provider config. Subject is always the sub claim in the token.
In some OIDC implementations, users would like to specify a claim other than subject to use as the Sync Gateway username. To support this, we add a new 'username_claim' config property to Sync Gateway's provider config, with the following behaviour:
- If username_claim is set but user_prefix is not set, use that claim as the Sync Gateway username.
- If username_claim is set and user_prefix is also set, use [user_prefix]_[username_claim] as the Sync Gateway username.
- If username_claim is not set and user_prefix is set, use [user_prefix]_[subject] as the Sync Gateway username (existing behaviour).
- If neither username_claim nor user_prefix is set, use [issuer]_[subject] as the Sync Gateway username (existing behaviour).
- If username_claim is set but the specified claim property does not exist in the token, then reject the token.
- If the username associated with an OIDC subject changes, Sync Gateway does not maintain any connection between the previous user and the current user. If register=true, a new user will be created if it does not already exist. If register=false, the user must be created prior to successful authentication with the token.
- The "username_claim" claim isn't guaranteed to be unique by the OIDC token specification. If uniqueness is a requirement, that guarantee is the responsibility of the auth provider.
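The username rules above, as an added Go example that is not Sync Gateway's own code. The `Claims`, `ProviderConfig` and `SyncGatewayUsername` names are assumptions; the only behaviour not taken from the ticket is rejecting a token with no `sub`, which OIDC requires anyway.

```go
package main

import (
	"errors"
	"fmt"
)

// Claims is a constructed stand-in for a decoded OIDC ID token payload.
type Claims map[string]string

// ProviderConfig mirrors the provider settings the ticket discusses (assumed field names).
type ProviderConfig struct {
	Issuer        string // default prefix when user_prefix is unset
	UserPrefix    string // user_prefix
	UsernameClaim string // username_claim
}

var ErrMissingUsernameClaim = errors.New("token rejected: configured username_claim not present in token")
var ErrMissingSubject = errors.New("token rejected: sub claim missing") // assumption: sub is required by OIDC

// SyncGatewayUsername derives the username exactly as the ticket's decision table specifies.
func SyncGatewayUsername(cfg ProviderConfig, claims Claims) (string, error) {
	if cfg.UsernameClaim == "" {
		// No username_claim: [user_prefix]_[sub], falling back to issuer as the prefix.
		sub, ok := claims["sub"]
		if !ok || sub == "" {
			return "", ErrMissingSubject
		}
		prefix := cfg.UserPrefix
		if prefix == "" {
			prefix = cfg.Issuer
		}
		return prefix + "_" + sub, nil
	}
	value, ok := claims[cfg.UsernameClaim]
	if !ok || value == "" {
		return "", ErrMissingUsernameClaim // claim configured but absent: reject
	}
	if cfg.UserPrefix == "" {
		return value, nil // username_claim alone, no issuer prefix
	}
	return cfg.UserPrefix + "_" + value, nil
}

func main() {
	claims := Claims{"sub": "abc123", "email": "alice@example.com"} // constructed sample token
	for _, cfg := range []ProviderConfig{
		{Issuer: "https://issuer.example"},
		{Issuer: "https://issuer.example", UserPrefix: "idp"},
		{Issuer: "https://issuer.example", UsernameClaim: "email"},
		{Issuer: "https://issuer.example", UserPrefix: "idp", UsernameClaim: "email"},
		{Issuer: "https://issuer.example", UsernameClaim: "preferred_username"},
	} {
		fmt.Println(SyncGatewayUsername(cfg, claims))
	}
}
```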
Issue Links
- depends on: CBG-905 Support using custom OIDC claim as Sync Gateway username (Closed)