Couchbase Mobile / CM-99

Recognize JWT claims within Sync Gateway for access grants


Details

    Description

      For OIDC based auth, support the ability to map SGW roles and channels to JWT claims. This simplifies OIDC deployments by avoiding the need for a separate backend service to handle user registration and to assign access grants (statically via the REST API or dynamically via an access grants document). Aligning SGW access grants with OIDC claims is also a logical fit: when OIDC authentication is in use, the claims would very likely already correspond to the intended access grants (much like mapping LDAP groups to roles).


      At a basic level, support a config option on SGW that allows the user to define the JWT claim to use for channels or user roles (similar to the mapping of username_claim). On user creation, the corresponding grants are assigned.

      In v2 of this feature, an OIDC token claims parser JS function in Sync Gateway to handle custom processing of claims can be considered.

      Access grant revocation implications need to be considered in this context.
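      The mapping described above (a claim named for the username, one for roles, one for channels, grants derived from the token) and the revocation concern can be made concrete with a small model. The Go program below is an added illustration written for this ticket, not Sync Gateway's own code: the ClaimMapping field names are assumptions standing in for whatever config keys the feature would define, and the token payload is a constructed, already signature-verified claims document. It shows the shape handling a real implementation needs (a claim may be absent, a single string, or an array; anything else should fail closed rather than be coerced), and Revoked computes which previously held grants a fresh token no longer carries, which is exactly the case an "assign on user creation" design does not cover.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// ClaimMapping names which JWT claims feed the username, roles and channels of
// the SGW user. Assumption: these field names are illustrative only, not Sync
// Gateway's actual config schema.
type ClaimMapping struct {
	UsernameClaim string // e.g. "sub" or "email"
	RolesClaim    string // claim whose values become SGW roles
	ChannelsClaim string // claim whose values become SGW channels
}

// Grants is the access the user should hold after processing one token.
type Grants struct {
	Username string
	Roles    []string
	Channels []string
}

// stringSet reads a claim that may be absent, a single string or an array of
// strings, and returns a sorted, de-duplicated slice. Non-string elements are
// rejected instead of silently coerced, so an unexpected token shape fails closed.
func stringSet(claims map[string]interface{}, name string) ([]string, error) {
	if name == "" {
		return nil, nil // mapping not configured for this grant type
	}
	raw, ok := claims[name]
	if !ok {
		return nil, nil // claim absent: no grants come from it
	}
	seen := map[string]bool{}
	add := func(v interface{}) error {
		s, ok := v.(string)
		if !ok || s == "" {
			return fmt.Errorf("claim %q: element %v is not a non-empty string", name, v)
		}
		seen[s] = true
		return nil
	}
	switch v := raw.(type) {
	case string:
		if err := add(v); err != nil {
			return nil, err
		}
	case []interface{}:
		for _, e := range v {
			if err := add(e); err != nil {
				return nil, err
			}
		}
	default:
		return nil, fmt.Errorf("claim %q has unsupported type %T", name, raw)
	}
	out := make([]string, 0, len(seen))
	for s := range seen {
		out = append(out, s)
	}
	sort.Strings(out)
	return out, nil
}

// GrantsFromClaims maps decoded (already signature-verified) claims to grants.
func GrantsFromClaims(m ClaimMapping, claims map[string]interface{}) (Grants, error) {
	user, ok := claims[m.UsernameClaim].(string)
	if !ok || user == "" {
		return Grants{}, fmt.Errorf("username claim %q missing or not a string", m.UsernameClaim)
	}
	roles, err := stringSet(claims, m.RolesClaim)
	if err != nil {
		return Grants{}, err
	}
	channels, err := stringSet(claims, m.ChannelsClaim)
	if err != nil {
		return Grants{}, err
	}
	return Grants{Username: user, Roles: roles, Channels: channels}, nil
}

// Revoked returns the entries of prev that are absent from next: the grants a
// claim-driven update would have to take away, which a design that only assigns
// grants on user creation never does.
func Revoked(prev, next []string) []string {
	keep := map[string]bool{}
	for _, s := range next {
		keep[s] = true
	}
	var out []string
	for _, s := range prev {
		if !keep[s] {
			out = append(out, s)
		}
	}
	return out
}

// SampleClaims is a constructed token payload used for the demo (not a real token).
const SampleClaims = `{"sub":"alice","email":"alice@example.com",
  "groups":["editors","admins","editors"],"channels":"proj-a"}`

func main() {
	var claims map[string]interface{}
	if err := json.Unmarshal([]byte(SampleClaims), &claims); err != nil {
		panic(err)
	}
	m := ClaimMapping{UsernameClaim: "sub", RolesClaim: "groups", ChannelsClaim: "channels"}
	g, err := GrantsFromClaims(m, claims)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", g)
	// Roles the user held before this token but that the token no longer carries.
	fmt.Println("revoked roles:", Revoked([]string{"admins", "viewers"}, g.Roles))
}
```

      Running it yields the user alice with roles [admins editors] and channel [proj-a], and reports viewers as the role that would need revoking if alice previously held admins and viewers. The fail-closed choice in stringSet matters because a token whose claim shape differs from what the operator configured should not silently produce an empty or partial grant set.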

      https://forums.couchbase.com/t/openid-implicit-flow-authorized-user-cant-pull-from-syncgateway-couchbase/27511/2

      https://forums.couchbase.com/t/sync-gateway-openid-implicit-flow-users-roles/16635


      This enhancement will be important in the context of Capella to simplify user registration process as part of OIDC workflow. 

      People

        iveta.dulova Iveta Dulova
        priya.rajagopal Priya Rajagopal