Details
-
New Feature
-
Resolution: Done
-
Major
-
None
-
None
Description
For OIDC based auth, support the ability to map SGW roles and channels to JWT claims. This simplifies OIDC deployments by avoiding the need for a separate backend service that needs to handle user registration, and to assign access grants (statically via REST API or dynamically via an access grants document). Aligning SGW access grants with OIDC claims is also a logical fit because it would very likely be the case that when using OIDC authentication that the claims would correspond to the access grants (like mapping LDAP groups to roles)
At basic level, support a config option on SGW that allows user to define the JWT claim to use for channels or user roles (similar to mapping of username_claim). On user creation, the corresponding grants are assigned.
In v2 of this feature, having a OIDC token claims parser JS function in sync gateway to handle custom processing of claims can be considered.
Access grant revocation implications need to be considered in this context.
https://forums.couchbase.com/t/sync-gateway-openid-implicit-flow-users-roles/16635
This enhancement will be important in the context of Capella to simplify user registration process as part of OIDC workflow.
Attachments
Issue Links
- is blocked by
-
CBG-2064 Allow mapping OIDC claims to user roles/channels
- Closed