Map Userinfo and id_token claims to HTTP headers #373
Comments
Here is Mike's original wireframe: @nynymike |
Yes, it would be simplest to iterate through the claims. It would also be nice if you could provide a way to do a claims mapping. In the mapping, I think using |
It looks too complex to me. Meg created a draft config schema and it looks very big and complicated.
I would prefer to create some universal solution and not have a hardcoded entry for some particular header/data pairs. Give me some time, I will try to design it. |
Proposed schema:
Below is an example JSON:
Current implementation is hardcoded to set 2 headers:

```lua
local new_headers = {
    ["X-OpenId-Connect-idtoken"] = encode_base64(cjson.encode(id_token)),
    ["X-OpenId-Connect-userinfo"] = encode_base64(cjson.encode(session_data.userinfo))
}
```

We may provide some defaults in the UI for things like the above, but an admin will be able to fully customize the set of headers. IMO we may use this microframework not only for the OpenID Connect plugin, but everywhere we need to set any headers; of course the environment would be different. |
Ok, so the admin would have to use |
No, we will document, which values are set in the environment. |
We may send the access_token obtained from the OP to the upstream service in a header; mod_auth_openidc, for example, is able to do it. |
It would be nice if we can send the access token, but it should be off by default. |
Ok, created another issue for it: #382 |
GG admins should be able to map distinct HTTP headers to claims in the id_token and Userinfo JWT. The admin should be able to set the name of the HTTP header. The value of the header should be a string if the claim is single-valued, and a JSON array if it is multi-valued. If the claim is not present in the token, omit the header.
This feature is needed to maintain behavior with legacy WAM platforms.
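A generic version of the mapping described above, as an added example that is not part of this issue or of Gluu Gateway's code; the rule keys (`header`, `source`, `claim`), the header names and the sample claims are assumptions, and a tiny JSON encoder stands in for cjson so it runs on plain Lua:

```lua
-- Added example, not Gluu Gateway code. Header names, rule keys and the
-- sample claims below are constructed assumptions, not the plugin's schema.

-- Minimal JSON encoders for string values so this runs without lua-cjson.
local function json_string(s)
  local escaped = tostring(s):gsub('[%c"\\]', function(c)
    if c == '"' then return '\\"' elseif c == '\\' then return '\\\\' end
    return string.format('\\u%04x', c:byte())
  end)
  return '"' .. escaped .. '"'
end

local function json_array(values)
  local parts = {}
  for i, v in ipairs(values) do parts[i] = json_string(v) end
  return '[' .. table.concat(parts, ',') .. ']'
end

-- mapping: list of { header = name, source = "id_token"|"userinfo", claim = name }
-- env: { id_token = claims table, userinfo = claims table }
-- Single-value claims become a string header, array claims a JSON array,
-- and a claim missing from its source produces no header at all.
local function claims_to_headers(mapping, env)
  local headers = {}
  for _, rule in ipairs(mapping) do
    local src = env[rule.source]
    local value = src and src[rule.claim]
    if type(value) == "table" then
      headers[rule.header] = json_array(value)
    elseif value ~= nil then
      headers[rule.header] = tostring(value)
    end
  end
  return headers
end

-- Constructed sample claims and mapping rules.
local env = {
  id_token = { sub = "user123", email = "alice@example.com" },
  userinfo = { roles = { "admin", "dev" } },
}
local mapping = {
  { header = "X-User-Id",    source = "id_token", claim = "sub" },
  { header = "X-User-Roles", source = "userinfo", claim = "roles" },
  { header = "X-Department", source = "userinfo", claim = "department" }, -- absent: omitted
}
for name, value in pairs(claims_to_headers(mapping, env)) do
  print(name .. ": " .. value)
end
```

Whatever the mapping, the gateway should clear any inbound request header with a mapped name before setting its own value, so the upstream only ever sees claim-derived values.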