To make the new OpenID Connect feature (from ditto 1.0.0-M1) more useful there should be a way to configure or use groups and roles supplied within the JWT provided by the OpenID Connect-provider for checks against the subjects of a policy.
An example provider featuring claims specifically for authorization purposes is keycloak where you may receive groups and roles assigned to an authenticated user.
According to my conversation with @jokraehe about the OpenID Connect feature it is currently not possible to use other information provided in the JWT than the subject claim within a policy's subject.
Proposal
I propose to make it possible via configuration of an OpenID Connect provider in the gateway service to set a different claim as the used subject claim.
If the selected claim is a string, it should be used as is.
If the selected claim is an array, it should be treated as multiple subjects in a policy.
If it's something else it should be ignored and an error logged.
I think this would be a fairly easy way of enhancing the OpenID Connect capability without implementing a whole client. The client may follow in a subsequent approach.
Why
Being able to use another claim from the JWT increases flexibility and enables different scenarios, e.g. role-based policy management. It also hands over more control of authorization to the OpenID Connect provider, which in the case of keycloak would be a desired state.
What do you guys think?
Implementation
If I find myself some spare time I'd like to start implementing this. Where should I start and what are likely issues I'll encounter on the way?
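The claim-to-subject mapping rules in the proposal (string claim as one subject, array claim as several, anything else ignored with an error logged), as an added example that is not code from Ditto or from the issue author. Ditto itself is written in Java; this is a stand-alone Python illustration. It assumes the claims have already passed signature and issuer validation, that a dotted claim name may descend into a nested object (as in keycloak's `realm_access.roles`), and that an optional per-provider prefix is put in front of each subject; the sample token payload is constructed.

```python
import logging
from typing import Any, List, Optional

log = logging.getLogger("gateway.oidc")

# Constructed sample: claims of a JWT whose signature, issuer and expiry have
# ALREADY been verified (mapping must never run on an unverified token).
SAMPLE_CLAIMS = {
    "iss": "https://keycloak.example/auth/realms/ditto",
    "sub": "user-123",
    "groups": ["/devices/admins", "/devices/readers"],
    "realm_access": {"roles": ["thing-writer"]},   # keycloak-style nesting
    "email_verified": True,                        # unusable as a subject
}


def lookup_claim(claims: dict, path: str) -> Any:
    """Resolve a claim by name. Assumption: a dotted path descends into
    nested objects, e.g. 'realm_access.roles'. Missing claims yield None."""
    node: Any = claims
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def subjects_from_claim(claims: dict, subject_claim: str = "sub",
                        subject_prefix: Optional[str] = None) -> List[str]:
    """Map the configured claim to policy subjects following the proposal:
    string -> one subject, array -> one subject per element, anything else
    -> ignored and an error logged (empty list, i.e. no subjects granted)."""
    value = lookup_claim(claims, subject_claim)
    if isinstance(value, str):
        values = [value]
    elif isinstance(value, list) and all(isinstance(v, str) for v in value):
        # Assumption: a non-string element rejects the whole array, so a
        # malformed token never produces a partial subject set.
        values = list(value)
    else:
        log.error("claim %r missing or of unsupported type %s; ignoring",
                  subject_claim, type(value).__name__)
        return []
    # Assumption: subjects are namespaced per provider via a configured prefix.
    return [f"{subject_prefix}:{v}" if subject_prefix else v for v in values]
```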