New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OIDC integration should support arbitrary claims for authorization subjects #512
Comments
Is there any advance in this topic? |
No, we don't have that on our short term agenda currently. |
Just to get the issue clear. Is the aim to get arbitrary claims as the authorization subject or should the claims be used otherwise, also? |
I think the idea behind this was to provide configuration on how (multiple) authorization subjects would be generated from the claims of a JWT. So basically a mini-DSL for generating the subjects. So just a small example to clarify what I think this means:
and a configuration for the issuer
|
In my understanding the main goal is to support e.g. roles and group claims in subjects such that I may add a OIDC role or group to a policy entry instead of a user id. This would already be much more flexible and allow access management being made from e.g. keycloak instead of ditto policies directly. With this I could write policy entries reflecting roles and add these roles to users to give them more capabilites. Apart from that your idea @ffendt sounds interesting. Could you elaborate a bit more about the use-case that this could enable? I don't have a good feeling about what possibilities this would open up ;) |
This is an interesting topic and I see two different tasks in it. I agree with @ffendt in the sense that in some systems it may be preferable to use e.g. the email instead of the subject e.g. for consistency with other systems. |
I'm not sure what the benefit of having METADATA is vs sticking to the already existing mechanism of multiple auth subjects. If I understood @ffendt correctly you could do the same thing by using the subjects.
If I got this idea right, it allows to configure any structure of the subject that will be generated. This means you could for example configure [-sub+][scp] which would then generate the following list of subjects:
This way you also have a subject which reflects only the role (admin and user) taken from the scp. Did I miss something of your approach @JulianFeinauer? |
It took me a moment to fully understand the described approach of @ffendt and I think it's a solid approach! So one of the next steps then is to propose a actual DSL for this then? Some ideas / implementation notes: As additional note about the nature of claims: they are auth provider dependent and since they are JSON could have any type such as If the value of a claim is a list we can assume to use all it's contents for the auth subjects. No need to specify it explicitly with |
I agree on that. Regarding the DSL: yes, that one would have to be defined. I just searched if there already is a standard/library for defining such things, but I didn't find any. So I guess defining our own DSL and parser would be the best option. |
The DSL would be part of the openid-connect-issuers configuration in "gateway.conf" (and could be specified/overwritten via environment variable or system property). I guess it would make sense to "break" the config format in order to e.g. define for a issuer - so change from plain string to object in the config. In order to start simple, I would suggest:
Example config:
Example token: {
"sub": "ffendt",
"client_id": "ditto-users",
"scp": [
"user",
"admin"
],
"roles": {
"support": [
"call-center-agent",
"support.admin"
]
}
} Example extracted auth subjects (to be used in policy "subjects"):
WDYT? Could this be a simple start already solving 80% of the use cases? |
This looks very good @thjaeckle . Woudl at least solve 100% of my use cases (use email and probably use roles / groups). 👍 |
@thjaeckle I'd like a shorter config option. Just throwing in some ideas:
My favorit being simply |
Yes, I think fixed subjects would "automatically" be supported if you don't use the |
I like your approach @thjaeckle, but I have a little issue with the placeholder syntax. I would prefer braces style that we use in connectivity configuration. Maybe even with a type declaration (string/array).
|
@jokraehe that syntax is also good for me 👍 Another proposal, use "json" or "claim" as prefix:
|
I had that exact same thought on the prefix 👍 |
I think we reached an agreement on the format (I updated the summary accordingly). Implementation hints:
|
Hi, |
@oscarfh not that I am aware of. |
Ok, thanks a lot for the feedback, @thjaeckle ! |
The current implementation reads the "sub" claim only to create authorization subjects from a JSON web token. We should provide configuration options to support any claims.
Implementation suggestion (see below for discussion how we got there) for the configuration "syntax":
The text was updated successfully, but these errors were encountered: