Details
Type: Improvement
Status: Open
Priority: Major
Resolution: Unresolved
Description
Currently, the config parameters "principalClaim" and "rolesClaim" are configured globally per JWT plugin instance in security.json. But each JWT plugin instance supports validating access tokens from multiple IDPs (issuers), and two different issuers may use different JWT claims for e.g. the user role, so these should optionally be configurable per issuer.
Furthermore, an issuer may not have any claim suitable for mapping to a Solr "role". Thus there should be a per-issuer configuration that can translate/map roles from a certain issuer to Solr-supported roles, and even add static roles that every valid token from that IDP should be granted.
Suggestion (per-issuer configuration):
  "staticRoles": ["foo", "bar"],
  "roleMapping": [{"from":"foo", "to":"bar"}, {"from":"prefix-(\w+)","to":"$1"}]
The 'staticRoles' would be added to the roles already present on the token, while 'roleMapping' would provide a tool to massage roles from a claim or scope into a role defined in security.json. By supporting regex matching, this would cover most needs.
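The following is an added example, not code from Solr or from the issue reporter, sketching how the proposed per-issuer settings could be evaluated once a token's signature has already been verified. It is written in Python rather than Solr's Java so it can be run on its own, and the config dictionary, the issuer URLs and the sample claim sets are all constructed for illustration; the schema is an assumption, not Solr's actual security.json format. It also goes slightly beyond the issue text in two places: roles that no mapping rule matches are passed through unchanged, and regex rules are applied with an anchored full match, so a pattern like prefix-(\w+) cannot be satisfied by a substring of an attacker-chosen scope such as evil-prefix-root.

```python
import re
from typing import Any

# Constructed, hypothetical config: global defaults plus per-issuer overrides,
# following the shape proposed in this issue (not Solr's real security.json schema).
CONFIG: dict[str, Any] = {
    "principalClaim": "sub",
    "rolesClaim": "roles",
    "issuers": {
        # Issuer A relies on the global principalClaim/rolesClaim and only renames one role.
        "https://idp-a.example.com/": {
            "roleMapping": [{"from": "foo", "to": "bar"}],
        },
        # Issuer B uses different claims, carries roles as space-separated OAuth scopes,
        # grants a static role to every valid token, and strips a "prefix-" from scope names.
        "https://idp-b.example.com/": {
            "principalClaim": "preferred_username",
            "rolesClaim": "scope",
            "staticRoles": ["reader"],
            "roleMapping": [{"from": "prefix-(\\w+)", "to": "$1"}],
        },
    },
}


def _extract_roles(value: Any) -> list[str]:
    """Accept a JSON array of roles or a space-separated scope string."""
    if value is None:
        return []
    if isinstance(value, str):
        return value.split()
    if isinstance(value, list):
        return [str(v) for v in value]
    raise ValueError(f"unsupported roles claim type: {type(value).__name__}")


def _apply_mapping(role: str, mapping: list[dict[str, str]]) -> str:
    """Return the first matching rule's target, or the role unchanged (assumed behaviour)."""
    for rule in mapping:
        pattern, target = rule["from"], rule["to"]
        if role == pattern:
            return target
        # fullmatch anchors the pattern: "prefix-(\w+)" must cover the whole role string.
        match = re.fullmatch(pattern, role)
        if match:
            # Translate "$1"-style group references into Python's "\1" before expanding.
            return match.expand(re.sub(r"\$(\d+)", r"\\\1", target))
    return role


def resolve_roles(claims: dict[str, Any]) -> tuple[str, list[str]]:
    """Map already-verified JWT claims to (principal, sorted roles) per the token's issuer.

    Signature, expiry and audience checks are assumed to have happened before this point.
    """
    issuer = claims.get("iss")
    issuer_cfg = CONFIG["issuers"].get(issuer)
    if issuer_cfg is None:
        raise PermissionError(f"issuer not configured: {issuer!r}")
    principal_claim = issuer_cfg.get("principalClaim", CONFIG["principalClaim"])
    roles_claim = issuer_cfg.get("rolesClaim", CONFIG["rolesClaim"])
    principal = claims.get(principal_claim)
    if not principal:
        raise PermissionError(f"token lacks principal claim {principal_claim!r}")
    raw_roles = _extract_roles(claims.get(roles_claim))
    roles = {_apply_mapping(r, issuer_cfg.get("roleMapping", [])) for r in raw_roles}
    roles.update(issuer_cfg.get("staticRoles", []))
    return str(principal), sorted(roles)


def is_rejected(claims: dict[str, Any]) -> bool:
    """Helper for checks: True when the claim set is refused."""
    try:
        resolve_roles(claims)
        return False
    except PermissionError:
        return True


# Constructed claim sets standing in for decoded, signature-verified tokens.
TOKEN_A = {"iss": "https://idp-a.example.com/", "sub": "alice", "roles": ["foo", "baz"]}
TOKEN_B = {
    "iss": "https://idp-b.example.com/",
    "preferred_username": "bob",
    "scope": "prefix-admin openid evil-prefix-root",
}
TOKEN_UNKNOWN = {"iss": "https://idp-c.example.com/", "sub": "mallory", "roles": ["admin"]}

if __name__ == "__main__":
    print(resolve_roles(TOKEN_A))
    print(resolve_roles(TOKEN_B))
    print("unknown issuer rejected:", is_rejected(TOKEN_UNKNOWN))
```

For TOKEN_B, "prefix-admin" becomes "admin", "openid" passes through because no rule matches it, and "evil-prefix-root" is left as-is instead of being rewritten to "root", which is exactly the difference between an anchored and an unanchored regex match; a token from an issuer absent from the configuration is refused outright rather than falling back to the global claim names.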