[ https://issues.apache.org/jira/browse/SOLR-16171?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jan Høydahl updated SOLR-16171:
-------------------------------
    Description: 
Now, the config parameters "principalClaim" and "rolesClaim" are configured globally per JWT plugin in security.json. But each JWT instance supports validating access tokens from multiple IDPs (issuers), and two different issuers may use different JWT claims for e.g. the user role, so these should optionally be configurable per issuer.

Furthermore, an issuer may not have any claims suitable for mapping to a Solr "role". Thus there should be a per-issuer configuration that can translate/map roles from a certain issuer to solr-supported roles, and even add static roles that every valid token from that IDP should be granted.

Suggestion:
{code:java}
staticRoles: ["foo", "bar"]
roleMapping: [{"from":"foo", "to":"bar"}, {"from":"prefix-(\w+)","to":"$1"}]
{code}
The 'staticRoles' would be added to existing roles, while roleMapping would provide a tool to massage roles from claim/scope into some role defined in security.json. By providing a regex matching, this would solve most needs.

  was:
Now, the config parameters "principalClaim" and "rolesClaim" are configured globally per JWT plugin in security.json. But each JWT instance supports validating access tokens from multiple IDPs (issuers), and two different issuers may use different JWT claims for e.g. the user role, so these should optionally be configurable per issuer.


> JWT plugin support more config per issuer
> -----------------------------------------
>
>                 Key: SOLR-16171
>                 URL: https://issues.apache.org/jira/browse/SOLR-16171
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public)
>          Components: Authentication
>            Reporter: Jan Høydahl
>            Assignee: Jan Høydahl
>            Priority: Major
>
> Now, the config parameters "principalClaim" and "rolesClaim" are configured
> globally per JWT plugin in security.json. But each JWT instance supports
> validating access tokens from multiple IDPs (issuers), and two different
> issuers may use different JWT claims for e.g. the user role, so these should
> optionally be configurable per issuer.
> Furthermore, an issuer may not have any claims suitable for mapping to a Solr
> "role". Thus there should be a per-issuer configuration that can
> translate/map roles from a certain issuer to solr-supported roles, and even
> add static roles that every valid token from that IDP should be granted.
> Suggestion:
> {code:java}
> staticRoles: ["foo", "bar"]
> roleMapping: [{"from":"foo", "to":"bar"}, {"from":"prefix-(\w+)","to":"$1"}]
> {code}
> The 'staticRoles' would be added to existing roles, while roleMapping would
> provide a tool to massage roles from claim/scope into some role defined in
> security.json. By providing a regex matching, this would solve most needs.

--
This message was sent by Atlassian Jira
(v8.20.7#820007)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For additional commands, e-mail: issues-h...@solr.apache.org
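The following is an added illustration of the semantics proposed in the issue (per-issuer principalClaim/rolesClaim, staticRoles and a regex roleMapping with "$1" backreferences). It is not code from Solr or from the issue: the issuer URLs, claim names, role names and the two token claim sets are constructed, and the mapping rules (whole-name match, first rule wins, roles matching no rule are dropped) are this example's assumptions rather than anything the proposal fixes.

```python
import re
from typing import Dict, List, Tuple

# Hypothetical per-issuer configuration, shaped after the proposal in this issue.
# Issuer URLs, claim names and role names are constructed for the example.
ISSUERS: Dict[str, dict] = {
    "https://idp-a.example.com/": {
        "principalClaim": "sub",
        "rolesClaim": "groups",
        "roleMapping": [
            {"from": "solr-admins", "to": "admin"},
            {"from": "solr-(\\w+)", "to": "$1"},
        ],
    },
    "https://idp-b.example.com/": {
        "principalClaim": "email",
        # This IdP issues nothing usable as a role; every valid token gets "read".
        "staticRoles": ["read"],
    },
}

_JAVA_BACKREF = re.compile(r"\$(\d+)")


def _to_python_template(to: str) -> str:
    """Turn the "$1" backreferences used in the proposal into Python's "\\g<1>" form."""
    return _JAVA_BACKREF.sub(r"\\g<\1>", to)


def map_roles(raw_roles: List[str], mapping: List[dict]) -> List[str]:
    """Apply the first matching roleMapping rule to each incoming role.

    Assumptions made here: "from" must match the whole role name, and a role
    matching no rule is dropped, so only names the mapping produces reach Solr.
    """
    mapped = []
    for role in raw_roles:
        for rule in mapping:
            m = re.fullmatch(rule["from"], role)
            if m:
                mapped.append(m.expand(_to_python_template(rule["to"])))
                break
    return mapped


def resolve_principal_and_roles(claims: dict, issuers: Dict[str, dict] = ISSUERS) -> Tuple[str, List[str]]:
    """Resolve principal and roles from the claims of an already signature-verified token.

    Signature, expiry and audience checks are assumed to have happened before this
    point; role mapping only decides what a *valid* token is allowed to do.
    """
    cfg = issuers.get(claims.get("iss"))
    if cfg is None:
        raise ValueError("token from an issuer not configured in security.json")
    principal = claims.get(cfg["principalClaim"])
    if not principal:
        raise ValueError("token lacks principal claim %r" % cfg["principalClaim"])

    roles: List[str] = []
    roles_claim = cfg.get("rolesClaim")
    if roles_claim:
        raw = claims.get(roles_claim, [])
        if isinstance(raw, str):  # "scope"-style claims are space separated
            raw = raw.split()
        mapping = cfg.get("roleMapping")
        roles.extend(map_roles(raw, mapping) if mapping else raw)
    roles.extend(cfg.get("staticRoles", []))

    deduped = list(dict.fromkeys(roles))  # keep order, drop duplicates
    return principal, deduped


# Constructed claim sets, as they would look after JWT verification and decoding.
TOKEN_A = {"iss": "https://idp-a.example.com/", "sub": "alice",
           "groups": ["solr-admins", "solr-search", "hr-staff"]}
TOKEN_B = {"iss": "https://idp-b.example.com/", "email": "bob@example.com"}

if __name__ == "__main__":
    print(resolve_principal_and_roles(TOKEN_A))  # ('alice', ['admin', 'search'])
    print(resolve_principal_and_roles(TOKEN_B))  # ('bob@example.com', ['read'])
```

Two points a practitioner would want to keep in mind: the mapping runs only on claims that have already passed signature, expiry and audience checks, so it changes authorization, not authentication; and dropping roles that match no rule (rather than passing them through) keeps an IdP group like "hr-staff" from silently becoming a Solr role just because the name collides with something in security.json.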