Details
Feature
Status: Released
Minor
Resolution: Fixed
Description
Current Situation
- The OIDC Identity Service requires the user accounts that can make use of the service to be specified.
- Roles are assigned to these user accounts in JOC Cockpit.
Desired Behavior
- A second flavor of the OIDC Identity Service is desired that works without specifying user accounts and role/group assignments.
- Instead, the Identity Provider's authentication endpoint can be used, which provides the information about the policies/roles assigned to a given user account. This information is carried as a claim in the id-token.
- As it depends on the id-token configuration which claims are available, a list of claims can be configured. The values of all configured claims are merged into one list of groups/roles that can be mapped to the roles defined by the Identity Service.
- The OIDC Identity Service offers settings to map OIDC policies/roles to JS7 roles. (This works similarly to the mapping of security groups to roles in the existing LDAP Identity Service.)
- For this flavor of the OIDC Identity Service no user accounts are specified, as the mapping to roles is performed automatically during authentication.
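The steps above (read the configured claims from the id-token, merge their values into one list of groups/roles, map those to JS7 roles) as an added Python example. This is illustration code written for this page, not JS7's or JOC Cockpit's own implementation: the setting names `CLAIM_NAMES` and `ROLE_MAPPING`, the JS7 role names, the issuer, the client id and the key are all constructed. The token is signed with HS256 and a shared secret only to keep the example self-contained and offline; a real Identity Provider signs id-tokens with RS256/ES256 and the signature is checked against the IdP's published JWKS. The defender-relevant point the example enforces is that claims are only read after the signature, `alg`, `iss`, `aud` and `exp` have been verified, so that role assignment is never derived from an unverified token.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed configuration. The setting names are hypothetical and not JS7's own.
CLAIM_NAMES = ["roles", "groups"]           # id-token claims that carry IdP policies/roles
ROLE_MAPPING = {                            # IdP policy/role  ->  JS7 role(s), constructed
    "js7-admins": ["administrator"],
    "js7-operators": ["application_manager", "it_operator"],
    "js7-viewers": ["business_user"],
}


def b64url_decode(data):
    """Decode base64url without padding, as used in JWTs."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def verify_id_token(token, key, issuer, audience, now=None):
    """Return the claims of an HS256 id-token after checking signature, alg, iss, aud and exp.

    HS256 with a shared key stands in for the IdP's asymmetric signature here; the
    structure of the checks is the same when verifying against the IdP's JWKS.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed id-token")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # pin the expected algorithm; never trust alg alone
        raise ValueError("unexpected alg")
    signing_input = "{}.{}".format(header_b64, payload_b64).encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if audience not in aud_list:
        raise ValueError("wrong audience")
    current = now if now is not None else time.time()
    if current >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


def extract_groups(claims, claim_names):
    """Merge the values of all configured claims into one de-duplicated list of IdP groups/roles.

    A claim may hold a single string or a list of strings; claims missing from the token are skipped.
    """
    merged = []
    for name in claim_names:
        value = claims.get(name)
        if value is None:
            continue
        items = value if isinstance(value, list) else [value]
        for item in items:
            if isinstance(item, str) and item not in merged:
                merged.append(item)
    return merged


def map_roles(groups, mapping):
    """Map IdP groups/roles to JS7 roles; a group without a mapping grants nothing."""
    js7_roles = set()
    for group in groups:
        js7_roles.update(mapping.get(group, []))
    return sorted(js7_roles)


def roles_from_id_token(token, key, issuer, audience, now=None):
    """Authentication outcome: JS7 roles derived purely from the verified id-token, no user account needed."""
    claims = verify_id_token(token, key, issuer, audience, now)
    return map_roles(extract_groups(claims, CLAIM_NAMES), ROLE_MAPPING)


def make_demo_token(payload, key):
    """Build a constructed HS256 id-token that stands in for what the IdP would issue."""
    header_b64 = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload_b64 = b64url_encode(json.dumps(payload).encode())
    signing_input = "{}.{}".format(header_b64, payload_b64).encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return "{}.{}.{}".format(header_b64, payload_b64, b64url_encode(sig))


# Constructed sample: IdP issuer, JOC Cockpit client id and a user carrying two claims.
DEMO_KEY = b"constructed-shared-secret"
DEMO_ISSUER = "https://idp.example.test/"
DEMO_AUDIENCE = "joc-cockpit"
DEMO_CLAIMS = {
    "iss": DEMO_ISSUER, "aud": DEMO_AUDIENCE, "sub": "alice", "exp": 4102444800,
    "roles": ["js7-operators", "unmapped-role"],   # list-valued claim
    "groups": "js7-viewers",                        # string-valued claim
}

if __name__ == "__main__":
    token = make_demo_token(DEMO_CLAIMS, DEMO_KEY)
    print(roles_from_id_token(token, DEMO_KEY, DEMO_ISSUER, DEMO_AUDIENCE))
```

Both claims are merged before mapping, so `alice` receives the union of the JS7 roles mapped from `js7-operators` and `js7-viewers`, while `unmapped-role` grants nothing. A token with a wrong signature, issuer, audience or an expired `exp` raises before any claim is read, so no roles are assigned from it.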