[SERVER-81631] Make authorizationClaim OIDC IdP configuration field optional
Created: 02/Oct/23 | Updated: 12/Dec/23 | Resolved: 09/Nov/23

| Status: | Closed |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | 7.3.0-rc0, 7.2.0-rc2, 7.0.5 |
| Type: | Task |
| Priority: | Major - P3 |
| Reporter: | Varun Ravichandran |
| Assignee: | Varun Ravichandran |
| Resolution: | Fixed |
| Votes: | 0 |
| Labels: | pm-3513 |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Backwards Compatibility: | Fully Compatible |
| Backport Requested: | v7.2, v7.0 |
| Sprint: | Security 2023-10-16, Security 2023-10-30, Security 2023-11-13 |
| Participants: | |
Description

Today, the authorizationClaim field of the OIDC IdP configuration is mandatory, and the server expects this claim to be present in every access token presented to it for authentication. The claim is used to determine the set of groups the user is directly a member of, which are then mapped to MongoDB roles. This ticket introduces a new IdP configuration field, useAuthorizationClaim, which defaults to true. When it is set to false, authorizationClaim becomes optional; if it is not specified, the server does not read group membership from the token and instead authorizes the user via the user's own user document.
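The following is an added example illustrating the rule described above; it is not code from the ticket or from MongoDB's server. It models an oidcIdentityProviders entry in the three relevant states (authorizationClaim set with useAuthorizationClaim defaulted to true, useAuthorizationClaim set to false with no authorizationClaim, and the still-invalid case of neither) and routes a token's claims either to claim-based group mapping or to user-document authorization. The field names follow the oidcIdentityProviders parameter, but the issuer, audience and authNamePrefix values are hypothetical, and the "<authNamePrefix>/<group>" role naming and the use of the `sub` claim as principal are assumptions made for the example, not statements from the ticket.

```javascript
// Added example for SERVER-81631: a small model of how an OIDC IdP
// configuration entry is validated and how a presented token is routed to
// either claim-based or user-document-based authorization once
// useAuthorizationClaim exists. Illustrative code, not MongoDB's server
// implementation. Field names follow oidcIdentityProviders; the
// issuer/audience/prefix values are hypothetical.

// Default behaviour: group membership is read from the token's claim.
const idpGroupsFromToken = {
  issuer: "https://idp.example.com",   // hypothetical issuer
  audience: "mongodb-prod",            // hypothetical audience
  authNamePrefix: "idp",               // hypothetical prefix
  authorizationClaim: "groups",
  // useAuthorizationClaim omitted: defaults to true
};

// New option from the ticket: authorizationClaim is optional and roles come
// from the user's user document instead of the token.
const idpRolesFromUserDocument = {
  issuer: "https://idp.example.com",
  audience: "mongodb-prod",
  authNamePrefix: "idp",
  useAuthorizationClaim: false,
};

// Still invalid: useAuthorizationClaim defaults to true, so
// authorizationClaim remains mandatory here.
const idpMissingClaim = {
  issuer: "https://idp.example.com",
  audience: "mongodb-prod",
  authNamePrefix: "idp",
};

// Returns true when group membership must be read from the token, false when
// the user document is authoritative. Throws on an inconsistent entry.
function usesAuthorizationClaim(idp) {
  const useClaim = idp.useAuthorizationClaim !== false; // default true
  if (useClaim && typeof idp.authorizationClaim !== "string") {
    throw new Error("authorizationClaim is required unless useAuthorizationClaim is false");
  }
  return useClaim;
}

// Boolean wrapper so callers can check an entry without try/catch.
function isValidIdpConfig(idp) {
  try {
    usesAuthorizationClaim(idp);
    return true;
  } catch (e) {
    return false;
  }
}

// Decide how a token's (already signature-verified) claims are authorized for
// the given IdP entry. Assumes the principal comes from `principalName`
// (default "sub") and that groups map to roles named
// "<authNamePrefix>/<group>"; both are assumptions of this example.
function authorizeClaims(idp, claims) {
  const principalClaim = idp.principalName || "sub";
  const principal = `${idp.authNamePrefix}/${claims[principalClaim]}`;
  if (!usesAuthorizationClaim(idp)) {
    // Roles are looked up on the user document for `principal`; the token
    // need not carry any group claim at all.
    return { principal, source: "userDocument", roles: null };
  }
  const claimName = idp.authorizationClaim;
  if (!Object.prototype.hasOwnProperty.call(claims, claimName)) {
    // Unchanged behaviour: with useAuthorizationClaim true, a token without
    // the claim is rejected rather than silently granted no roles.
    throw new Error(`access token is missing required claim "${claimName}"`);
  }
  const raw = claims[claimName];
  const groups = Array.isArray(raw) ? raw : [raw];
  return {
    principal,
    source: "claim",
    roles: groups.map((g) => `${idp.authNamePrefix}/${g}`),
  };
}

// Constructed sample claims (not a real token). Signature and issuer/audience
// checks are out of scope here and must succeed before any of this runs.
const SAMPLE_CLAIMS = { sub: "alice@example.com", groups: ["dba", "analytics"] };

console.log(authorizeClaims(idpGroupsFromToken, SAMPLE_CLAIMS));
console.log(authorizeClaims(idpRolesFromUserDocument, { sub: "alice@example.com" }));
console.log("entry without authorizationClaim valid?", isValidIdpConfig(idpMissingClaim));
```

The practical point of the example is where the authorization decision lives: with useAuthorizationClaim at its default, a token that lacks the configured claim is rejected outright, whereas with useAuthorizationClaim set to false the token only establishes identity and the roles granted on the user document decide what the user may do. Operators switching an IdP entry to false therefore need to manage those user documents with the same care they previously gave to group assignments at the IdP.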