Posted to dev@couchdb.apache.org by Ronny Berndt <ro...@apache.org> on 2022/10/18 07:47:24 UTC
Re: [DISCUSS] Should roles_claim_name be marked as deprecated and replaced in favor of roles_claim_path
The feature is already included in main and I want to finish and add the documentation for it.
Are there any further hints and comments?
New PR at: https://github.com/apache/couchdb/pull/4232
Summary:
The question is whether we want to deprecate the old setting roles_claim_name and replace
it with roles_claim_path, or whether we want to have both settings in parallel with overlapping (sub-)functionality?
Cheers,
Ronny
> On 01.09.2022 at 06:53, Nick Vatamaniuc <va...@gmail.com> wrote:
>
> If RCPs have all the functionality of RCNs, I think it makes sense to
> deprecate RCNs.
>
> On Tue, Aug 30, 2022 at 9:02 AM Ronny Berndt <ro...@apache.org> wrote:
>>
>> Overview
>>
>> In a JWT token it is possible to add an attribute for role claims.
>> If the roles are presented as a top-level attribute like
>>
>> {
>>   "couchdb-roles": [
>>     "my_role_1",
>>     "my_role_2"
>>   ]
>> }
>>
>> and setting the parameter roles_claim_name in the config file to
>>
>> [jwt_auth]
>> roles_claim_name = couchdb-roles
>>
>> CouchDB was able to read that attribute and take over those roles.
>> This doesn't work if the role claims are nested, e.g.:
>>
>> {
>>   "my": {
>>     "nested": {
>>       "couchdb-roles": [
>>         "my_role_1",
>>         "my_role_2"
>>       ]
>>     }
>>   }
>> }
>>
>> To allow this and for backwards compatibility, a new config parameter `roles_claim_path`
>> is introduced to allow nested role claims. To allow the example from above, you can use
>> the following syntax:
>>
>> [jwt_auth]
>> roles_claim_path = my.nested.couchdb-roles
>>
>> It is now possible to specify nested (and unnested: "\." prevents a dot from being interpreted as nested)
>> JSON paths in roles_claim_path, like
>> roles_claim_path = foo.bar\.zonk.baz\.buu.baa.baa\.bee.roles, which is equivalent to
>>
>> {
>>   "foo": {
>>     "bar.zonk": {
>>       "baz.buu": {
>>         "baa": {
>>           "baa.bee": {
>>             "roles": [
>>               "my_nested_role_1",
>>               "my_nested_role_2"
>>             ]
>>           }
>>         }
>>       }
>>     }
>>   }
>> }
>>
>> After merging the functionality with PR#4041 [3], I wanted to know if we should
>> deprecate the existing parameter `roles_claim_name` (RCN) in favor of `roles_claim_path`
>> (RCP). RCP has all the functionality of RCN plus it allows nested & unnested JWT JSON
>> role claims. If `roles_claim_path` is defined, then `roles_claim_name` is ignored.
>>
>> In the docs PR#737 [4], I already "marked" RCN as deprecated in the next version (3.3),
>> because RCP acts as successor of RCN. We could also remove the deprecation note and
>> have both options in CouchDB with overlapping functionality.
>>
>> What do you think?
>>
>> Related Issues or Pull Requests:
>>
>> #3758 [1]
>> #3166 [2]
>>
>> [1] https://github.com/apache/couchdb/issues/3758
>> [2] https://github.com/apache/couchdb/pull/3166
>> [3] https://github.com/apache/couchdb/pull/4041
>> [4] https://github.com/apache/couchdb-documentation/pull/737
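The following is an added worked example, not code from the thread or from CouchDB itself (whose JWT handling is written in Erlang). It models the semantics described above in Python so the difference between the two settings is easy to test: an unescaped `.` in `roles_claim_path` descends one level into the claims, `\.` is a literal dot inside a key name, a configured `roles_claim_path` takes precedence over `roles_claim_name`, and `roles_claim_name` is always a single top-level key. The function names, the constructed claim sets, and the choice to grant no roles when the claim is missing or is not a list of strings are this example's own assumptions.

```python
from typing import Any, Dict, List, Optional


def split_claim_path(path: str) -> List[str]:
    r"""Split a roles_claim_path value into key segments.

    An unescaped '.' separates nested keys; a backslash-escaped '\.'
    is a literal dot inside one key (as in the "bar\.zonk" example).
    """
    segments: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(path):
        ch = path[i]
        if ch == "\\" and i + 1 < len(path) and path[i + 1] == ".":
            current.append(".")  # escaped dot: part of the key name
            i += 2
            continue
        if ch == ".":
            segments.append("".join(current))  # unescaped dot: descend
            current = []
        else:
            current.append(ch)
        i += 1
    segments.append("".join(current))
    # Leading, trailing or doubled dots produce empty keys; treat as a config error
    if any(seg == "" for seg in segments):
        raise ValueError(f"invalid roles_claim_path: {path!r}")
    return segments


def lookup_roles(claims: Dict[str, Any], segments: List[str]) -> Optional[List[str]]:
    """Walk the decoded JWT claims along the key segments.

    Returns the roles list, or None when the path is absent or the value
    found there is not a list of strings (assumption: anything else is
    treated as 'no roles' rather than trusted).
    """
    node: Any = claims
    for seg in segments:
        if not isinstance(node, dict) or seg not in node:
            return None
        node = node[seg]
    if isinstance(node, list) and all(isinstance(r, str) for r in node):
        return node
    return None


def roles_from_claims(
    claims: Dict[str, Any],
    roles_claim_name: Optional[str] = None,
    roles_claim_path: Optional[str] = None,
) -> List[str]:
    """Resolve roles the way the thread describes the two settings:
    roles_claim_path wins when defined; roles_claim_name is a literal
    top-level key and never nests; no configured claim means no roles."""
    if roles_claim_path is not None:
        found = lookup_roles(claims, split_claim_path(roles_claim_path))
    elif roles_claim_name is not None:
        found = lookup_roles(claims, [roles_claim_name])
    else:
        found = None
    return list(found) if found is not None else []


# Constructed sample claim sets mirroring the examples in the thread
TOP_LEVEL_CLAIMS: Dict[str, Any] = {
    "sub": "alice",
    "couchdb-roles": ["my_role_1", "my_role_2"],
}
NESTED_CLAIMS: Dict[str, Any] = {
    "sub": "alice",
    "my": {"nested": {"couchdb-roles": ["my_role_1", "my_role_2"]}},
}
ESCAPED_CLAIMS: Dict[str, Any] = {
    "foo": {"bar.zonk": {"baz.buu": {"baa": {"baa.bee": {
        "roles": ["my_nested_role_1", "my_nested_role_2"]
    }}}}}
}
MALFORMED_CLAIMS: Dict[str, Any] = {"couchdb-roles": "admin"}  # string, not a list


if __name__ == "__main__":
    print(roles_from_claims(TOP_LEVEL_CLAIMS, roles_claim_name="couchdb-roles"))
    print(roles_from_claims(NESTED_CLAIMS, roles_claim_name="couchdb-roles"))
    print(roles_from_claims(NESTED_CLAIMS, roles_claim_path="my.nested.couchdb-roles"))
    print(roles_from_claims(ESCAPED_CLAIMS,
                            roles_claim_path=r"foo.bar\.zonk.baz\.buu.baa.baa\.bee.roles"))
```

Running the script shows why RCN cannot serve the nested case: with `roles_claim_name = couchdb-roles` the second call yields no roles because the key is not at the top level, while the same claims resolve correctly through `roles_claim_path`. The backslash in the config line is a single character, hence the raw string in the last call.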