[GitHub] [druid] bitsofdave commented on pull request #8992: druid extension for OpenID Connect auth using pac4j lib

[GitBox <gi...@apache.org>]

bitsofdave commented on PR #8992:
URL: https://github.com/apache/druid/pull/8992#issuecomment-1088875354

   @himanshug For configuring authorizations using the `MyBasicMetadataAuthorizer` in your example above, do you have to use the `sub` attribute to identify a user? 
   
   For example, my OIDC provider returns something like the following profile:
   ```
   profile: #OidcProfile# | id: <id> | attributes: {..., sub=<sub>, ..., preferred_username=<email_address>, ..., given_name=<name>, ..., name=<name>, ..., email=<email>, ...} | roles: [] | permissions: [] | isRemembered: false 
   ```
   I can create a druid basic user with name `<sub>` and assign a druid basic security role to it. This seems to work fine.
   
   What I would like to do is create the druid basic user using another attribute such as `<email>` and assign a druid basic security role to it. When I've tried this, the user I'm logged in as doesn't get any permissions since I'm being identified by `<sub>`. I'm not sure how to change it to use another field.
   
   Another option, even preferred, is to use `roles` in the response and assign permissions to them, similar to LDAP group mappings. Is this possible with this extension?
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org