Add new authorization strategy that works with OIDC (e.g. Keycloak)

The use case for this is to use [tokens from CERN's SSO](https://auth.docs.cern.ch/user-documentation/oidc/config/) (Keycloak) with [SWAN](https://swan.cern.ch), by mapping users based on the `username_claim` (`cern_upn`, for example, in the CERN SSO tokens). One could imagine also configuring access based on other online accounts such as from Google, GitHub, etc.

The idea which we discussed offline is to add a new authorization strategy in scitokens-cpp that would allow to map tokens to users directly, without a mapfile (which seems to be currently required for the existing `mapping` authorization strategy). The new strategy could simply check for `openid` scope, and map `sub` or the `username_claim` to the user name. If a strategy to support [OAuth2](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-12) is possible, that would be even better.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Add new authorization strategy that works with OIDC (e.g. Keycloak) #147

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Add new authorization strategy that works with OIDC (e.g. Keycloak) #147

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions