From 202140b0c3dbd9b158cbdce47c2ab23e72b03e7e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rn=20Friedrich=20Dreyer?=
Date: Tue, 11 Aug 2020 11:36:36 +0200
Subject: [PATCH] add `ocis.id` and numeric id claims
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Jörn Friedrich Dreyer
---
 changelog/unreleased/add-ocisid-claim.md | 7 +++++++
 oidc/claims.go | 10 ++++++++++
 2 files changed, 17 insertions(+)
 create mode 100644 changelog/unreleased/add-ocisid-claim.md

diff --git a/changelog/unreleased/add-ocisid-claim.md b/changelog/unreleased/add-ocisid-claim.md
new file mode 100644
index 000000000..10bad004a
--- /dev/null
+++ b/changelog/unreleased/add-ocisid-claim.md
@@ -0,0 +1,7 @@
+Enhancement: add `ocis.id` and numeric id claims
+
+We added an `ocis.id` claim to the OIDC standard claims. It allows the idp to send a stable identifier that can be exposed to the outside world (in contrast to sub, which might change whens the IdP changes).
+
+In addition we added `uidnumber` and `gidnumber` claims, which can be used by the IdP as well. They will be used by storage providers that integrate with an existing LDAP server.
+
+https://github.com/owncloud/ocis-pkg/pull/50
diff --git a/oidc/claims.go b/oidc/claims.go
index 3292b6259..666e61461 100644
--- a/oidc/claims.go
+++ b/oidc/claims.go
@@ -170,4 +170,14 @@ type StandardClaims struct {
 // TODO add address claim https://openid.net/specs/openid-connect-core-1_0.html#AddressClaim
 Address map[string]interface{} `json:"address,omitempty"`
 KCIdentity map[string]string `json:"kc.identity,omitempty"`
+
+ // To integrate with an existing LDAP server the IdP can send the numeric user and group id:
+
+ // UIDNumber is a unique numerical id that will be used when setting acls on a storage that integrates with the OS/LDAP
+ UIDNumber string `json:"uidnumber,omitempty"`
+ // GIDNumber is a unique numerical id that will be used when setting acls on a storage that integrates with the OS/LDAP
+ GIDNumber string `json:"gidnumber,omitempty"`
+
+ // OcisID is a unique, persistent, non reassignable user id
+ OcisID string `json:"ocis.id,omitempty"`
 }
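Review bot: UIDNumber and GIDNumber are declared as `string` although their comments and the changelog describe them as numeric ids; if the IdP emits them as JSON numbers (the natural form for an LDAP uidNumber/gidNumber), `encoding/json` will reject the whole claims object with an unmarshal type error rather than just leaving the field empty. Consider declaring them as `json.Number` with the same `json:"uidnumber,omitempty"` / `json:"gidnumber,omitempty"` tags, which decodes from a JSON number and also from a string holding a valid number, or state in the field comments that the IdP must send these values as JSON strings. Because the comments say these values feed storage ACLs, they should also tell consumers to parse and range-check the claim (reject anything that is not an unsigned integer and decide explicitly whether 0, i.e. root, is acceptable) instead of passing it through, and that the values are only as trustworthy as the token signature check that produced the claims. The `StandardClaims` struct begins outside the hunk.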