allow using different field as identifier, configurable per idp #5556

Draft
jessegeens wants to merge 3 commits into release-3.7 from feat/lw-acls-email

@jessegeens
Contributor

For having CERN users keep sub, external users use email:

```toml
[grpc.services.authprovider.auth_managers.oidc]
default_id_claim = "email"

[grpc.services.authprovider.auth_managers.oidc.idp_to_id_claim]
"f3700f7d-85b5-4b29-b6b4-987522ac9ea6" = "sub"
```

@update-docs
update-docs bot commented Mar 25, 2026

Thanks for opening this pull request! The maintainers of this repository would appreciate it if you would create a changelog item based on your changes.

@jessegeens jessegeens force-pushed the release-3.7 branch 2 times, most recently from fc19a42 to f72abec Compare March 30, 2026 09:14
dependabot bot and others added 2 commits March 30, 2026 13:36
* Use a (configurable) dedicated service account for accesses made by external accounts,
  instead of impersonating the owner or using a token
* Renamed the different types of auth to be more clear (e.g. cboxAuth became systemAuth)
* Added an `InvalidAuthorization` to be returned instead of an empty auth; because empty auth maps to the system user (which is a sudo'er)
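
The reasoning in the last bullet, as an added Go example that is not code from this pull request: when a failed lookup returns an empty value and the empty value means "system", a miss is silently promoted to the privileged account, while an explicit invalid sentinel fails closed. All type and function names are hypothetical, and the token map is constructed sample data.

```go
package main

import "fmt"

type AuthKind int // hypothetical type for illustration, not the project's definition

const (
	SystemAuth  AuthKind = iota // zero value: the privileged system user
	UserAuth                    // a regular user with a token
	InvalidAuth                 // explicit sentinel: no usable credentials
)

type Authorization struct {
	Kind  AuthKind
	Token string
}

var ErrInvalidAuthorization = fmt.Errorf("invalid authorization")

// lookupLegacy returns an empty Authorization on a miss, which is SystemAuth.
func lookupLegacy(tokens map[string]string, user string) Authorization {
	if t, ok := tokens[user]; ok {
		return Authorization{Kind: UserAuth, Token: t}
	}
	return Authorization{}
}

// lookupHardened returns the explicit InvalidAuth sentinel on a miss.
func lookupHardened(tokens map[string]string, user string) Authorization {
	if t, ok := tokens[user]; ok {
		return Authorization{Kind: UserAuth, Token: t}
	}
	return Authorization{Kind: InvalidAuth}
}

// Authorize names the identity a request runs as and rejects every other kind.
func Authorize(a Authorization) (string, error) {
	switch a.Kind {
	case SystemAuth:
		return "system", nil
	case UserAuth:
		return "user", nil
	}
	return "", ErrInvalidAuthorization
}

func main() {
	tokens := map[string]string{"alice": "constructed-token"} // constructed sample
	fmt.Println(Authorize(lookupLegacy(tokens, "external")))
	fmt.Println(Authorize(lookupHardened(tokens, "external")))
}
```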