Problem/Motivation

Having to connect as an administrator to adjust roles (because they are blacklisted in the account creation) is bothersome and not as smooth as it could be.
When the access token is a JWT it can contain roles (or likely "groups") claims which should be mappable automatically to Drupal account roles (it can be a role name -> Drupal role mapping to start, for example, or something more implicit).
This would enable fully automatic provisioning of the user - updated on each login, probably - and reduce admin pressure/requirements.

A prerequisite is indeed to validate the JWT signature to ensure it can be trusted - there are other issues about it.

Steps to reproduce

Set up the plugin, then log in with a JWT containing any specific role (even admin potentially) and then ensure this role is in the created account.

Proposed resolution

Implement the feature.

Remaining tasks

TODO.

User interface changes

Add a toggle to enable this feature.
Likely the JWT validation form (issuer, kid, typ, expiry, public key/pem - at least RS256 which seems the most used one).
Add the table mapping UI to configure the automatic role mapping.

API changes

Don't think it needs any since there is already a callback at the correct position to implement it so this issue is just about making it a built-in feature.

Data model changes

Role mapping table.
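
The role synchronisation described in this issue, as an added sketch in plain PHP; it is not code from the module or from any patch on this issue. The function name `sync_roles_from_claims`, the `roles` claim name, the shape of the mapping table and the sample data are all assumptions, and the claims are assumed to come from a JWT whose signature, issuer and expiry were already validated.

```php
<?php
declare(strict_types=1);

/**
 * Compute the Drupal roles an account should hold after a login.
 *
 * $claims       Claims of a JWT that was ALREADY verified (signature, issuer, expiry).
 * $roleMap      Hypothetical admin-configured table: claim value => Drupal role ID.
 * $currentRoles Role IDs the account holds before this login.
 */
function sync_roles_from_claims(array $claims, array $roleMap, array $currentRoles, string $claimName = 'roles'): array {
  $raw = $claims[$claimName] ?? [];
  // Some identity providers send a single string instead of a list.
  if (is_string($raw)) {
    $raw = [$raw];
  }
  if (!is_array($raw)) {
    $raw = [];
  }

  // Only values present in the mapping table grant anything, so a token can
  // never name a Drupal role (such as an administrator role) directly.
  $granted = [];
  foreach ($raw as $value) {
    if (is_string($value) && isset($roleMap[$value])) {
      $granted[] = $roleMap[$value];
    }
  }

  // Roles managed by the mapping are revoked when the claim no longer lists
  // them; roles assigned by hand outside the mapping are left untouched.
  $managed = array_values($roleMap);
  $kept = array_diff($currentRoles, $managed);

  $result = array_unique(array_merge($kept, $granted));
  sort($result);
  return $result;
}

// Constructed sample data, not taken from a real site or token.
$roleMap = ['cms-editors' => 'editor', 'cms-reviewers' => 'reviewer'];
$claims = ['sub' => 'user-123', 'roles' => ['cms-editors', 'administrator', 42]];
$current = ['authenticated', 'reviewer', 'site_builder'];

// 'administrator' and 42 are not keys of the mapping table, so they grant nothing.
print_r(sync_roles_from_claims($claims, $roleMap, $current));
```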


Comments

rmannibucau created an issue. See original summary.

fbbarros made their first commit to this issue’s fork.

jcnventura’s picture

Status: Active » Needs review

jcnventura’s picture

Version: 8.x-1.0-beta6 » 2.x-dev

1.x is no longer getting new features

carantunes made their first commit to this issue’s fork.

jcnventura’s picture

Status: Needs review » Needs work

Please rebase this to the latest 2.x state.

jcnventura’s picture

No problem, Carina :) Welcome to Drupal.

kosamara’s picture

Hi @jcnventura! Maybe this issue can be marked for review? We're testing Carina's patch for use on our infrastructure at CERN.