Hi everyone,
I am using OIDC for auth to Vault and wonder if the following is somehow realizable.
In the OIDC token I have a (nested) claim containing things like myteam.role and myteam.name:

{
  "acr": "1",
  ...
  "myteam": {
    "name": ["team1"],
    "role": ["member"],
    ...
  },
  ...
  "given_name": "User",
  "sid": "sid",
  "sub": "sub",
  "typ": "ID"
}
My oidc/ auth is currently configured like:

{
  ...
  "bound_claims": {
    "/myteam/name": ["team1", "team2"]
  },
  "claim_mappings": {
    "/myteam/name/0": "myteam_name_0",
    "/myteam/role/0": "myteam_role_0"
  },
  "groups_claim": "/myteam/name",
  "token_policies": "",
  ...
}
while having groups + group aliases for team1 and team2 with the corresponding policies policy_team1 and policy_team2 attached.
What I want is to have the groups_claim somehow not only consider the myteam.name to match a group but additionally the myteam.role, e.g. if the claim is

(1)
team.name: "team1"
team.role: "member"

I want to assign group team1_member, yet for claim

(2)
team.name: "team1"
team.role: "lead"

I want to assign group team1_lead.
An alternative could be to assign multiple roles depending on multiple claims, e.g. for (1): assign group team1 (based on the team.name claim) and group member (based on the team.role claim). For (2) then respectively assign group team1 (based on the team.name claim) and group lead (based on the team.role claim).
Any help/ideas are greatly appreciated!
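As an added illustration (not code from the original post, and not Vault's own implementation), the following Python models how a Vault OIDC/JWT role evaluates the posted token. Because groups_claim resolves a single claim selector, the model does not try to combine two claims into one alias; instead it shows one role per team+role combination, each with bound_claims on both /myteam/name and /myteam/role, so the token_policies differ per combination while the group alias still comes from /myteam/name alone. The role and policy names, the token contents, and the matching semantics (a key starting with "/" is an RFC 6901 JSON pointer, every bound_claims entry must hold, and a list-valued claim matches if any element is allowed) are assumptions written from the documented behavior.

```python
"""Added example for this page (not code from the original post or from Vault):
a model of how a Vault OIDC/JWT role evaluates a token against bound_claims,
claim_mappings and groups_claim. Assumed semantics: a claim key beginning with
"/" is an RFC 6901 JSON pointer (otherwise a top-level claim name), all
bound_claims entries must be satisfied, and a list-valued claim satisfies an
entry if any element is in the allowed list. Role/policy names are hypothetical."""

from typing import Any, Optional

# Constructed sample ID-token claims, shaped like the token in the post.
TOKEN_TEAM1_MEMBER: dict[str, Any] = {
    "acr": "1", "myteam": {"name": ["team1"], "role": ["member"]},
    "given_name": "User", "sub": "sub", "typ": "ID",
}
TOKEN_TEAM1_LEAD: dict[str, Any] = {
    "acr": "1", "myteam": {"name": ["team1"], "role": ["lead"]},
    "given_name": "Lead", "sub": "sub2", "typ": "ID",
}

# Hypothetical roles: one per team+role combination, bound to BOTH claims, so a
# token must carry the right name AND role to log in with that role.
ROLES: dict[str, dict[str, Any]] = {
    "team1_member": {
        "bound_claims": {"/myteam/name": ["team1"], "/myteam/role": ["member"]},
        "claim_mappings": {"/myteam/name/0": "myteam_name_0", "/myteam/role/0": "myteam_role_0"},
        "groups_claim": "/myteam/name",
        "token_policies": ["policy_team1_member"],
    },
    "team1_lead": {
        "bound_claims": {"/myteam/name": ["team1"], "/myteam/role": ["lead"]},
        "claim_mappings": {"/myteam/name/0": "myteam_name_0", "/myteam/role/0": "myteam_role_0"},
        "groups_claim": "/myteam/name",
        "token_policies": ["policy_team1_lead"],
    },
    "any_team_member": {  # the post's single-claim style, kept for comparison
        "bound_claims": {"/myteam/name": ["team1", "team2"]},
        "claim_mappings": {},
        "groups_claim": "/myteam/name",
        "token_policies": ["policy_member_default"],
    },
}


def resolve_claim(claims: dict[str, Any], selector: str) -> Any:
    """Look up a claim by top-level name or JSON pointer; None if absent."""
    if not selector.startswith("/"):
        return claims.get(selector)
    node: Any = claims
    for raw in selector[1:].split("/"):
        token = raw.replace("~1", "/").replace("~0", "~")  # RFC 6901 unescaping
        if isinstance(node, dict):
            if token not in node:
                return None
            node = node[token]
        elif isinstance(node, list):
            if not token.isdigit() or int(token) >= len(node):
                return None
            node = node[int(token)]
        else:
            return None
    return node


def bound_claims_match(claims: dict[str, Any], bound: dict[str, list]) -> bool:
    """Every entry must match; a list-valued claim matches on any element."""
    for selector, allowed in bound.items():
        actual = resolve_claim(claims, selector)
        if actual is None:
            return False
        values = actual if isinstance(actual, list) else [actual]
        if not any(v in allowed for v in values):
            return False
    return True


def login_result(claims: dict[str, Any], role: dict[str, Any]) -> Optional[dict]:
    """Model a login against one role: None if rejected, else what the token gets."""
    if not bound_claims_match(claims, role["bound_claims"]):
        return None
    metadata = {}
    for selector, key in role.get("claim_mappings", {}).items():
        value = resolve_claim(claims, selector)
        if value is not None:
            metadata[key] = str(value)  # entity metadata values are strings
    groups = resolve_claim(claims, role["groups_claim"]) if role.get("groups_claim") else None
    aliases = [str(g) for g in groups] if isinstance(groups, list) else []
    return {"policies": list(role["token_policies"]), "metadata": metadata,
            "group_aliases": aliases}


def accepting_roles(claims: dict[str, Any], roles: dict[str, dict[str, Any]] = ROLES) -> list[str]:
    """Names of the roles whose bound_claims this token satisfies."""
    return sorted(name for name, role in roles.items()
                  if bound_claims_match(claims, role["bound_claims"]))


if __name__ == "__main__":
    for label, tok in (("member", TOKEN_TEAM1_MEMBER), ("lead", TOKEN_TEAM1_LEAD)):
        print(label, "->", accepting_roles(tok), login_result(tok, ROLES["team1_lead"]))
```

Note that real Vault does not pick a role from the claims: the client names the role at login (`vault login -method=oidc role=team1_lead`), and bound_claims then only decide whether that login is accepted or rejected. accepting_roles() exists here to make visible that the single-claim role accepts both tokens while the two-claim roles separate member from lead.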