OHDSI / WebAPI

OHDSI WebAPI contains all OHDSI services that can be called from OHDSI applications
Apache License 2.0

Proposal: Default-Roles configurable via property #2345

Open thoniTUB opened 4 months ago

thoniTUB commented 4 months ago

Current Behavior

When WebAPI is set up with e.g. OIDC and a new user signs in, it defaults to the public role. Without any preparation of the database, an admin has to set the actual roles afterwards. It would be more comfortable if the default roles could be configured, similar to the user import from AD via the property security.ad.default.import.group.

The default role is hardcoded here: https://github.com/OHDSI/WebAPI/blob/3f9e90c5a62dac4557f34f85b2d0ce70d58b439d/src/main/java/org/ohdsi/webapi/shiro/management/AtlasSecurity.java#L79

Proposal

Define a new property security.default.roles, that sets the default roles:

// in AtlasSecurity.java
// comma-separated list of role names; falls back to "public" when the property is unset
// (the "${...:default}" placeholder syntax is what makes the fallback work in @Value)
@Value("#{'${security.default.roles:public}'.split(',')}")
protected Set<String> defaultRoles;

This would apply to all authentications.

Alternative for OIDC

Allow defining a roles claim in the access token. By default Keycloak already sets this claim and pac4j parses it. A property could be added in WebAPI that switches on interpreting the supplied roles. The huge advantage here is that authorization can be managed by the IdP/Keycloak.
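To show how the two proposals fit together, here is an added example (not WebAPI code) of a hypothetical DefaultRoleResolver that parses the proposed security.default.roles property the same way the @Value expression would and, behind a switch, merges in roles from a "roles" claim; the role names, the claim key and Java 17 are assumptions.

```java
import java.util.*;
import java.util.stream.Collectors;

/** Resolves the roles a newly signed-in user receives (added example, not WebAPI code). */
public final class DefaultRoleResolver {
    private static final Set<String> FALLBACK = Set.of("public");
    private final Set<String> configuredDefaults;
    private final boolean useTokenRolesClaim;

    /** @param securityDefaultRoles raw value of security.default.roles, may be null */
    public DefaultRoleResolver(String securityDefaultRoles, boolean useTokenRolesClaim) {
        this.configuredDefaults = parseRoleList(securityDefaultRoles);
        this.useTokenRolesClaim = useTokenRolesClaim;
    }

    /** Comma-separated list, trimmed, blanks dropped; unset or empty means "public". */
    static Set<String> parseRoleList(String raw) {
        if (raw == null || raw.isBlank()) return FALLBACK;
        Set<String> roles = Arrays.stream(raw.split(","))
                .map(String::trim)
                .filter(s -> !s.isEmpty())
                .collect(Collectors.toCollection(LinkedHashSet::new));
        return roles.isEmpty() ? FALLBACK : Collections.unmodifiableSet(roles);
    }

    /**
     * Roles for one sign-in: the configured defaults, plus the IdP-managed roles from the
     * token when the switch is on. Only pass claims from a token whose signature and issuer
     * were already verified by pac4j; roles are taken verbatim from the IdP.
     */
    public Set<String> rolesFor(Map<String, Object> tokenClaims) {
        Set<String> roles = new LinkedHashSet<>(configuredDefaults);
        Object claim = tokenClaims == null ? null : tokenClaims.get("roles"); // assumed claim key
        if (useTokenRolesClaim && claim instanceof Collection<?> values) {
            for (Object v : values) {
                if (v instanceof String s && !s.isBlank()) roles.add(s.trim());
            }
        }
        return Collections.unmodifiableSet(roles);
    }

    public static void main(String[] args) {
        // constructed sample values: property set to two roles, token carries one more
        DefaultRoleResolver r = new DefaultRoleResolver("public, reader", true);
        System.out.println(r.rolesFor(Map.of("roles", List.of("curator"))));
        // with the switch off, the claim is ignored and only the defaults apply
        System.out.println(new DefaultRoleResolver(null, false).rolesFor(Map.of("roles", List.of("curator"))));
    }
}
```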

konstjar commented 4 months ago

As an alternative, you can give the public role all needed permissions.

thoniTUB commented 4 months ago

That's a good hint, and I'll probably do that temporarily. Thank you!

> 360 Permissions with 2 Datasets configured 👀