When Webapi is setup with e.g. OIDC and a new User signs in, it defaults to the public role. Without any preparation on the database, an admin has to set the actual roles afterwards. It would be more comfortable if the default roles could be configurable, similar to the User-Import from AD via the property security.ad.default.import.group.
Define a new property security.default.roles, that sets the default roles:
// in AtlasSecurity.java
@Value("${security.default.roles}#{T(java.util.Set).of('public')}")
protected Set<String> defaultRoles;
This would apply to all authentications.
Alternative for OIDC
Allow to define a roles claim in the access token. By default Keycloak already sets this claim and pac4j parses it.
May add a property in webapi, that switches interpreting of the supplied roles. The huge advantage here is, that authorization can be managed by the IDP/Keycloak.
Current Behavior
When Webapi is setup with e.g. OIDC and a new User signs in, it defaults to the
public
role. Without any preparation on the database, an admin has to set the actual roles afterwards. It would be more comfortable if the default roles could be configurable, similar to the User-Import from AD via the propertysecurity.ad.default.import.group
.The default role is hardcoded here: https://github.com/OHDSI/WebAPI/blob/3f9e90c5a62dac4557f34f85b2d0ce70d58b439d/src/main/java/org/ohdsi/webapi/shiro/management/AtlasSecurity.java#L79
Proposal
Define a new property
security.default.roles
, that sets the default roles:This would apply to all authentications.
Alternative for OIDC
Allow to define a
roles
claim in the access token. By default Keycloak already sets this claim and pac4j parses it. May add a property in webapi, that switches interpreting of the supplied roles. The huge advantage here is, that authorization can be managed by the IDP/Keycloak.