solo-io / gloo-portal-issues

Public tracker for issues related to Gloo Portal
https://docs.solo.io/gloo-portal/latest/

Extend Portal AuthConfigs to support multi-stage authZ including user-managed services #180

Open jameshbarton opened 1 year ago

jameshbarton commented 1 year ago

Is your feature request related to a problem? Please describe.

A Portal user requires a multi-step authNZ process. The information they get back from the IdP just represents authN, an email address claim. It does not provide authZ.

Describe the solution you'd like

The user maintains a separate custom authZ service that augments a JWT with additional claims for info like organization, subscription level, etc. These authZ-added claims are required to make decisions around routing and rate-limiting. The user needs Portal to support a multi-step AuthConfig (similar to Edge) that allows authN through the OIDC service and a subsequent passthrough authZ step to a custom service.

Additional context

Related to #172

bewebi commented 1 year ago

In a nutshell we want to add a step sometime after authenticating with an IdP on Portal login that passes some/all claims from the IdP to a passthrough Auth server they maintain.

It is unclear whether this needs to be per-request (ie part of a UsagePlan) or if it can be added as a step on Portal login (ie while we are working with the claims anyway). If the customer wants the former we should clarify why assigning claim values to Groups with AccessLevel set exactly as desired is not a viable solution.

A further call with the customer may be necessary, including myself, to clarify the ask and the purpose in order to determine the best course of action.
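For reference, this is the shape of the chained AuthConfig that Gloo Edge already supports and that the request asks Portal to mirror: an OIDC authorization-code step for authN followed by a passthrough gRPC step to the user-managed authZ service. It is an added illustration written for this thread, not Portal's API or any config from the project; the issuer URL, app URL, secret name and service address are placeholders.

```yaml
# Added illustration of the Edge-style two-stage AuthConfig described above.
# Stage 1 (oauth2/oidcAuthorizationCode) establishes WHO the caller is.
# Stage 2 (passThroughAuth) consults the customer's own authZ service, which
# returns the organization/subscription claims that routing and rate-limit
# decisions depend on. If either stage fails, the request is denied.
apiVersion: enterprise.gloo.solo.io/v1
kind: AuthConfig
metadata:
  name: oidc-then-custom-authz   # placeholder name
  namespace: gloo-system
spec:
  configs:
  # Stage 1: authN via the IdP. Only proves identity (e.g. an email claim).
  - oauth2:
      oidcAuthorizationCode:
        appUrl: https://portal.example.com          # placeholder
        callbackPath: /callback
        clientId: portal                             # placeholder
        clientSecretRef:
          name: oidc-client-secret                   # placeholder Secret
          namespace: gloo-system
        issuerUrl: https://idp.example.com/          # placeholder IdP
        scopes:
        - email
  # Stage 2: authZ via the user-managed passthrough service. The claims
  # produced here, not the IdP's, are what downstream policy should trust
  # for organization, subscription level, etc.
  - passThroughAuth:
      grpc:
        address: custom-authz.default.svc.cluster.local:9001   # placeholder
        connectionTimeout: 3s
```

Chaining the two stages in one AuthConfig keeps the authZ call on the same login path as the IdP exchange, which is the "step on Portal login" option discussed above; a per-request variant would instead hang the passthrough stage off the UsagePlan.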