feat(jans-cedarling): Support custom tokens and automatically populate principal entity attrs with token entity refs #10591
Labels: comp-jans-cedarling (Touching folder /jans-cedarling), enhancement, kind-feature (Issue or PR is a new feature request)
Is your feature request related to a problem? Please describe.
When creating policies, users might need access to token entities. For instance, a token entity could be referenced in the attributes of a principal entity. Here's an example of how this might look in a schema:
To streamline this process, we aim to automate the creation of these token entities and ensure they are properly referenced within principal entities. However, this requires a mechanism to link token entities to their corresponding principals during entity creation.
Furthermore, we want this solution to support any custom tokens that the user might want.
Describe the solution you'd like
Supporting custom tokens
Currently, input tokens are passed into Cedarling using a map:
Token Name -> Entity Name mapping
We know that the access_token, id_token, and userinfo_token are token entities because of the CEDARLING_MAPPING_ID_TOKEN, CEDARLING_MAPPING_ACCESS_TOKEN, and CEDARLING_MAPPING_USERINFO_TOKEN bootstrap properties. However, we might need more than these to support custom tokens. Instead of a separate bootstrap property for each token, we can use a single object to hold all token-to-entity-name mappings.
Token Entity -> Principal Entity mapping
To support putting custom tokens into principal entities, we can introduce a bootstrap property called CEDARLING_TOKEN_PRINCIPAL_MAPPER, which is a map of token identifier -> fully qualified token entity name. For example:

Automatically adding token entities to the principal entity's attributes
To automatically add token entities to the principal entity's attributes, we can employ the following approach:
In this approach, we utilize the already existing Cedar schema together with the CEDARLING_TOKEN_ENTITY_MAPPER bootstrap property to:

Describe alternatives you've considered
N/A
Additional context
This feature would make token handling in Cedarling more customizable and applicable to a broader range of scenarios, including systems with non-standard or custom token usage.
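As an added illustration of the single token-to-entity mapping and the automatic principal attribute population proposed above (example code written for this issue, not Cedarling's own implementation): the mapper shape, the `Jans::...` entity type names, the use of the `jti` claim as entity id, and the sample tokens are all assumptions, and the output follows Cedar's JSON entity format.

```python
# Illustrative model of the proposed single token-to-entity mapper (not Cedarling code).
from typing import Any, Dict, Tuple

# Assumed shape of CEDARLING_TOKEN_ENTITY_MAPPER: token name -> fully qualified
# Cedar entity type. The "Jans::..." type names are hypothetical placeholders.
TOKEN_ENTITY_MAPPER = {
    "access_token": "Jans::Access_token",
    "id_token": "Jans::Id_token",
    "userinfo_token": "Jans::Userinfo_token",
    "custom_token": "Jans::Custom_token",  # a custom token added by the user
}

# Constructed decoded-claim dicts standing in for real JWTs (already validated).
SAMPLE_TOKENS = {
    "access_token": {"jti": "at-001", "sub": "alice", "scope": "openid"},
    "id_token": {"jti": "idt-001", "sub": "alice", "aud": "client-1"},
    "custom_token": {"jti": "ct-001", "sub": "alice", "org": "acme"},
    "unmapped_token": {"jti": "x-001"},  # not in the mapper: must be ignored
}


def build_entities(mapper: Dict[str, str], tokens: Dict[str, Dict[str, Any]],
                   principal_type: str, principal_id: str) -> Tuple[list, Dict[str, Any]]:
    """Create one entity per mapped token and reference each from the principal.

    Only tokens present in both the mapper and the input become entities; a mapped
    token that was not supplied yields no principal attribute, so a policy that
    reads it fails closed instead of following a dangling reference.
    """
    token_entities = []
    principal_attrs: Dict[str, Any] = {}
    for name, entity_type in mapper.items():
        claims = tokens.get(name)
        if claims is None:
            continue
        jti = claims.get("jti")
        if not jti:  # without a stable id, two tokens could collapse into one entity
            raise ValueError(f"{name} has no jti claim; cannot derive an entity id")
        token_entities.append({"uid": {"type": entity_type, "id": jti},
                               "attrs": dict(claims), "parents": []})
        # Cedar JSON entity-reference form, stored under the token name as attribute
        principal_attrs[name] = {"__entity": {"type": entity_type, "id": jti}}
    principal = {"uid": {"type": principal_type, "id": principal_id},
                 "attrs": principal_attrs, "parents": []}
    return token_entities, principal


def example() -> Tuple[list, Dict[str, Any]]:
    return build_entities(TOKEN_ENTITY_MAPPER, SAMPLE_TOKENS, "Jans::User", "alice")
```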