OIDC tokens and roles claims
ZendHQ requires a valid OpenID Connect id_token issued by the identity provider. This token must be a JWT containing the claims listed in the following table.
| Claim | Description |
|---|---|
|
preferred_username |
The preferred username of the user |
|
oid |
The object ID of the user |
|
iss |
The issuer of the token |
|
aud |
The audience of the token |
|
exp |
The expiration time of the token |
|
nbf |
The not-before time of the token |
|
roles |
An array of strings representing the user's roles |
The roles claim determines what features a user can access within ZendHQ. These roles must be included in the token and follow a specific naming convention.
ZendHQ uses any roles that follow the format zendhq.<service>[.<permission>], where
-
<service> is the name of a valid service (as specified in Valid services)
-
<permission> is optional and specifies a valid permission (as listed in Valid permissions)
Omitting the optional permission grants all permissions for the given service.
Valid services
The following table specifies valid services.
| Service | Description |
|---|---|
|
conf |
User has access to configuration, including monitoring rules |
|
ct |
User has access to code traces |
|
jq |
User has access to job queue |
|
mon |
User has access to monitoring events and issues |
|
zray |
User has access to Z-Ray |
Valid permissions
The following table specifies valid permissions.
| Service | Description |
|---|---|
|
read |
User has read access |
|
write |
User has write access |
|
execute |
User has intrusive access |
Example roles claims
Roles claim for an administrator with full access to all the services
{
"roles": [
"zendhq.conf",
"zendhq.ct",
"zendhq.jq",
"zendhq.mon",
"zendhq.zray"
]
}Roles claim for a developer
{
"roles": [
"zendhq.conf.read",
"zendhq.ct.read",
"zendhq.jq.read",
"zendhq.jq.write",
"zendhq.mon.read",
"zendhq.zray.read",
"zendhq.zray.write"
]
}