OpenID Connect claim for group with membership level
Problem to solve
Allow an OpenID Connect application to check whether a user has Owner (or Maintainer, or Developer) access to a group, rather than only whether the user is a member.
Intended users
Further details
Usually Guest or Reporter access to a project can be considered low risk, as such users can't break much. But the access level is not included in the group claims provided to an OpenID Connect application, so the application cannot check it.
Providing the actual access level in the claim makes it possible to
- grant application access only to members with a given level, without creating yet another top-level group for that purpose, or
- add another line of defence, so that someone accidentally added to a group with a low access level does not thereby gain access to the application.
Proposal
Provide further custom claims, one per group access level, each listing the full paths of the groups in which the user holds that level, something like this:
{
  "https://gitlab.com/claims/groups/access/owner": [
    "example1/sub",
    "example2/sub"
  ],
  "https://gitlab.com/claims/groups/access/maintainer": [
    "example1"
  ],
  "https://gitlab.com/claims/groups/access/developer": [
    "example2"
  ]
}
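To show how a relying party would consume such claims, here is an added example (not GitLab code and not part of this proposal) of the authorization check on the application side. It assumes the claim URIs proposed above, a constructed ID-token payload, and that the token's signature, issuer, audience and expiry have already been verified by the OIDC client library, since these checks are authorization on top of a trusted token, not a replacement for verifying it. It also assumes GitLab's usual rule that membership in a parent group is inherited by its subgroups, and walks the group path so that the check gives the same answer whether or not the claims enumerate inherited memberships. The two lower levels (guest, reporter) are included in the ordering as an assumption, so that "at least Developer" can be expressed uniformly.

```python
"""Evaluate proposed per-access-level GitLab group claims in an ID token.

Added example, not GitLab's implementation. Claim names follow the proposal;
the token payload below is constructed for illustration.
"""
from typing import Dict, Optional

CLAIM_PREFIX = "https://gitlab.com/claims/groups/access/"

# Ascending privilege order. guest/reporter are an assumption (the proposal
# only lists owner/maintainer/developer) so minimum-level checks are uniform.
LEVELS = ["guest", "reporter", "developer", "maintainer", "owner"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Constructed ID-token payload. In a real application this dict comes from the
# OIDC library *after* signature/iss/aud/exp verification.
SAMPLE_CLAIMS = {
    "iss": "https://gitlab.com",
    "sub": "42",
    "aud": "example-app",
    CLAIM_PREFIX + "owner": ["example1/sub", "example2/sub"],
    CLAIM_PREFIX + "maintainer": ["example1"],
    CLAIM_PREFIX + "developer": ["example2"],
}


def direct_levels(claims: dict) -> Dict[str, str]:
    """Map each group path named in the token to the highest level listed for it.

    Iterating LEVELS in ascending order means a later assignment always wins,
    so a path appearing under two claims resolves to the higher level.
    A missing or null claim is treated as an empty list.
    """
    result: Dict[str, str] = {}
    for level in LEVELS:
        for group in claims.get(CLAIM_PREFIX + level) or []:
            result[group] = level
    return result


def effective_level(claims: dict, group_path: str) -> Optional[str]:
    """Highest level the user holds on group_path, directly or via a parent group.

    Membership in a parent group is inherited by subgroups (GitLab semantics),
    so 'example1' access also applies to 'example1/sub'. The path is split on
    '/' so that 'example1' never matches 'example10' by string prefix.
    """
    levels = direct_levels(claims)
    best: Optional[str] = None
    parts = group_path.strip("/").split("/")
    for i in range(1, len(parts) + 1):
        lvl = levels.get("/".join(parts[:i]))
        if lvl is not None and (best is None or RANK[lvl] > RANK[best]):
            best = lvl
    return best


def has_at_least(claims: dict, group_path: str, required: str) -> bool:
    """True if the user's effective level on group_path is >= required."""
    if required not in RANK:
        raise ValueError(f"unknown access level: {required}")
    lvl = effective_level(claims, group_path)
    return lvl is not None and RANK[lvl] >= RANK[required]


if __name__ == "__main__":
    # The second line of defence from the proposal: a user who is only a
    # Developer in example2 is refused where Maintainer is required.
    for path, need in [("example1/sub", "developer"), ("example2", "maintainer")]:
        print(path, need, has_at_least(SAMPLE_CLAIMS, path, need))
```

The application decides the minimum level per protected resource and calls has_at_least; the claims never need to be re-parsed for each request, since direct_levels can be cached with the session for the token's lifetime.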