Query on claim used for OIDC principal extractor

[thisisjustinm]

Ask the Question

In the OidcAuthTokenPrincipalExtractor "user_uuid" is used as the only claim

cloud-sdk-java/cloudplatform/security/src/main/java/com/sap/cloud/sdk/cloudplatform/security/principal/OidcAuthTokenPrincipalExtractor.java

Line 18 in 2344f63

private static final String JWT_USER_UUID_CLAIM = "user_uuid";

In case "user_uuid" is missing, would it make sense to have a fallback claim to rely on?

[strehle]

At least claim email is a claim which is more often in a JWT than user_uuid, thus would be an alternative.

[MatKuhr]

Hi colleagues, can you elaborate a bit more what the use case for this would be?

Background: The SDK needs to use an identifier that is unique among all users of the same IAS tenant, and user_uuid naturally provides that. With other claims we may not have this guarantee.

You can also explicitly set a Principal, or customize the behavior by providing a custom facade implementation, but especially the latter is a bit tricky and I'd not recommend it.

Finally, please be aware that the SDK logic only applies, if the CAP isn't used. If CAP is used, then the default CAP logic applies.