Configuration - Specify which JWT claims pass through to MSSQL Session Context

[yorek]

As per discussion here: #1094, it would be good to have a way to define which element of the received JWT token are passed into the SESSION_CONTEXT. For example:

"context":{
  "userId":[$.user_id,$.objectid],
 "roles":"[$.userroles,$.roles]
}

[simonsabin]

Following on the discussion where only the current resolved role is passed, this would allow for ALL role claims AND all user roles to be passed as session context.
The current model really only gives the ability to differentiate between auth and non auth users, which largely one would do at the higher level not with RLS (main use case for Session Context)
RLS shines when allowing filtering by user when the user is resolved to a group in RLS to filter the results, or by group where the group is used to filter results. i.e. user has access to sales data, but is part of finance and so can see all sales, or part of North America sales and so can only see North America sales.

Passing all user roles/claims to session context allows resolution of the situation where a user is in multiple roles, something the current model doesn't allow for.

[yorek]

@simonsabin it looks like at the end the implementation is much closer to what you were asking for. Take a look here: https://github.com/Azure/data-api-builder/blob/main/docs/runtime-to-database-authorization.md. Feedbacks?

[Aniruddh25]

No feedback provided, yet - moving to May2023 until we know what the requirements are