This repository was archived by the owner on Mar 20, 2025. It is now read-only.

Restrict clients to organisations explicitly granted only #142

@vlaurin

Description


Currently, clients (i.e. headless, service-to-service, no user) are given 'ORGANIZATION' level access with PUBLIC classification for all organisations.

https://github.com/quickcase/spring-oidc/blob/main/api/src/main/java/app/quickcase/spring/oidc/authentication/QuickcaseClientAuthentication.java#L16-L21

Instead, by default a security exception should be thrown to interrupt processing and prevent access, as clients should only be allowed access to organisations they were explicitly granted.

However, as the user info endpoint is not available for clients, organisations can only be retrieved via access token custom claims, which are not supported by all OIDC providers. To preserve compatibility with these providers, the current behaviour should be preserved but disabled by default and only enabled explicitly via a config property.
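The fail-closed default with an explicit compatibility opt-in described above, as an added illustration rather than code from the spring-oidc project: the claim name `organisations`, the property name in the comment and the `ClientOrganisationResolver` class are all assumed.

```java
import java.util.Collection;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

/** Resolves which organisations a headless client may access from its access-token claims. */
public final class ClientOrganisationResolver {
    /** Marker for the legacy "every organisation, PUBLIC classification" behaviour. */
    public static final Set<String> ALL_ORGANISATIONS = Collections.singleton("*");

    // Hypothetical names: the issue does not define the claim or the config property.
    private static final String ORGANISATIONS_CLAIM = "organisations";
    // e.g. quickcase.oidc.client.legacy-all-organisations=true (assumed property, default false)
    private final boolean legacyAllOrganisationsAccess;

    public ClientOrganisationResolver(boolean legacyAllOrganisationsAccess) {
        this.legacyAllOrganisationsAccess = legacyAllOrganisationsAccess;
    }

    /**
     * Returns the organisations explicitly granted to the client via custom claims.
     * Without a usable claim the call fails closed, unless the legacy fallback was enabled in config.
     */
    public Set<String> resolve(Map<String, Object> claims) {
        Object raw = claims.get(ORGANISATIONS_CLAIM);
        if (raw instanceof Collection<?> values && !values.isEmpty()) {
            Set<String> granted = new LinkedHashSet<>();
            for (Object v : values) {
                granted.add(String.valueOf(v));
            }
            return Collections.unmodifiableSet(granted);
        }
        if (legacyAllOrganisationsAccess) {
            return ALL_ORGANISATIONS; // compatibility mode for providers without custom access-token claims
        }
        throw new SecurityException("Client token carries no organisation grant; refusing access");
    }

    public static void main(String[] args) {
        // Constructed sample claims, not captured from a real provider.
        Map<String, Object> granted = Map.of("sub", "svc-billing", ORGANISATIONS_CLAIM, List.of("org-a", "org-b"));
        Map<String, Object> noGrant = Map.of("sub", "svc-reports");

        System.out.println(new ClientOrganisationResolver(false).resolve(granted));
        System.out.println(new ClientOrganisationResolver(true).resolve(noGrant));
        try {
            new ClientOrganisationResolver(false).resolve(noGrant);
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```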
