
Audience Mapping

The IDP enforces an audience → role mapping when it authorizes access to downstream services: a token for a given audience is issued only if the caller holds at least one of the roles mapped to that audience, and the token carries only the scopes listed for that audience.

Configuration

Example map as stored in the K8s Secret (kubernetes/idp/backend/secret.yaml) under the IDP_AUDIENCE_ROLE_MAP key. Each top-level key is an audience identifier:

{
  "control-admin": {
    "allowedRolesAnyOf": [
      "access-control.admin",
      "access-control.manager",
      "access-control.auditor",
      "platform.superadmin"
    ],
    "scopes": ["acl:read", "acl:write", "users:read", "roles:assign", "permissions:manage"]
  },
  "scl-admin": {
    "allowedRolesAnyOf": ["TENANT_OWNER", "TENANT_ADMIN", "TENANT_EDITOR", "platform.superadmin"],
    "scopes": ["membership:read", "membership:write", "billing:write", "reports:read"]
  },
  "yolo-admin": {
    "allowedRolesAnyOf": ["yolo.pricing.admin", "pricing.admin", "platform.superadmin"],
    "scopes": ["pricing:read", "pricing:write", "content:read", "content:write"]
  }
}

Extending the Map

Operators can extend this map per environment to authorize new audiences. An audience with no entry is not authorized, so a new downstream service receives no tokens until its entry exists.

Add an entry to the IDP_AUDIENCE_ROLE_MAP secret, keyed by the audience identifier, with:

  • allowedRolesAnyOf: array of role names. A caller needs at least one of them (any-of, not all-of) to receive a token for the audience. Names must match the caller's roles exactly; the example mixes dotted lowercase names and UPPER_SNAKE names, so copy them as the source system emits them.
  • scopes: array of scope strings that every token for this audience carries. Every caller that passes the role check gets all of them, so list only what the downstream service actually needs.

There is no wildcard or inheritance in the map: the example repeats platform.superadmin in every entry, and a break-glass role must be listed explicitly in a new entry if it should reach the new audience.
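The following added example (not the IDP's own code) shows how a backend would consume this map: it parses the page's map as it would be read from the Secret value, validates the shape documented above, applies the any-of role check to decide whether a token for an audience may be minted and which scopes it gets, and adds a new audience entry without silently overwriting an existing one. The function names, the `reports-api` audience and the `reports.viewer` role used in the usage section are assumptions for illustration; the map itself is the page's example embedded as a constructed JSON string.

```python
from __future__ import annotations

import json
from typing import Iterable, Optional

# Constructed sample input: the page's map as it would be read from the
# IDP_AUDIENCE_ROLE_MAP value of the Secret (embedded here as a JSON string).
AUDIENCE_ROLE_MAP_JSON = """
{
  "control-admin": {
    "allowedRolesAnyOf": ["access-control.admin", "access-control.manager",
                          "access-control.auditor", "platform.superadmin"],
    "scopes": ["acl:read", "acl:write", "users:read", "roles:assign", "permissions:manage"]
  },
  "scl-admin": {
    "allowedRolesAnyOf": ["TENANT_OWNER", "TENANT_ADMIN", "TENANT_EDITOR", "platform.superadmin"],
    "scopes": ["membership:read", "membership:write", "billing:write", "reports:read"]
  },
  "yolo-admin": {
    "allowedRolesAnyOf": ["yolo.pricing.admin", "pricing.admin", "platform.superadmin"],
    "scopes": ["pricing:read", "pricing:write", "content:read", "content:write"]
  }
}
"""

REQUIRED_KEYS = ("allowedRolesAnyOf", "scopes")


def validate_audience_map(data: object) -> list[str]:
    """Return the problems found in a parsed map (an empty list means valid).

    Checks the shape the page documents: an object keyed by audience, where
    every entry carries non-empty string arrays allowedRolesAnyOf and scopes
    and nothing else.
    """
    problems: list[str] = []
    if not isinstance(data, dict) or not data:
        return ["map must be a non-empty JSON object keyed by audience"]
    for aud, entry in data.items():
        if not isinstance(entry, dict):
            problems.append(f"{aud}: entry must be an object")
            continue
        for key in REQUIRED_KEYS:
            values = entry.get(key)
            if (not isinstance(values, list) or not values
                    or not all(isinstance(v, str) and v for v in values)):
                problems.append(f"{aud}: {key} must be a non-empty array of strings")
        for key in entry:
            if key not in REQUIRED_KEYS:
                problems.append(f"{aud}: unknown key {key!r}")
    return problems


def load_audience_map(raw: str) -> dict:
    """Parse the Secret value and fail closed at startup on any structural problem."""
    data = json.loads(raw)
    problems = validate_audience_map(data)
    if problems:
        raise ValueError("invalid IDP_AUDIENCE_ROLE_MAP: " + "; ".join(problems))
    return data


def authorize_audience(audience_map: dict, audience: str,
                       principal_roles: Iterable[str]) -> Optional[list[str]]:
    """Decide whether a token for `audience` may be minted for a principal.

    Returns the scopes to put in the token, or None (deny) when the audience
    is unmapped or none of the principal's roles appears in allowedRolesAnyOf.
    Role names are compared exactly (case-sensitive), as the map lists them.
    """
    entry = audience_map.get(audience)
    if entry is None:
        return None
    if not set(principal_roles).intersection(entry["allowedRolesAnyOf"]):
        return None
    return list(entry["scopes"])


def add_audience(audience_map: dict, audience: str,
                 allowed_roles: list[str], scopes: list[str]) -> dict:
    """Return a new map with one audience added, validated, and never
    overwriting an existing audience (a typo must not replace its scopes)."""
    if audience in audience_map:
        raise ValueError(f"audience {audience!r} already mapped")
    candidate = {audience: {"allowedRolesAnyOf": allowed_roles, "scopes": scopes}}
    problems = validate_audience_map(candidate)
    if problems:
        raise ValueError("; ".join(problems))
    return {**audience_map, **candidate}


if __name__ == "__main__":
    # Usage with the page's map; audience/role names below are assumed examples.
    m = load_audience_map(AUDIENCE_ROLE_MAP_JSON)
    print(authorize_audience(m, "scl-admin", ["TENANT_EDITOR"]))         # scl-admin scopes
    print(authorize_audience(m, "scl-admin", ["tenant_editor"]))         # None: exact match only
    print(authorize_audience(m, "billing-api", ["platform.superadmin"]))  # None: unmapped audience
    m2 = add_audience(m, "reports-api", ["reports.viewer"], ["reports:read"])
    print(authorize_audience(m2, "reports-api", ["reports.viewer"]))     # ['reports:read']
```

Validation runs once at load time so a malformed Secret takes the service down at startup instead of silently denying (or, worse, granting) at token time; `add_audience` returns a new map rather than mutating the loaded one, so a failed validation leaves the running configuration untouched.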