{
"error": "unauthorized",
"reason": "You are not a server admin."
}
; Sample CouchDB settings for trying JWT authentication with a custom roles claim.
[chttpd]
; 0.0.0.0 listens on every network interface; bind to a specific address
; unless the node is meant to be reachable from all networks.
bind_address = 0.0.0.0
; The JWT handler is listed first, then the cookie handler, then the default handler.
authentication_handlers = {chttpd_auth, jwt_authentication_handler}, {chttpd_auth, cookie_authentication_handler}, {chttpd_auth, default_authentication_handler}
[jwt_auth]
; Tokens must carry an "iss" claim with the value "foobar". "exp" is not
; listed, so token expiry is presumably not required by this configuration;
; add it for anything beyond a local experiment.
required_claims = {iss, "foobar"}
; Intended to name the token claim from which the user's roles are read.
roles_custom_claim = my_custom_claim
[jwt_keys]
; Base64-encoded HMAC secret. This value decodes to "hello" and is a
; placeholder only: whoever knows the secret can sign tokens carrying any
; role, so use a long random secret and keep it out of shared files.
hmac:_default = aGVsbG8=
diff --git a/rel/overlay/etc/default.ini b/rel/overlay/etc/default.ini
index 057ed4c..d60eaf5 100644
--- a/rel/overlay/etc/default.ini
+++ b/rel/overlay/etc/default.ini
@@ -145,6 +145,7 @@ max_db_number_for_dbs_info_req = 100
; can be the name of a claim like "exp" or a tuple if the claim requires
; a parameter
; required_claims = exp, {iss, "IssuerNameHere"}
+; roles_custom_claim = _couchdb.roles
;
; [jwt_keys]
; Configure at least one key here if using the JWT auth handler.
diff --git a/src/couch/src/couch_httpd_auth.erl b/src/couch/src/couch_httpd_auth.erl
index 0d3add0..5573891 100644
--- a/src/couch/src/couch_httpd_auth.erl
+++ b/src/couch/src/couch_httpd_auth.erl
@@ -198,7 +198,7 @@ jwt_authentication_handler(Req) ->
false -> throw({unauthorized, <<"Token missing sub claim.">>});
{_, User} -> Req#httpd{user_ctx=#user_ctx{
name = User,
- roles = couch_util:get_value(<<"_couchdb.roles">>, Claims, [])
+ roles = couch_util:get_value(config:get("jwt_auth", "roles_custom_claim", <<"_couchdb.roles">>), Claims, [])
}}
end;
{error, Reason} ->
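Review bot: On the added `roles =` line the claim name is a string when it comes from the ini file but a binary when the default is used, so a configured `roles_custom_claim` will likely never match. `config:get/3` presumably returns configured values as lists, while the removed line's `<<"_couchdb.roles">>` indicates the keys in `Claims` are binaries; the lookup then falls back to `[]` and the user is authenticated with no roles. Give the default as a string and convert once: `roles = couch_util:get_value(list_to_binary(config:get("jwt_auth", "roles_custom_claim", "_couchdb.roles")), Claims, [])`. It would also be worth a comment that the claim's value is trusted as-is, so a token may carry `_admin`, and that it is not checked to be a list of binaries. `jwt_authentication_handler/1` starts and ends outside the hunk.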
https://jwt.io/#debugger-io?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJmb29iYXIiLCJuYW1lIjoiSm9obiBEb2UiLCJpYXQiOjE1MTYyMzkwMjIsIm15X2N1c3RvbV9jbGFpbSI6WyJfYWRtaW4iXSwiaXNzIjoiZm9vYmFyIn0.HVGUkxqAJI4PhlLasOrFqPZ3x8qvf-4r-SMQJao1pOY