Sync Gateway OpenId Implicit flow users/roles

I’m looking through the documentation for configuring the Sync Gateway to allow authentication with OpenID Connect implicit flow and have run into some questions I’m looking to get help with. I already have in place an identity provider which issues user security tokens including the user’s roles. Assuming I’ve configured the Sync Gateway to trust this issuer, my questions are as follows.

  1. I can choose to create a session using a bearer token, or continue providing the bearer token in all calls. Is there any reason to create a session besides weighing the JWT’s increased transmission size and CPU verification load versus the session’s lookup time?
  2. I see the register configuration entry when configuring the OIDC provider - is creating a local Sync Gateway user required or can the information in the security token be presented and used for all calls?
  3. Is there a way through configuration to link the concept of role claims in a JWT token to SyncGateway roles for the purpose of channel access?

Thanks

  1. You can choose not to set up a session if you don’t want to and send the Bearer token in every subsequent call. Just set disable_session to true in your config file. I don’t see any specific trade-offs other than the ones you mentioned.
  2. As indicated in the description, this is optional
  3. Not sure if that’s possible @bbrks - any thoughts on this ?
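For reference, here is what the OIDC provider block in a Sync Gateway database config looks like with the two settings discussed above set (added illustration, not a snippet from the thread or from the Sync Gateway docs). The database name `db`, the provider name `myidp`, the issuer URL and the client ID are placeholders to be replaced with values from your own identity provider; `register: true` lets Sync Gateway create the local user on first authentication, and `disable_session: true` means no session cookie is issued, so clients keep sending the bearer token.

```json
{
  "databases": {
    "db": {
      "oidc": {
        "default_provider": "myidp",
        "providers": {
          "myidp": {
            "issuer": "https://idp.example.com",
            "client_id": "sync-gateway-app",
            "register": true,
            "disable_session": true
          }
        }
      }
    }
  }
}
```

If you would rather have Sync Gateway mint a session after the first token is verified, drop `disable_session` (it defaults to false); the token is still validated against the trusted issuer either way.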
  1. That’s not currently possible. There have been discussions around mapping JWT claims to SG roles previously, but as of yet this feature does not exist.