IBM Verify

  • 1.  How to use "groupids" supported claim in jwt

    Posted Wed October 25, 2023 11:09 AM
    Edited by Sascha W Wed May 07, 2025 10:43 AM

    Hi,

    When I create a new OAuth 2.0 OpenID definition, I can see from the metadata that ISVA supports "groupids" as a JWT claim:

    Reading the documentation, I can't find an "official" way to actually put the user's groups in this claim.
    I've been able to do it by customizing the post-token mapping rule to retrieve the groups, save them in the OAuth grant with the OAuthMappingExtUtils.associate method, and then use the pre-token mapping rule to retrieve them again from the grant and put them inside the JWT.
    I'm wondering if there is a better and simpler way to do it.
    Any ideas?
    Thank you,
    Sacha



    ------------------------------
    S
    ------------------------------



  • 2.  RE: How to use "groupids" supported claim in jwt

    Posted Wed October 25, 2023 09:17 PM

    Hi Sacha,

    If the groupIds claim is available in the user credentials, you can use Attribute sources to pull the group information and add it to the JWT.

    I hope this helps.



    ------------------------------
    Sumana Narasipur
    ------------------------------



  • 3.  RE: How to use "groupids" supported claim in jwt

    Posted Thu October 26, 2023 09:40 AM

    Hi,

    Thank you for your reply.

    Does this work for you? That was the first thing I tried, but it's not working.

    I can see the groups in the credentials:

    <stsuuser:Attribute name="AZN_CRED_GROUP_REGISTRY_IDS" type="urn:ibm:names:ITFIM:5.1:accessmanager"><stsuuser:Value>cn=group,o=isam</stsuuser:Value></stsuuser:Attribute>

    I added it to the attribute source:

    added it to the OAuth definition:
    Then I used "groupids" in the scope, but the JWT has no group claim at all.
    Thank you.
    Sacha



    ------------------------------
    Sacha Mura
    ------------------------------



  • 4.  RE: How to use "groupids" supported claim in jwt

    Posted Fri October 27, 2023 04:26 AM

    You need to request it as an id_token claim.

    Example: https://www.myidp.ibm.com/mga/sps/oauth/oauth20/authorize?nonce=VFKZRevdi4&redirect_uri=https://www.mysp.ibm.com/isam/sps/oidc/rp/isamrp/redirect/partner&response_mode=form_post&claims={"id_token":{"groupids":{"essential":true}}}&scope=openid&response_type=code&state=t00J09oIom&client_id=clientID



    ------------------------------
    Sumana Narasipur
    ------------------------------



  • 5.  RE: How to use "groupids" supported claim in jwt

    Posted Fri October 27, 2023 04:35 AM

    Thanks for the hint, but by doing so I get the claim and it's empty:

    "groupids": "n/a"