Original Message:
Sent: Fri October 27, 2023 04:26 AM
From: Sumana Narasipur
Subject: How to use "groupids" supported claim in jwt
You need to request it as an id_token claim .
Example: https://www.myidp.ibm.com/mga/sps/oauth/oauth20/authorize?nonce=VFKZRevdi4&redirect_uri=https://www.mysp.ibm.com/isam/sps/oidc/rp/isamrp/redirect/partner&response_mode=form_post&claims={"id_token":{"groupids":{"essential":true}}}&scope=openid&response_type=code&state=t00J09oIom&client_id=clientID
------------------------------
Sumana Narasipur
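Added example in Python (not code from the thread or from ISVA): it builds the authorization request quoted above with the claims parameter percent-encoded, reads the requested essential claim names back out of the URL, and runs the relying-party checks on a constructed id_token payload. It assumes the id_token signature was already verified, and the issuer, audience and the groupids format (a JSON array of strings) are assumptions.

```python
import json
from urllib.parse import urlencode, urlparse, parse_qs

def build_authorize_url(base, client_id, redirect_uri, nonce, state, essential_claims):
    """OIDC authorization request asking for claims in the id_token.
    The claims value is a JSON object (OpenID Connect Core 1.0, section 5.5);
    urlencode() percent-encodes it so braces and quotes survive the URL."""
    claims = {"id_token": {name: {"essential": True} for name in essential_claims}}
    params = {
        "client_id": client_id, "redirect_uri": redirect_uri,
        "response_type": "code", "response_mode": "form_post", "scope": "openid",
        "nonce": nonce, "state": state,
        "claims": json.dumps(claims, separators=(",", ":")),
    }
    return base + "?" + urlencode(params)

def requested_id_token_claims(url):
    """Recover the essential id_token claim names from an authorization URL."""
    claims = json.loads(parse_qs(urlparse(url).query)["claims"][0])
    return sorted(n for n, spec in claims.get("id_token", {}).items() if spec.get("essential"))

def check_id_token_payload(payload, expected_nonce, issuer, client_id, now, required=("groupids",)):
    """Relying-party checks on a signature-verified id_token payload.
    Returns a list of problems; an empty list means the token is acceptable."""
    problems = []
    if payload.get("iss") != issuer:
        problems.append("iss mismatch")
    aud = payload.get("aud")
    if not (aud == client_id or (isinstance(aud, list) and client_id in aud)):
        problems.append("aud does not contain client_id")
    if payload.get("nonce") != expected_nonce:          # binds token to this login attempt
        problems.append("nonce mismatch")
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        problems.append("token expired")
    for name in required:                                # essential claims must actually be present
        value = payload.get(name)
        if not value or not isinstance(value, list) or not all(isinstance(v, str) for v in value):
            problems.append(f"essential claim {name!r} missing or not a non-empty list of strings")
    return problems

# Constructed sample payload (assumed shape); the group value mirrors the thread's credential.
SAMPLE_PAYLOAD = {
    "iss": "https://www.myidp.ibm.com", "aud": "clientID", "nonce": "VFKZRevdi4",
    "exp": 1700000000, "groupids": ["cn=group,o=isam"],
}
```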
Original Message:
Sent: Thu October 26, 2023 09:40 AM
From: Sacha M
Subject: How to use "groupids" supported claim in jwt
Hi,
Thank you for your reply.
Does this work for you? That was the first thing I tried but it's not working.
I can see the groups in the credentials:
<stsuuser:Attribute name="AZN_CRED_GROUP_REGISTRY_IDS" type="urn:ibm:names:ITFIM:5.1:accessmanager"><stsuuser:Value>cn=group,o=isam</stsuuser:Value></stsuuser:Attribute>
I added it to the attribute source:
I added it to the OAuth definition:
------------------------------
Sacha Mura
Original Message:
Sent: Wed October 25, 2023 09:17 PM
From: Sumana Narasipur
Subject: How to use "groupids" supported claim in jwt
Hi Sacha,
If the groupIds claim is available in the user credentials, you can use Attribute sources to pull the group information and add it to the JWT.
I hope this helps.
------------------------------
Sumana Narasipur
Original Message:
Sent: Wed October 25, 2023 11:08 AM
From: Sacha Mura
Subject: How to use "groupids" supported claim in jwt
Hi,
When I create a new OAuth 2.0 OpenID definition I can see from the metadata that ISVA supports "groupids" as a JWT claim:
Reading the documentation I can't find an "official" way to actually put the user's groups in this claim.
I've been able to do it by customizing the post-token mapping rule to retrieve the groups, save them in the OAuth grant with the OAuthMappingExtUtils.associate method, and then use the pre-token mapping rule to retrieve them again from the grant and put them inside the JWT.
I'm wondering if there is a better and simpler way to do it.
Any ideas?
Thank you,
Sacha
------------------------------
Sacha Mura
------------------------------