IBM Security Verify

  • 1.  How to use "groupids" supported claim in jwt

    Posted Wed October 25, 2023 11:09 AM

    Hi,

    When I create a new OAuth 2.0 OpenID definition, I can see from the metadata that ISVA supports "groupids" as a JWT claim:

    Reading the documentation, I can't find an "official" way to actually put the user's groups in this claim.
    I've been able to do it by customizing the post-token mapping rule to retrieve the groups, save them in the OAuth grant with the OAuthMappingExtUtils.associate method, and then use the pre-token mapping rule to retrieve them again from the grant and put them inside the JWT.
    I'm wondering if there is a better and simpler way to do it.
    Any ideas?
    Thank you,
    Sacha


    ------------------------------
    Sacha Mura
    ------------------------------


  • 2.  RE: How to use "groupids" supported claim in jwt

    Posted Wed October 25, 2023 09:17 PM

    Hi Sacha,

    If the groupIds claim is available in the user credentials, you can use Attribute sources to pull the group information and add it to the JWT.

    I hope this helps.



    ------------------------------
    Sumana Narasipur
    ------------------------------



  • 3.  RE: How to use "groupids" supported claim in jwt

    Posted Thu October 26, 2023 09:40 AM

    Hi,

    Thank you for your reply.

    Does this work for you? That was the first thing I tried but it's not working.

    I can see the groups in the credentials:

    <stsuuser:Attribute name="AZN_CRED_GROUP_REGISTRY_IDS" type="urn:ibm:names:ITFIM:5.1:accessmanager"><stsuuser:Value>cn=group,o=isam</stsuuser:Value></stsuuser:Attribute>

    I added it to the attribute source:

    added it to the oauth definition:
    Then used the "groupids" in the scope but the JWT has no group claim at all.
    Thank you.
    Sacha



    ------------------------------
    Sacha Mura
    ------------------------------



  • 4.  RE: How to use "groupids" supported claim in jwt

    Posted Fri October 27, 2023 04:26 AM

    You need to request it as an id_token claim.

    Example: https://www.myidp.ibm.com/mga/sps/oauth/oauth20/authorize?nonce=VFKZRevdi4&redirect_uri=https://www.mysp.ibm.com/isam/sps/oidc/rp/isamrp/redirect/partner&response_mode=form_post&claims={"id_token":{"groupids":{"essential":true}}}&scope=openid&response_type=code&state=t00J09oIom&client_id=clientID



    ------------------------------
    Sumana Narasipur
    ------------------------------



  • 5.  RE: How to use "groupids" supported claim in jwt

    Posted Fri October 27, 2023 04:35 AM

    Thanks for the hint, but by doing so I get the claim but it's empty:

    "groupids": "n/a"
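Added example, not code from this thread or from IBM: it builds the authorization request from post 4 with the claims parameter serialised and URL-encoded correctly, and adds a small check that flags requested id_token claims which come back absent or as the "n/a" filler seen in post 5. The hostnames, client_id and the sample token are constructed placeholders.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for the example; the host and client_id are placeholders.
AUTHORIZE_ENDPOINT = "https://www.myidp.ibm.com/mga/sps/oauth/oauth20/authorize"
GROUPIDS_CLAIMS = {"id_token": {"groupids": {"essential": True}}}


def build_authorize_url(client_id, redirect_uri, state, nonce, claims=GROUPIDS_CLAIMS):
    """Build the authorization request from the thread; the claims parameter
    is compact JSON, and urlencode() percent-encodes the braces and quotes."""
    params = {
        "response_type": "code",
        "response_mode": "form_post",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
        "claims": json.dumps(claims, separators=(",", ":")),
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)

def requested_id_token_claims(url):
    """Recover the id_token claims requested by an authorize URL, i.e. what
    the IdP sees after decoding the query string."""
    query = parse_qs(urlparse(url).query)
    return json.loads(query["claims"][0]).get("id_token", {})

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def id_token_payload(jwt):
    """Decode the payload of a compact JWT for inspection only; verify the
    signature against the IdP's JWKS before trusting any claim in production."""
    return json.loads(_b64url_decode(jwt.split(".")[1]))

def unpopulated_claims(payload, requested):
    """Return requested id_token claims that are absent or hold ISVA's
    'n/a' filler, the symptom reported in the last post of the thread."""
    return [name for name in requested
            if payload.get(name) in (None, "", [], "n/a")]

def _sample_jwt(payload):
    """Constructed token: real header/payload encoding, placeholder signature."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(payload) + ".placeholder-signature"

SAMPLE_TOKEN = _sample_jwt({"sub": "sacha", "iss": AUTHORIZE_ENDPOINT, "groupids": "n/a"})
```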