Inserting groups into id token

Is it possible to list in id_token all groups that user is assigned to? I’ve tried using identity.getAttributes([“groups”]) in OAuth2 Access Token Modification Script but it didn’t work.
Thanks for help in advance!

Hi @tapselo

If you are talking about placing this claim into an id token, you will want to be using an OIDC Claims script, not an OAuth2 token modification script. You can then import the com.sun.identity.idm.IdType class in your script and use identity.getMemberships(IdType.GROUP) to return all of the groups associated with the authenticated user.

Hope this helps!

1 Like

Thanks for tips, I’ve also found this tutorial: Knowledge - ForgeRock BackStage
But when I modify original script, forgerock returns “Error running OIDC claims plugin” without better error_code. I’m using Groovy. Any more ideas from you? :)

Have you looked in the debug log to see what the error was? You will get a specific error in the log.

There is no specific error actually. The whole error looks like this:

ERROR Error: Uncaught (in promise): OAuthErrorEvent: {“type”:“code_error”,“reason”:{},“params”:{“error_description”:“Error running OIDC claims plugin”,“error”:“server_error”}}

I’m using angular-oauth2-oidc with Code Flow to authenticate.

After my basic debugging it seems like there is a problem with this line of code from tutorial:

“roles”: { claim, identity → [ “roles” : identity.getMemberships(IdType.GROUP).collect { group → return ‘ROLE_’ + }]}

because this works perfect:

“roles”: { claim, identity → [ “roles” : [“abc”] ] }

‘group’ is of type AMIdentity so you might try group.getName() ?

Unfortunately it also didn’t work. I’ve received the same error.
I’ve tried any combination that contains identity.getMembership() method and it always causes the problem. Any documentation of ‘identity’ would be helpful, but I can’t find it.

OIDC user info claims :: AM 7.4.0 and AMIdentity (OpenAM Server Only 7.4.0 Documentation)


Perhaps wrap this in a try catch in case there is an exception? Otherwise, the code seems Ok to me.