Inserting groups into id token

Hi!
Is it possible to list in the id_token all groups that a user is assigned to? I've tried using identity.getAttributes(["groups"]) in the OAuth2 Access Token Modification Script but it didn't work.
Thanks in advance for your help!

Hi @tapselo

If you are talking about placing this claim into an id token, you will want to be using an OIDC Claims script, not an OAuth2 token modification script. You can then import the com.sun.identity.idm.IdType class in your script and use identity.getMemberships(IdType.GROUP) to return all of the groups associated with the authenticated user.

Hope this helps!


Thanks for the tips, I've also found this tutorial: Knowledge - ForgeRock BackStage
But when I modify the original script, ForgeRock returns "Error running OIDC claims plugin" without a more specific error code. I'm using Groovy. Any more ideas from you? :)

Have you looked in the debug log to see what the error was? You will get a specific error in the log.

There is no specific error actually. The whole error looks like this:

ERROR Error: Uncaught (in promise): OAuthErrorEvent: {"type":"code_error","reason":{},"params":{"error_description":"Error running OIDC claims plugin","error":"server_error"}}

I’m using angular-oauth2-oidc with Code Flow to authenticate.

After my basic debugging it seems like there is a problem with this line of code from the tutorial:

"roles": { claim, identity -> [ "roles" : identity.getMemberships(IdType.GROUP).collect { group -> return 'ROLE_' + group.name } ] }

because this works perfectly:

"roles": { claim, identity -> [ "roles" : ["abc"] ] }

'group' is of type AMIdentity, so you might try group.getName()?

Unfortunately it also didn't work. I've received the same error.
I've tried every combination that contains the identity.getMembership() method and it always causes the problem. Any documentation of 'identity' would be helpful, but I can't find it.

OIDC user info claims :: AM 7.4.0 and AMIdentity (OpenAM Server Only 7.4.0 Documentation)

getMemberships

https://backstage.forgerock.com/docs/am/7.4/_attachments/apidocs/com/sun/identity/idm/AMIdentity.html#getMemberships(com.sun.identity.idm.IdType)

Perhaps wrap this in a try catch in case there is an exception? Otherwise, the code seems Ok to me.
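Putting together the earlier reply (OIDC Claims script, import IdType, call identity.getMemberships(IdType.GROUP)) and the try/catch suggestion just above, here is an added example of the resolver as a Groovy fragment of an AM OIDC claims script. It is not code from this thread, from the linked tutorial or from ForgeRock. It assumes the script runs as an AM OIDC Claims script whose `claimAttributes`, `scopeClaimsMap` and `logger` bindings follow the default script template; the `ROLE_` prefix and the scope name `roles` are illustrative choices.

```groovy
// Added example (not from the thread or ForgeRock): an AM OIDC claims script
// fragment that exposes the user's group memberships as a "roles" claim.
// Assumed bindings (from the default OIDC claims script template):
//   claimAttributes - map of claim name -> resolver closure { claim, identity -> map }
//   scopeClaimsMap  - map of scope name -> list of claim names it releases
//   logger          - AM script debug logger
import com.sun.identity.idm.AMIdentity
import com.sun.identity.idm.IdType

// Resolver for the "roles" claim. AM calls it as { claim, identity -> ... }
// and expects a map of claim name -> value; an empty map means "no claim".
def groupRolesResolver = { claim, identity ->
    if (identity == null) {
        return [:]
    }
    try {
        // getMemberships(IdType.GROUP) returns a Set<AMIdentity> of the groups
        // the authenticated user belongs to. Each group name becomes one
        // ROLE_<name> entry; sorting keeps the claim stable between tokens.
        def roles = identity.getMemberships(IdType.GROUP)
                .collect { AMIdentity group -> 'ROLE_' + group.getName() }
                .sort()
        return [(claim.getName()): roles]
    } catch (Exception e) {
        // An exception here would otherwise reach the client only as the
        // generic "Error running OIDC claims plugin". Log the real cause and
        // omit the claim rather than failing the whole token request.
        logger.error("roles claim: could not read group memberships for " +
                identity.getName() + ": " + e.getMessage())
        return [:]
    }
}

// In a real script these maps already contain the template's entries
// (profile, email, ...); add to them instead of replacing them.
claimAttributes["roles"] = groupRolesResolver

// Release the claim only when the client requests the (assumed) "roles" scope,
// so group names are not handed to every client by default.
scopeClaimsMap["roles"] = ["roles"]
```

With this in place the client has to include the assumed `roles` scope in its authorization request for the claim to appear, and any failure inside `getMemberships` shows up in the AM debug log with the user's name and the exception message instead of the opaque server_error seen above.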