Javascript Question - fetching user groups and include them in the ID Token

Hi,

We are not able to find information about how to fetch identity groups and include them as a custom claim in the ID token using JavaScript. Please note that a sample is available for Groovy script, but we would like to use JavaScript.
Also, it would be helpful if we could fetch a value from a remote API in JavaScript to be included as a custom claim in the ID token.

Hi @sachindave,

You can access the Groups assigned to a user from the “isMemberOf” attribute:

"isMemberOf": [
    "cn=group2,ou=groups,o=alpha,o=root,ou=identities",
    "cn=group1,ou=groups,o=alpha,o=root,ou=identities"
],

Then, for customising the OIDC claims, please refer to the sample scripts page: Sample scripts :: ForgeRock Identity Cloud Docs → idc-claims-extension.js

Or access the script directly at:
https://backstage.forgerock.com/docs/idcloud/latest/_attachments/scripts/oidc-claims-extension.js

Customise this block:

utils.setClaimResolvers({
    /*
    // An example of a simple claim resolver function that is defined for a claim
    // directly in the configuration object:
    custom-claim-name: function (requestedClaim) {
        // In this case, initially, the claim value comes straight from a user profile attribute value:
        var claimValue = identity.getAttribute('custom-attribute-name').toArray()[0]

        // Optionally, provide additional logic for processing (filtering, formatting, etc.) the claim value.
        // You can use:
        // requestedClaim.getName()
        // requestedClaim.getValues()
        // requestedClaim.getLocale()
        // requestedClaim.isEssential()

        return claimValue
    },
    */
    /**
     * The use of utils.getUserProfileClaimResolver shows how
     * an argument passed to a function that returns a claim resolver
     * becomes available to the resolver function (via its lexical context).
     */
    name: utils.getUserProfileClaimResolver('cn'),
    family_name: utils.getUserProfileClaimResolver('sn'),
    given_name: utils.getUserProfileClaimResolver('givenname'),
    zoneinfo: utils.getUserProfileClaimResolver('preferredtimezone'),
    locale: utils.getUserProfileClaimResolver('preferredlocale'),
    email: utils.getUserProfileClaimResolver('mail'),
    address: utils.getAddressClaimResolver(
        /**
         * The passed in user profile claim resolver function
         * can be used by the address claim resolver function
         * to obtain the claim value to be formatted as per the OIDC specification:
         * @see https://openid.net/specs/openid-connect-core-1_0.html#AddressClaim.
         */
        utils.getUserProfileClaimResolver('postaladdress')
    ),
    phone_number: utils.getUserProfileClaimResolver('telephonenumber')
});

Where I assume (not tested) you could add:

groups: utils.getUserProfileClaimResolver('isMemberOf')

Regards
Patrick

Thanks Patrick for your reply. We are able to get a string array of group names from the Java HashSet with the help of the code below.

ROLES: identity.getMemberships(identity.getType().GROUP).toArray()

But now we have a problem: we are not able to find out how we can return a string array of group names only, just like we were able to do with the Groovy sample script.

We would like to get the result as ['groupname1', 'groupname2']

Hi @sachindave,

In this case you need to provide a custom claim resolver, or modify the existing identity profile resolver, e.g. in the default script it is:

function getUserProfileClaimResolver (attributeName) {
    /**
     * Resolves a claim with a user profile attribute value.
     * Returns undefined if the identity attribute is not populated,
     * OR if the claim has requested values that do not contain the identity attribute value.
     * ATTENTION: the aforementioned comparison is case-sensitive.
     * @param {org.forgerock.openidconnect.Claim} claim
     * An object that provides methods to obtain information/requirements associated with a claim.
     * @see {@link https://backstage.forgerock.com/docs/am/7/apidocs/org/forgerock/openidconnect/Claim.html} for details.
     * @returns {string|HashSet|undefined}
     */
    function resolveClaim(claim) {
        var userProfileValue;

        if (identity) {
            userProfileValue = getClaimValueFromSet(claim, identity.getAttribute(attributeName));

            if (userProfileValue && !userProfileValue.isEmpty()) {
                if (!claim.getValues() || claim.getValues().isEmpty() || claim.getValues().contains(userProfileValue)) {
                    return userProfileValue;
                }
            }
        }
    }

    return resolveClaim;
}

In this function, you could check whether the attribute is “isMemberOf” and transform the value appropriately for that case.

And you need to extend the scope claims map with:

utils.setScopeClaimsMap({
....
    groups: ['groups']

And

utils.setClaimResolvers({
...
    groups: utils.getUserProfileClaimResolver('isMemberOf')

Regards
Patrick
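
Building on Patrick's suggestion to check for isMemberOf and transform the value, here is an added worked example (not from the thread and not ForgeRock's sample script) of a resolver that returns plain group names, e.g. ['group1', 'group2'], instead of DNs. The `identity`, `claim` and Java set objects below are constructed stand-ins with the same methods the default script uses, so the block runs outside AM.

```javascript
// Added example (not ForgeRock's script): resolve a "groups" claim from isMemberOf DNs,
// e.g. "cn=group2,ou=groups,o=alpha,o=root,ou=identities" -> "group2". ES5 style so it
// also fits the AM scripting engine; identity/claim/HashSet below are constructed stand-ins.

// First RDN value of a DN; unescapes RFC 4514 "\," etc. Returns null if there is no leading cn=.
function groupNameFromDn(dn) {
  var m = /^\s*cn=((?:\\.|[^,\\])*)/i.exec(String(dn));
  return m ? m[1].replace(/\\(.)/g, '$1').trim() : null;
}

// Same contract as the default script's resolveClaim: undefined when the attribute is
// empty or when the client requested specific values and none of them match.
function getGroupsClaimResolver(identity, attributeName) {
  attributeName = attributeName || 'isMemberOf';
  return function resolveClaim(claim) {
    if (!identity) { return undefined; }
    var dns = identity.getAttribute(attributeName);
    if (!dns || dns.isEmpty()) { return undefined; }
    var names = [], arr = dns.toArray();
    for (var i = 0; i < arr.length; i++) {
      var name = groupNameFromDn(arr[i]);
      if (name && names.indexOf(name) === -1) { names.push(name); }  // skip non-DNs, duplicates
    }
    var requested = claim.getValues();
    if (requested && !requested.isEmpty()) {  // case-sensitive, like the default script
      names = names.filter(function (n) { return requested.contains(n); });
    }
    return names.length ? names.sort() : undefined;  // sorted: HashSet order is not stable
  };
}

// ---- constructed stand-ins for the objects AM supplies at runtime ----
function javaSet(values) {  // the java.util.Set methods the resolver relies on
  return { isEmpty: function () { return values.length === 0; },
           toArray: function () { return values.slice(); },
           contains: function (v) { return values.indexOf(v) !== -1; } };
}
var demoIdentity = {  // sample isMemberOf values taken from the thread
  getAttribute: function (attr) {
    return javaSet(attr === 'isMemberOf'
      ? ['cn=group2,ou=groups,o=alpha,o=root,ou=identities',
         'cn=group1,ou=groups,o=alpha,o=root,ou=identities'] : []);
  }
};
function demoClaim(requestedValues) {  // claim.getValues() is null when no values were requested
  return { getName: function () { return 'groups'; },
           getValues: function () { return requestedValues ? javaSet(requestedValues) : null; } };
}
```

In the real script you would register it with utils.setClaimResolvers({ ..., groups: getGroupsClaimResolver(identity) }) and add the groups scope to utils.setScopeClaimsMap as Patrick describes.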