OIDC SCOPE Filter

Saichandra · April 30, 2024, 8:49am

HI,

We have an integration with OIDC for the one of the app.

Current in the scope we are getting the profile ,openid.we have done a custoimttion to retrive the userADgroups is memberof attribute as well and we are gtting that in the ID token.

Now for example user has 10 AD groups ,we need to filter group specfic to the Applcaition and send in the response.Also we wanted to perform some auth based on the group.

Can you please suggesr.

grpensa · April 30, 2024, 11:09am

Greetings Saichandra,

So far, well done.
But as your Use Case is more interesting and involved than just using a static claim, dynamic examples like this do really benefit from an implementation that utilizes the policy engine (authorization framework).
That is,

policies for the unique applications need to be built,
response attributes in scope with the application need to be defined and
the OIDC provider claims need to be sourced from the policy engine and not the claims script.

This methodology is covered in the AM courses. Do you have experience with the policy implementation in Forgerock AM?

Saichandra · April 30, 2024, 11:56am

Thanks for the response.Yes i DO have expernice in Policy implemnetion but that policy is more for Claims right

grpensa · April 30, 2024, 12:43pm

Are you aware of this resource:
https://backstage.forgerock.com/docs/am/7.5/authorization-guide/oauth2-authorization.html
Have you tried it?

Many overlook the value of including the policy engine for these purposes and jump right into claims scripts.

Saichandra · April 30, 2024, 1:59pm

yes ,tried this flow,but that is not serving our purpose.Since in the scope we get any group that user have.

First step may be need to understand how to filter the group while sending the token.