We have an integration with OIDC for the one of the app.

Current in the scope we are getting the profile ,openid.we have done a custoimttion to retrive the userADgroups is memberof attribute as well and we are gtting that in the ID token.

Now for example user has 10 AD groups ,we need to filter group specfic to the Applcaition and send in the response.Also we wanted to perform some auth based on the group.

Can you please suggesr.

Greetings Saichandra,

So far, well done.
But as your Use Case is more interesting and involved than just using a static claim, dynamic examples like this do really benefit from an implementation that utilizes the policy engine (authorization framework).
That is,

  1. policies for the unique applications need to be built,
  2. response attributes in scope with the application need to be defined and
  3. the OIDC provider claims need to be sourced from the policy engine and not the claims script.

This methodology is covered in the AM courses. Do you have experience with the policy implementation in Forgerock AM?

Thanks for the response.Yes i DO have expernice in Policy implemnetion but that policy is more for Claims right

Are you aware of this resource:
Have you tried it?

Many overlook the value of including the policy engine for these purposes and jump right into claims scripts.

yes ,tried this flow,but that is not serving our purpose.Since in the scope we get any group that user have.

First step may be need to understand how to filter the group while sending the token.