By: Dominique Petitpierre user 30 May 2017 at 8:44 a.m. CDT

Hello,

- What is necessary to trigger the _update_ method of the Dynamic Scopes custom scripts?

For example the sample **org_name** script distributed with Gluu 3.0.1 does not seem to change anything. cf. [https://github.com/GluuFederation/community-edition-setup/blob/master/templates/scripts.ldif#L400](https://github.com/GluuFederation/community-edition-setup/blob/master/templates/scripts.ldif#L400)

When the script is activated in the administration UI, the following appears in `/opt/gluu/jetty/oxauth/logs/oxauth_script.log`:

```
2017-05-30 14:52:01,572 INFO [pool-2-thread-8] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:219) - Dynamic scope. Initialization
2017-05-30 14:52:01,573 INFO [pool-2-thread-8] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:219) - Dynamic scope. Initialized successfully
2017-05-30 14:52:01,574 TRACE [pool-2-thread-8] [org.xdi.service.custom.script.CustomScriptManager] (CustomScriptManager.java:113) - Last finished time '5/30/17 2:52 PM'
```

So the script is enabled; but when exercising the _userinfo_ endpoint with a client, e.g. with oxauth-rp, the **org_name** claim is not added dynamically to the other claims; worse, the log statement at the beginning of the update method does not seem to be executed (the log message does not appear in the log file):

```
print "Dynamic scope. Update method for scope org_name"
```

So it seems that the _update_ method of the script is not called.

- So what is missing?
- Is there a global configuration parameter to adjust?

Thanks in advance for your help!

By Dominique Petitpierre user 01 Jun 2017 at 6:06 a.m. CDT

Hello again,

maybe I should ask this question first:

- What is the `update` method of a Dynamic Scopes custom script supposed to do and when?

The terse explanation in the documentation does not make sense to me (cf. [https://gluu.org/docs/ce/3.0.1/admin-guide/custom-script/#dynamic-scopes](https://gluu.org/docs/ce/3.0.1/admin-guide/custom-script/#dynamic-scopes)):

> The dynamic scope custom script allows the parsing of token returned from user_info endpoint into LDAP attributes. The id_token is returned from user_info endpoint and the values are dynamically placed in the LDAP attributes in Gluu Server.

- What does it mean? Which values are we talking about? Where are they placed? (in the LDAP directory?)

This explanation does not match what is implied in the following discussion: [add authorization elements to json response](https://support.gluu.org/integrations/2319/add-authorization-elements-to-json-response/).

From that discussion my deduction is that the update method of a Dynamic Scopes custom script should be executed to add or change claims in the following cases:

- When the list of claims is prepared to answer an OpenId Connect client _userinfo_ request.
- When the ID token is prepared to answer an OpenId Connect client _token_ request and claims should be included in the ID token (if the configuration parameter `legacyIdTokenClaims=true`).

Questions:

- Correct?
- Any other cases?

Thanks in advance for your lights!

By Dominique Petitpierre user 08 Jun 2017 at 12:09 p.m. CDT

Answering my own questions:

The missing piece of information was that to make a Dynamic Scopes custom script work, not only does it have to be enabled in the _Manage Custom Scripts_ interface (check box), but also

- a scope has to be defined in the _OpenID Connect Scopes_ interface
- that scope should have _Scope Type_ **Dynamic** (menu)
- the dynamic script should be linked to that scope (_Add dynamic script_ button)

And of course the scope should be allowed for the client in the _OpenID Connect Update Client_ interface (_Add Scope_ button), and the scope should be requested by the client (e.g. to test with oxauth_rp, add it manually to the _Scope_ list in the _Token Endpoint_ part).

When all this is fine, then one does see the messages printed by the _update_ method of the script in `oxauth_script.log` and the dynamic claims are added to the _id_token_ and _userinfo_ responses.

Suggestions:

Add pointers in the custom scripts section to point to the scopes section and reciprocally:

- [https://gluu.org/docs/ce/3.0.1/admin-guide/custom-script/#dynamic-scopes](https://gluu.org/docs/ce/3.0.1/admin-guide/custom-script/#dynamic-scopes)
- [https://gluu.org/docs/ce/3.0.1/admin-guide/openid-connect/#scopes](https://gluu.org/docs/ce/3.0.1/admin-guide/openid-connect/#scopes)

It may seem obvious, but such a back pointer would have saved me hours of useless trials.

Such a back reference could also be shown in the Dynamic Scopes scripts interface (i.e. which scopes are using the script).
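
Added example, not part of the original thread and not Gluu's own code: a triage of `oxauth_script.log` that separates the situation in the first post (script initialized, `update` never invoked) from the working state described in the answer above. The log layout and messages come from the posts; the extra line in `SAMPLE_AFTER`, the state names and the `diagnose` function are assumptions made for illustration.

```python
import re

# Layout seen in the post: timestamp LEVEL [thread] [logger] (File.java:NN) - message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+(?P<level>[A-Z]+)\s+"
    r"\[(?P<thread>[^\]]+)\]\s+\[(?P<logger>[^\]]+)\]\s+\((?P<src>[^)]+)\)\s+-\s+(?P<msg>.*)$"
)
PY_LOGGER = "org.xdi.service.PythonService$PythonLoggerOutputStream"

# Checklist from the answer, returned when the script loads but update() never runs.
CHECKLIST = (
    "scope defined under OpenID Connect Scopes",
    "scope has Scope Type 'Dynamic'",
    "dynamic script linked to the scope",
    "scope allowed for the client",
    "scope requested by the client",
)

def diagnose(log_text, prefix="Dynamic scope."):
    """Return (state, timestamp, hints) for one script's print output."""
    init_ts = update_ts = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m.group("logger") != PY_LOGGER:
            continue                      # skip script-manager lines and noise
        msg = m.group("msg")
        if not msg.startswith(prefix):
            continue                      # output of some other script
        if "Initialized successfully" in msg:
            init_ts, update_ts = m.group("ts"), None  # reload: start over
        elif "Update method" in msg:
            update_ts = m.group("ts")
    if update_ts:
        return "update-called", update_ts, ()
    if init_ts:
        return "initialized-never-called", init_ts, CHECKLIST
    return "not-initialized", None, ("enable the script in Manage Custom Scripts",)

# SAMPLE_BEFORE lines are quoted from the first post.
SAMPLE_BEFORE = """\
2017-05-30 14:52:01,572 INFO [pool-2-thread-8] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:219) - Dynamic scope. Initialization
2017-05-30 14:52:01,573 INFO [pool-2-thread-8] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:219) - Dynamic scope. Initialized successfully
"""
# The appended line is constructed (timestamp and thread name are made up).
SAMPLE_AFTER = SAMPLE_BEFORE + (
    "2017-06-08 11:58:40,120 INFO [constructed-thread-1] "
    "[org.xdi.service.PythonService$PythonLoggerOutputStream] "
    "(PythonService.java:219) - Dynamic scope. Update method for scope org_name\n"
)

if __name__ == "__main__":
    for name, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, diagnose(text))
```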

By Aliaksandr Samuseu staff 08 Jun 2017 at 1 p.m. CDT

Hi, Dominique.

Thank you for your suggestions. I'm assigning the ticket to the respective team member to look into.

By Joseph Christie user 16 Jun 2017 at 8:37 a.m. CDT

Hi Dominique,

Thanks for pointing this out to us, and we welcome any further suggestions and bugs within the documentation. We assure you that those will be corrected at the earliest. More thanks for helping us to improve our documentation.

Please review the Dynamic scopes section again and let us know your feedback. https://gluu.org/docs/ce/3.0.1/admin-guide/custom-script/#dynamic-scopes

-Joseph Christie

By Dominique Petitpierre user 16 Jun 2017 at 3:10 p.m. CDT

Hello,

I hope now the documentation will be more helpful for a novice.

I still think that the first paragraph needs replacing by a better explanation; currently this paragraph is incomprehensible from a user perspective and can give a wrong view of what such a script does:

> The dynamic scope custom script allows the parsing of token returned from user_info endpoint into LDAP attributes. The id_token is returned from user_info endpoint and the values are dynamically placed in the LDAP attributes in Gluu Server.

Also a link from the scope documentation page to the dynamic scopes script page would be useful.

Thanks for listening!

Regards.