By: Ben Cory user 19 Jun 2017 at 10:01 a.m. CDT

8 Responses
Ben Cory gravatar
Scenario: The user is registered with Gluu. Two or more OAUTH clients integrated to Gluu using Oxd client. A scope is defined for each client and may have different claim requirements. I am trying to write an authentication Jython script to prove we can: 1. Get the requested scopes for the user. We could provide a parameter to the script to indicate a prefix for scopes we are interested in. 2. For each scope get the associated list of possible claims that could be set against the user with data types, validation rules. 3. For any claims not set against a user within a scope pass the information to a form to collect the extra claims. I think If I can get hold of the sessionclient I can then get to the client and scopes requested which is a start. Do you have any hints on getting hold of the correct objects to get the information I require from Gluu ? Is there any further documentation on the object model ? Any help would be greatly appreciated.

By Aliaksandr Samuseu staff 20 Jun 2017 at 2:27 p.m. CDT

Aliaksandr Samuseu gravatar
Hi, Ben. Please be warned that custom scripts are not covered by free Community support. Yet, as Gluu is open source project, all source codes are available for you to study. [Here](https://github.com/GluuFederation/oxAuth/tree/master/Server/integrations) we have a great selection of ready authentication scripts you can read and configure in your instance to experiment with, what should be enough to get a basic understanding and find some code to reuse in your own script. You can check what classes they import and study their composition to learn what other interfaces they offer. We can provide you some hints even in this case, but please be as specific as possible when asking. I can't say yet I'm completely understand your use case, could you give some example, perhaps? Couldn't get what "claims not set against a user" mean, for example. I'll try to answer next part: >I think If I can get hold of the sessionclient I can then get to the client and scopes requested which is a start. Here is code example that should deliver you current user's session state: ``` context = Contexts.getEventContext() session_attributes = context.get("sessionAttributes") if session_attributes.containsKey("origin_headers): origin_headers = session_attributes.get("origin_headers") ``` `session_atrributes` should look like this: ``` {"scope":"openid profile email user_name","response_type":"code id_token","origin_headers":"https://sp.gluu.org/shibboleth","nonce":"nonce","redirect_uri":"https://nest.gluu.org/idp/auth-code.jsp","remote_ip":"192.168.15.1","auth_step":"1","client_id":"@!6BED.0CBA.D569.AA67!0001!6E3D.B9BF!0008!082F.319E","acr":"internal"} ``` I guess that contains what your need: "requested scopes for the user"

By Ben Cory user 21 Jun 2017 at 1:55 p.m. CDT

Ben Cory gravatar
Thank you for your response it is much appreciated. The oxd clients A and B would require the unique reference for a person to be identified for the respective client. This may be claims a,b,c required to identify a person in client A and claims d, e, f to identify a person in client B. Once a person has been matched in the client the unique Id can be stored in gluu for future interaction so this is on first attempt to authenticate against each client a matching process is done. The plan is to define a scope for each client containing the required claims and a claim for the unique id. This means on authentication we can check for clientAscopeid(unique person Id) if not set pop a form to collect claims a, b, and c. With the claims a matching web service could then be called in client A to get a unique person Id to store in the claim clientAscopeid. On second authentication clientAscopeid would be set so the matching process would not be repeated. At a later date if access to client B is attempted then a similar matching process would be done to get clientBscopeid claim set to the unique person reference for client B. From the above the poc aims to show case: 1. Read the requested scopes 2. Read the claims belonging to each scope 3. Determine if the person has been matched If not pass meta data to describe the claims required for matching to a form 4.Form to render from meta data and collect required claims 5.On return from the form call a web service using the claims collected to match on a person. 6.Store the unique person identifier returned from the matching web service. Please let me know if you need any further clarification on the scenario.

By Ben Cory user 26 Jun 2017 at 10:31 a.m. CDT

Ben Cory gravatar
I have written the script to read claims metadata ( information held in ldap) that belong to a scope. I have looked at passing values between steps. I want to share the claim metadata with a custom form. I have looked at the integration examples on git hub. Is there a way to pass values from the script to a form which is configured in getPageForStep ? Any suggestions would be greatly appreciated.

By Aliaksandr Samuseu staff 20 Jul 2017 at 8:23 p.m. CDT

Aliaksandr Samuseu gravatar
Hi, Ben. Sorry for the pause. Have you managed to achieve what you wanted back then? Could you update me on your current status and pending questions?

By Ben Cory user 21 Jul 2017 at 3:56 a.m. CDT

Ben Cory gravatar
Hi Aliaksandr, Thanks for coming back to me. I have achieved this is in a slightly different way. Michael shared the following link which demonstrated accessing the Gluu object model from the JSF page: [Example of accessing Gluu object model from JSF page](https://github.com/GluuFederation/oxAuth/blob/be8374d60abb715e70035bf601753a11c558144f/Server/src/main/webapp/auth/super-gluu/login.xhtml#L116) I could get the claims in the script for a specific scope. The issue was then the object model was not JSON serialisable to pass as a parameter to the page or next step in the script. I started thinking about creating python objects which were serialisable but then based on the link above I changed to a simpler solution accessing the claims in the scope in the JSF page. This simplified the approach. I had to use JSLT to process the claims and dynamically render HTML controls correctly. Also changed the page to output HTML 5 and therefore not using many of the JSF UI components as they are not HTML 5 aware. I did raise a separate ticket yesterday about breaking down the python script into reusable modules so I could share the code between scripts but hit issues. The ticket got closed very quickly without resolution because it was a customisation question on the community support channel: [Unable to use python module from custom script](https://support.gluu.org/customization/4346/unable-to-use-python-module-from-custom-script/#at24138)

By Mohib Zico Account Admin 26 Jul 2017 at 7:12 a.m. CDT

Mohib Zico gravatar
Gentlemen, Do you think we can close this ticket?

By Aliaksandr Samuseu staff 26 Jul 2017 at 8:28 a.m. CDT

Aliaksandr Samuseu gravatar
Yes, can't add much here. I can understand your disappointment regarding closure of the other ticket, Ben. Though we sometimes assist our Community users with script development, your questions started to touch complex topics we usually need consultation from our dev team on. And that's not something we can afford in Community support.. Unless there is a possibility of bug, of course. Seems like you are doing some deep customizations and intend to use Gluu in production after that. Do you think your organisation could afford paid support plan, then?

By Ben Cory user 26 Jul 2017 at 12:35 p.m. CDT

Ben Cory gravatar
Hi Aliaksandr, This is something we are looking into.