By: Arthur Barrett user 05 Jul 2021 at 1:25 a.m. CDT

3 Responses
I'm using the userinfo API after a successful login: https://gluu.org/docs/gluu-server/4.2/api-guide/openid-connect-api/#openid-connect-user-info-api

The scope of the login returns: "openid profile permission email"

But the response from userinfo does not include "groups":

```json
{"sub":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx","website":"https://www.gluu.org/","zoneinfo":"America/Los_Angeles","birthdate":"20210616000000.000Z","email_verified":true,"gender":"male","profile":"https://www.facebook.com/gluufederation/","preferred_username":"admin","given_name":"Admin","middle_name":"Admin","picture":"https://www.gluu.org/wp-content/themes/gluu/images/gl.png","updated_at":1623810357,"name":"Default Admin User","nickname":"Admin","family_name":"User","email":"xxx@xxxx.com"}
```

I thought if my oauth included the 'permissions' scope that I would get the user permissions with a query to userinfo? Do I get this claim from somewhere else? I assume I've misunderstood something. How do I get the 'groups' of the user during oauth? I can get it via SCIM OK, but I need it at login, to identify an administrator user. If there is a better way to identify an administrator user, please advise...

By Arthur Barrett user 05 Jul 2021 at 2:08 a.m. CDT

OK - I worked it out by adding a new 'openid' scope called membership and adding the claim 'member_of' to that scope. Then I changed the request scope to membership (not permission) and now I get 'member_of' OK. If there is a better way to determine if a user is administrator, please let me know:

```json
{"sub":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx","website":"https://www.gluu.org/","zoneinfo":"America/Los_Angeles","birthdate":"20210616000000.000Z","email_verified":true,"gender":"male","profile":"https://www.facebook.com/gluufederation/","preferred_username":"admin","given_name":"Admin","middle_name":"Admin","picture":"https://www.gluu.org/wp-content/themes/gluu/images/gl.png","updated_at":1623810357,"name":"Default Admin User","nickname":"Admin","member_of":["inum=60B7,ou=groups,o=gluu"],"family_name":"User","email":"xxx@xxxx.com"}
```

Also I'm curious about the order of the elements. Is there any reason for it? I would have thought the membership scope would have come after the email because that was the order in the request. It doesn't matter and shouldn't matter, but I just think it's odd. Leaving the issue open for comments.

By Aliaksandr Samuseu staff 05 Jul 2021 at 1:38 p.m. CDT

Hi, Arthur.

> I thought if my oauth included the 'permissions' scope that I would get the user permissions with a query to userinfo?

You need to both request the scope that maps to all the claims you need - and allow Gluu Server to allow this specific client to use this scope. So you figured out that part right.

> If there is a better way to determine if a user is administrator

Not sure what you're up to here, but if you need your RP to know if some user is an admin in Gluu Server, then group membership is one way to go (you'll need to ensure the RP is able to compare what it receives in the `member_of` claim to the DN of the "Gluu Manager Group" in Gluu Server).

> Also I'm curious about the order of the elements. Is there any reason for it?

The spec doesn't dictate the claim ordering in the userinfo response, and tbh not sure why this may matter. When the structure is handled in code, you can usually just extract the value you need by the claim's name.
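The RP-side check described in the answer above (compare the `member_of` claim against the DN of the admin group), as an added example that is not from the thread or from Gluu's own code. It assumes the RP has already fetched the userinfo response itself with the access token, and `ADMIN_GROUP_DN` is a placeholder you must replace with the actual DN of the "Gluu Manager Group" in your deployment (the `inum=60B7,...` value is only taken from the sample response above, the thread does not confirm which group it is). The sample userinfo JSON is constructed.

```python
import json

# Constructed sample userinfo response; shape follows the thread, values are placeholders.
SAMPLE_USERINFO = json.dumps({
    "sub": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "preferred_username": "admin",
    "member_of": ["inum=60B7,ou=groups,o=gluu"],
    "email": "xxx@xxxx.com",
})

# ASSUMED placeholder: replace with the DN of the "Gluu Manager Group" in your own Gluu Server.
ADMIN_GROUP_DN = "inum=60B7,ou=groups,o=gluu"


def normalize_dn(dn: str) -> str:
    """Normalize an LDAP DN for comparison: trim whitespace around RDN separators,
    lowercase attribute names and values. Pragmatic normalization only; it does not
    handle escaped commas or multi-valued RDNs (full RFC 4514 handling is out of scope)."""
    normalized = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        normalized.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(normalized)


def groups_from_userinfo(userinfo: dict) -> list:
    """Return member_of as a list of DN strings.
    The claim may be absent, a single string, or a list; anything else is ignored."""
    raw = userinfo.get("member_of")
    if raw is None:
        return []
    if isinstance(raw, str):
        return [raw]
    if isinstance(raw, list):
        return [g for g in raw if isinstance(g, str)]
    return []


def is_admin(userinfo_json: str, admin_group_dn: str = ADMIN_GROUP_DN) -> bool:
    """Decide admin status by exact match of a normalized member_of DN against the
    configured admin group DN. Deny by default: malformed JSON, a non-object body,
    or a missing claim all yield False."""
    try:
        userinfo = json.loads(userinfo_json)
    except json.JSONDecodeError:
        return False
    if not isinstance(userinfo, dict):
        return False
    target = normalize_dn(admin_group_dn)
    return any(normalize_dn(g) == target for g in groups_from_userinfo(userinfo))


if __name__ == "__main__":
    print("admin" if is_admin(SAMPLE_USERINFO) else "not admin")
```

The comparison is an exact match on the whole DN rather than a substring search, so a group such as `inum=60B7x,...` or a DN that merely contains the admin DN as a suffix will not pass. Keep the admin DN in server-side configuration; the decision should rest on the userinfo response the RP fetched directly from Gluu Server, not on anything the browser hands back.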

By Arthur Barrett user 05 Jul 2021 at 5:52 p.m. CDT

Thanks. Good tip about the DN of the "Gluu Manager Group" in Gluu Server! Closing.