Allow to use claims in access token or id token for openid user/group mappings
See original GitHub issueCurrent Behavior:
From what I understand, dependency-track uses the standard userinfo
endpoint to fetch the user’s name and groups. This is limiting when using certain providers, for example Microsoft Identity.
Proposed Behavior:
Allow to use claims returned either in the access token or id token since these are also openid standards.
For example:
ALPINE_OIDC_USERNAME_CLAIM_SOURCE=userinfo/access_token/id_token
ALPINE_OIDC_TEAMS_CLAIM_SOURCE=userinfo/access_token/id_token
This would also solved the issue #979 . Thanks!
Issue Analytics
- State:
- Created 2 years ago
- Reactions:6
- Comments:17 (12 by maintainers)
Top Results From Across the Web
Customize tokens returned from Okta with a Groups claim
This guide explains how to add a Groups claim to ID tokens for any combination of App Groups and User Groups to perform...
Read more >Provide optional claims to Azure AD apps - Microsoft Entra
An application can configure optional claims to be returned in each of three types of tokens (ID token, access token, SAML 2 token)...
Read more >Userinfo endpoint not returning persistent grant mappings in ...
We have an OpenID Connect policy with Include userInfo in ID token enabled and 4 ... But the user info endpoint is returning...
Read more >Open ID Connect: Sharing identity information with Applications
Adding the attribute source to the definition maps the attribute to the id_token claim. Use the API protection definition panel for OpenID ......
Read more >How to request OpenID Connect claims - Connect2id
By making a request to the UserInfo endpoint of the Connect2id server with a valid OAuth 2.0 access token that was issued to...
Read more >Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start FreeTop Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
Top GitHub Comments
We can’t reliably use the access token since it’s not guaranteed to be a JWT, or even parseable at all. Considering ID token and
/userinfo
when looking for claims sounds OK though.If we submit both ID token and access token to the API server, we can always validate and decode the ID token first. If it’s valid, and we find all the claims we’re looking for in there, we don’t have to bother requesting
/userinfo
. A valid ID token is already enough as proof of authentication. If we’re missing claims, we can then request/userinfo
with the access token. Meaning we don’t need the proposed properties that instruct DT where to look for claims.I think I’ll give this a go. Will probably introduce the Nimbus OIDC SDK as we’ll now have to deal with retrieving and selecting the correct signing key from the IdP.
@nscuro well I found my error…! typo in
ALPINE_OIDC_TEAMS_SYNCHRONIZATION
no ‘S’ on TEAMSTested and it’s now working! 🎉