The Authorization extension can be configured to expose the relevant information at the user profile level. This is done through a rule that includes the necessary information in the user profile at each login.
When not relying on endpoints that follow the OIDC specification there is functionality that could automatically populate that authorization information into an issued ID Token if the information was requested through scopes. For example:
- You make a request with
scope=openid+roles
. - The user authenticates and the extension rule populate the user profile with updated
roles
information. - Given we’re not on an OIDC flow and the request included the
roles
scope then theroles
information available at the user profile is mapped into aroles
claim included in the ID Token.
(Important: the above does not work when using OIDC compliant endpoints because roles
is not a claim defined by OIDC)
If you’re using an OIDC compliant endpoint which is the case if you’re obtaining access tokens for your own API then you need to explicitly add the custom information available at the user profile into the issued tokens. You do this through an additional rule that should execute after the one associated with the Authorization extension; see User profile claims and scope for details on how to do this.
The way you include the information in the access token is also up to you, for example, you can include the raw role information in a custom claim that your API then processes or as an alternative you can role information to API scopes in the rule itself which would mean the API only performs decisions based on access token scopes and the actual role to scope mapping is done in your custom rule.