With OIDC-conformant clients, the way scopes are added in rules has changed slightly: the user now defines scopes in the API and OpenID settings, and custom claims are namespaced. You therefore need to pass this information into your tokens via another rule. The three scenarios are as follows.
Using ACL based on permissions stored in scopes.
In this approach, granular permissions are defined. For example, consider the following permissions: create:user, update:user, create:task, update:task, update:current_user, create:current_user_task, update:current_user_task. An admin user has access to all of these scopes, whereas a normal user has access only to the :current_ ones. You can add this to the scopes as follows:
```javascript
const rolePermissionsMap = {
  'admin': ['create:user', 'update:user', 'create:task', 'update:task', 'update:current_user', 'create:current_user_task', 'update:current_user_task'],
  'commoner': ['update:current_user', 'create:current_user_task', 'update:current_user_task'],
};
// This accounts for multiple roles; unknown roles contribute no scopes.
user.roles.forEach((role) => {
  const permissions = rolePermissionsMap[role] || [];
  if (context.idToken) {
    // scopes may not exist on the token yet, so start from an empty array
    context.idToken.scopes = (context.idToken.scopes || []).concat(permissions);
  }
  if (context.accessToken) {
    context.accessToken.scopes = (context.accessToken.scopes || []).concat(permissions);
  }
});
```
Using a custom claim.
Using a custom claim, you can define it as follows (the namespace is taken from the requested audience):
```javascript
const namespace = context.request.query.audience;
if (context.idToken) {
  context.idToken[namespace + '/role'] = user.roles;
  context.idToken[namespace + '/groups'] = user.groups;
}
```
For ID Token only
You can add the entire app_metadata or user_metadata object to the ID token as follows:
```javascript
context.idToken['app_metadata'] = user.app_metadata; // the same applies to user_metadata
```
Please note that this also applies to /userinfo: whatever you return in the ID token is served from /userinfo as well.
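The three scenarios above combined into a single rule body, as an added example that is not part of the original post: the rule shape (user, context, callback), the role names, scopes, audience and metadata values are all constructed, the scope arrays are deduplicated for users holding several roles, and the metadata claim is namespaced like the other custom claims.

```javascript
// Added example: one Auth0-style rule that maps roles to scopes, adds
// namespaced custom claims and copies app_metadata into the ID token.
// Role names, scopes, audience and sample user data are constructed.
const rolePermissionsMap = {
  admin: ['create:user', 'update:user', 'create:task', 'update:task',
          'update:current_user', 'create:current_user_task', 'update:current_user_task'],
  commoner: ['update:current_user', 'create:current_user_task', 'update:current_user_task'],
};

// Collect scopes for every role the user holds, skipping unknown roles and
// removing duplicates so overlapping roles do not produce repeated entries.
function scopesForRoles(roles) {
  const out = new Set();
  (roles || []).forEach((role) => {
    (rolePermissionsMap[role] || []).forEach((scope) => out.add(scope));
  });
  return Array.from(out);
}

// The rule body, in the (user, context, callback) shape Auth0 rules use.
function addRoleClaims(user, context, callback) {
  const scopes = scopesForRoles(user.roles);
  // Namespace comes from the requested audience; fall back to a constructed
  // default so claims stay namespaced when no audience was requested.
  const query = (context.request && context.request.query) || {};
  const namespace = query.audience || 'https://example.com';

  [context.idToken, context.accessToken].forEach((token) => {
    if (!token) return;
    // token.scopes may be undefined; concat on undefined would throw.
    token.scopes = Array.from(new Set((token.scopes || []).concat(scopes)));
  });

  if (context.idToken) {
    context.idToken[namespace + '/role'] = user.roles || [];
    context.idToken[namespace + '/groups'] = user.groups || [];
    context.idToken[namespace + '/app_metadata'] = user.app_metadata || {};
  }
  return callback(null, user, context);
}

// Constructed sample run: a user holding two overlapping roles.
function demo() {
  const user = { roles: ['commoner', 'admin'], groups: ['staff'], app_metadata: { tier: 'gold' } };
  const context = { idToken: {}, accessToken: { scopes: ['openid'] },
                    request: { query: { audience: 'https://api.example.com' } } };
  let result;
  addRoleClaims(user, context, (err, u, c) => { result = c; });
  return result;
}
```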
Fetch it on the server
Finally, you can fetch this information from either the Management API (if you have persistence enabled in the Auth Extension) or the Extension's own API.