search

NodeBB / nodebb-plugin-sso-oauth2-multiple

NodeBB Plugin for configuring multiple OAuth2 endpoints for login
BSD 2-Clause "Simplified" License
9 stars 4 forks source link

Alternative roles field #30

Open jasonpincin opened 11 months ago

jasonpincin commented 11 months ago

It would be awesome if we could specify an alternative roles field. Some oauth2 providers do not allow roles to be set, but rather insist on name-spacing the roles field (looking at you Auth0). Perhaps in the UI, within the Adjustments section, similar to how you have an Alternative id key field, there could be an Alternative roles key field? Or even just a Roles namespace,

As a concrete example, the userinfo endpoint for our implementation returns a payload that contains the following:

{ 
  ...
  email_verified: true,
  'https://ourdomain.gg/roles': [ 'Group1 Member', 'Group2 Member' ]
}
julianlam commented 11 months ago

Yep this is fine, will add.

julianlam commented 11 months ago

While I have you, is the roles parameter name returned in the discovery endpoint?

https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata

Cursory review says no 😞

jasonpincin commented 11 months ago

No; it can only be done with a custom claim in Auth0 (via an "Action"). There's no way for it to know and advertise it via the discovery endpoint (that I know of).

VictorElHajj commented 7 months ago

Authentikat for example returns "groups" instead of roles.

digital-pet commented 3 weeks ago

Authentikat for example returns "groups" instead of roles.

So does allianceauth-oidc-provider