simpleidserver / SimpleIdServer

OpenID, OAuth 2.0, SCIM2.0, UMA2.0, FAPI, CIBA & OPENBANKING Framework for ASP.NET Core
https://simpleidserver.com/
Apache License 2.0
682 stars 90 forks

Gets the group to which the user belongs #726

Closed qq1176914912 closed 2 months ago

qq1176914912 commented 2 months ago

I created a Group called admin in "Group" and added roles to it: [image]

And assigned this component to the user: [image]

The client also assigns "Scope" for "role": [image]

And "Include in access token" is enabled for role: [image]

When I access and retrieve the token content, analyzing the token yields the following: [image]

The token key I defined, "roleScopeMappingTokenClaimName", holds the role; as you can see, it is named "the client name/role name", but I didn't see the "group". I want to know which group the role belongs to. Do I need to get groups separately, or do I need to change the role structure to "Groups/clients/Roles"?

simpleidserver commented 2 months ago

Hello,

Normally, the inclusion of groups in the access token is unnecessary. The roles contained within the access token represent the permissions that the authenticated user has to execute actions against the client. Therefore, the authorization policies established by your web application should operate based on the client's permissions rather than the groups.

Currently, it is not feasible to include groups in the access token. If you require this functionality, we can consider supporting it for the upcoming release 5.0.0.

Best regards,

SID

qq1176914912 commented 2 months ago

> Hello,
>
> Normally, the inclusion of groups in the access token is unnecessary. The roles contained within the access token represent the permissions that the authenticated user has to execute actions against the client. Therefore, the authorization policies established by your web application should operate based on the client's permissions rather than the groups.
>
> Currently, it is not feasible to include groups in the access token. If you require this functionality, we can consider supporting it for the upcoming release 5.0.0.
>
> Best regards,
>
> SID

Thanks for your reply. Besides getting the role's group in the access token, is there any other way to find out which group the user's role comes from?

simpleidserver commented 2 months ago

As I mentioned in my previous message, currently, it is not feasible to include groups in the access token. If you require this functionality, we can consider supporting it for the upcoming release 5.0.0.

qq1176914912 commented 2 months ago

> As I mentioned in my previous message, currently, it is not feasible to include groups in the access token. If you require this functionality, we can consider supporting it for the upcoming release 5.0.0.

I know what you mean. What I mean is: in addition to having groups in the access token, is there, at this point, another way to get the group that the current user's role belongs to (outside of the access token)? For example, is there an interface to query?

simpleidserver commented 2 months ago

Apologies for my misunderstanding. You can retrieve the groups assigned to a user by executing the following HTTP query:

Groups are available in the 'groups' property.

METHOD:  GET
TARGET : https://openid.simpleidserver.com/master/users/<ID>

Swagger endpoint : https://openid.simpleidserver.com/master/swagger/index.html
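
The lookup described in the reply above, as an added example that is not part of the original thread or the project's code. The URL and the `groups` property name come from the reply; the bearer-token header, the function names and the sample response body are assumptions.

```python
import json
import urllib.parse
import urllib.request

# Base URL taken from the reply above.
BASE_URL = "https://openid.simpleidserver.com/master"


def build_user_request(user_id, access_token, base_url=BASE_URL):
    """Build the GET <base>/users/<ID> request described in the reply."""
    # Percent-encode the ID so "/", "?" or "#" in it cannot change the path.
    safe_id = urllib.parse.quote(user_id, safe="")
    req = urllib.request.Request(f"{base_url}/users/{safe_id}", method="GET")
    # Assumption: the API expects an OAuth 2.0 bearer token.
    req.add_header("Authorization", f"Bearer {access_token}")
    req.add_header("Accept", "application/json")
    return req


def extract_groups(body):
    """Return the 'groups' property of the user document as a list."""
    user = json.loads(body)
    if not isinstance(user, dict):
        raise ValueError("expected a JSON object for the user")
    groups = user.get("groups") or []  # missing or null means no groups
    if not isinstance(groups, list):
        raise ValueError("'groups' is not a list")
    return groups


def fetch_user_groups(user_id, access_token, base_url=BASE_URL):
    """Query the server; 401/403/404 responses raise urllib.error.HTTPError."""
    req = build_user_request(user_id, access_token, base_url)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return extract_groups(resp.read())


# Constructed sample body: only the 'groups' property name comes from the
# reply; the other fields and the shape of each group entry are assumptions.
SAMPLE_BODY = '{"id": "u-123", "name": "alice", "groups": [{"name": "admin"}]}'

if __name__ == "__main__":
    print(extract_groups(SAMPLE_BODY))
```

Resolving groups server-side this way keeps the access token limited to the role claims and makes the group check reflect the server's current state rather than what was true when the token was issued.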

qq1176914912 commented 2 months ago

> Apologies for my misunderstanding. You can retrieve the groups assigned to a user by executing the following HTTP query:
>
> Groups are available in the 'groups' property.
>
> METHOD:  GET
> TARGET : https://openid.simpleidserver.com/master/users/<ID>
>
> Swagger endpoint : https://openid.simpleidserver.com/master/swagger/index.html

Thank you for your reply. I think it is still necessary to display "group" in the token. At present, the role of "group" is only to give the user a role, acting as middleware. If "group" were also supported in the token, it could play a real role.