Soffit and OIDC questions


Julien Gribonvald

Jun 8, 2021, 10:38:26 AM
to uport...@apereo.org
Hi folks,

I have some questions on "what is the best way to do that?", as we are
replacing portlets with an API + web-components UI.

- The Portlet API provides all the user attributes that we want, without
size limitations, unlike the userInfo bearer. So what is the best way to
avoid the size limitation when providing attributes with a lot of
values? (In our LDAP we have the isMemberOf attribute, which we use a lot,
and so it makes a lot of data that can't be passed within the bearer, as
it's truncated.) I've seen that we can filter values, but I fear that we
need a lot of values in some parts, and so it will only "forward" the
problem for later.

So are there people who have had such a need too? How did you solve
that problem? I would rather avoid querying our LDAP or developing a REST
API outside of the portal.

- I would like to use web-components that make requests to the uPortal
API from outside of the portal, and without connecting to it beforehand.
So how can we permit that? Should we init the portal session beforehand,
or is there a way to avoid that? My need would be to use the
esco-content-menu outside and integrate it into some other services.


Thanks !

Julien Gribonvald

Benito Gonzalez

Jun 8, 2021, 1:32:03 PM
to Julien Gribonvald, uport...@apereo.org
Hi Julien,

IIRC there is a groups API in uPortal that can be used to access the groups the current user belongs to. 

I have not worked on any implementations where the token size was exceeded.

Best,
-bjagg



Julien Gribonvald

Jun 10, 2021, 11:55:21 AM
to Benito Gonzalez, uport...@apereo.org

Hi Benito,

I'm not using the group API in services; in portlets I'm using only the user attribute that provides the list of groups of which the user is a member. It's really efficient to do it like that, but when moving to APIs + web components I have to find another efficient way.

For the token size problem I will check if I can reproduce it; I had the problem in version 5.2 (so a long time ago).

Julien Gribonvald

Julien Gribonvald

Jul 15, 2021, 11:39:47 AM
to uport...@apereo.org

Hi,

So for the token size, I reproduced it! It's due to a token size exceeding the 8Kb size (by not too much), and it's the Tomcat server that returns the error. Without such an attribute the userInfo response is around 1.6Kb, so we can't provide in claims a user attribute having a large size value.

After that, I'm not sure of the best way to proceed. This size can be configured on the server, but it doesn't seem really recommended to increase the maxHttpHeaderSize property of the connector, and I think that's not totally false, because the JWT value is encrypted and the encrypted value is really larger, so the encryption increases the length of the token. Maybe the best way would be to request an API to get all user attribute values of one user (passing the requested attribute name?). It would be like replacing the portlet request on User-info by an API; what do you think?

BTW there is the /v5-0/people/me API, but it doesn't filter authorized or requested attributes.

Thanks,

Julien Gribonvald
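
The following is an added example, not part of the thread and not uPortal code: it estimates how large an `Authorization: Bearer` header becomes when a multi-valued `isMemberOf` claim is carried in a signed token and then in an encrypted wrapper, and compares it with the 8 KB limit mentioned above. The group DNs, the key, the `sub` value and the generic compact-JWE layout (`dir` + `A256GCM`, size model only) are assumptions; uPortal's actual token format may differ.

```python
import base64, hashlib, hmac, json

MAX_HTTP_HEADER = 8 * 1024  # the 8 KB limit from the thread (Tomcat maxHttpHeaderSize)
PREFIX = len("Authorization: Bearer ")

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64len(n: int) -> int:
    """Length of n bytes once base64url-encoded without padding."""
    return (4 * n + 2) // 3

def compact_json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()

def signed_jwt(claims: dict, key: bytes) -> str:
    """Compact JWS (HS256) built with the standard library only."""
    signing_input = (b64url(compact_json({"alg": "HS256", "typ": "JWT"}))
                     + "." + b64url(compact_json(claims)))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def encrypted_len(jws: str) -> int:
    """Size-only model (assumed layout) of a compact JWE wrapping the JWS:
    header . empty key . 12-byte IV . ciphertext (= plaintext length) . 16-byte tag.
    The signed token is base64url-encoded a second time, hence the growth."""
    header = b64len(len(compact_json({"alg": "dir", "enc": "A256GCM", "cty": "JWT"})))
    return header + 1 + 0 + 1 + b64len(12) + 1 + b64len(len(jws)) + 1 + b64len(16)

def header_report(n_groups: int) -> dict:
    # Constructed sample data: hypothetical group DNs, user and key.
    groups = [f"cn=group-{i:04d},ou=groups,dc=example,dc=org" for i in range(n_groups)]
    jws = signed_jwt({"sub": "jdoe", "isMemberOf": groups}, b"constructed-demo-key")
    signed, encrypted = PREFIX + len(jws), PREFIX + encrypted_len(jws)
    return {"groups": n_groups, "signed": signed, "encrypted": encrypted,
            "signed_fits": signed <= MAX_HTTP_HEADER,
            "encrypted_fits": encrypted <= MAX_HTTP_HEADER}

if __name__ == "__main__":
    for n in (20, 110, 200):
        print(header_report(n))
```

The limit applies to the request line plus all headers, so the real headroom is smaller than this single-header estimate.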

Benito Gonzalez

Jul 15, 2021, 12:19:25 PM
to Julien Gribonvald, Developers, uPortal
I think this is a good idea! We would have to build out some infrastructure for saving keys from other services that may query uPortal for user information. Does that sound right?

-bjagg

Julien Gribonvald

Jul 15, 2021, 12:53:23 PM
to uport...@apereo.org