OpenID customizing claims


Christian Sepulveda

Jan 25, 2022, 5:55:58 PM
to RCDevs Security Solutions - Technical
I am trying to get a user's list of groups, returned in the claims in the id token. 
Is this possible with WebADM? What needs to be configured to allow it?

In the release notes for v1.2.4 (https://www.rcdevs.com/downloads/viewer/1/Enterprise/Changelog_openid.txt/), I found the following
"- Fixed OpenID-Connect claims issues and added support for extra claims.
      > Additional claims are configured via the ReturnAttributes setting."

which makes me hope this is possible. But I don't know what I need to set. 

https://www.rcdevs.com/docs/howtos/saml_openid/webadm_idp/#3321-requirements shows an example string, to be put in Application settings.

OpenID.ReturnAttrs="mail=mail,first_name=givenname,last_name=sn"

If this is part of a solution, is the right setting OpenId.ReturnAttrs or OpenID.ReturnAttributes (release notes property name)? 

Would I need to send anything else as part of "scopes", when requesting the initial token?

I've tried various settings, like 
OpenID.ReturnAttrs="group=groups"
OpenID.ReturnAttrs="groups=groups"
...
OpenID.ReturnAttributes="groups=groups"

and include "groups" in the scopes list. None of these attempts have worked. 

Any help is greatly appreciated. 

Thanks

Chris

Christian Sepulveda

Jan 25, 2022, 7:53:56 PM
to RCDevs Security Solutions - Technical
Related, when I look at the config
<host>/webapps/openid/.well-known/openid-configuration
I get these elements:
{
...
   "scope_supported": [
        "basic",
        "openid",
        "email",
        "phone",
        "profile",
        "groups"
    ],
    "claims_supported": [
        "sub",
        "email",
        "email_verified",
        "phone_number",
        "phone_number_verified",
        "preferred_username",
        "preferred_language",
        "given_name",
        "family_name",
        "name",
        "mfa-policy",
        "group",
        "groups",
        "role"
    ]
}
How can I get group, groups or role in the claims? I am sending "groups" in the scopes, but as noted, I haven't gotten this working. (I also can't get email to come back in the token, with "profile email" in the scope.)

There might be some basic config I am missing. 

Benoît Jager (RCDevs)

Jan 27, 2022, 7:41:19 AM
to RCDevs Security Solutions - Technical
Hello,

What did you configure in the following setting of your OpenID configuration:
(screenshot attached: Screenshot 2022-01-27 at 13.40.19.png)

Regarding Openid.ReturnAttrs, you can remove this setting as this is related to SAML.

Best regards

Christian Sepulveda

Jan 27, 2022, 1:15:30 PM
to RCDevs Security Solutions - Technical
I've tried both with nothing checked, so it (theoretically) allows all scopes. I've also tried explicitly checking all the options. I don't see any difference between either configuration.

Christian Sepulveda

Jan 27, 2022, 1:38:41 PM
to RCDevs Security Solutions - Technical
> Regarding Openid.ReturnAttrs, you can remove this setting as this is related to SAML.
>
> Best regards

Also, if this is only for SAML, how would I set the extra claims, as noted in the release notes for v1.2.4 (https://www.rcdevs.com/downloads/viewer/1/Enterprise/Changelog_openid.txt/):

"- Fixed OpenID-Connect claims issues and added support for extra claims.
      > Additional claims are configured via the ReturnAttributes setting."

Thanks

Benoît Jager (RCDevs)

Feb 9, 2022, 10:15:58 AM
to RCDevs Security Solutions - Technical
Hello,

For OpenID, you have to configure which scopes are allowed so they can be sent by OpenID, but your SP must explicitly ask for them.
Can you then check that you ask for them? The scope parameter should be set like this during the request to OpenID:
scope=openid%20email%20phone%20profile%20groups

Kind regards / Cordialement

Christian Sepulveda

Feb 9, 2022, 2:09:58 PM
to RCDevs Security Solutions - Technical
Thanks for the reply. 

To clarify, would I need to set this scope in the original redirect to the WebADM login page or in the token call (exchanging the code for a token)? In any event, I tried both and verified the scope was set (looking at network requests in Chrome Dev Tools). Unfortunately, I don't see any change in the returned JWT.

Is there anything I need to do on the OpenID or client policy config? 

I appreciate the help and wonder if there is a missing config that might be assumed, but is the reason I don't get groups as a claim in the JWT.
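A small diagnostic for the situation discussed in this thread, added here as an example and not code from RCDevs or from any poster: it builds the space-separated scope parameter for the initial authorization redirect, decodes the id_token payload, and reports which requested scopes the IdP advertises in its discovery document but whose claims are absent from the token. The discovery lists are the ones quoted above; the scope-to-claim mapping follows OIDC Core for email/phone/profile, with "groups" taken from this IdP's claims_supported; the sample token, client_id and redirect URI are constructed.

```python
import base64
import json
from urllib.parse import quote, urlencode

# Discovery document trimmed to the two lists quoted in this thread.
DISCOVERY = {
    "scope_supported": ["basic", "openid", "email", "phone", "profile", "groups"],
    "claims_supported": ["sub", "email", "email_verified", "phone_number",
                         "phone_number_verified", "preferred_username",
                         "preferred_language", "given_name", "family_name",
                         "name", "mfa-policy", "group", "groups", "role"],
}

# Claims each scope is expected to unlock: email/phone/profile per OIDC Core
# section 5.4; "groups" is this IdP's extension, taken from claims_supported.
SCOPE_CLAIMS = {
    "email": ["email", "email_verified"],
    "phone": ["phone_number", "phone_number_verified"],
    "profile": ["name", "given_name", "family_name", "preferred_username"],
    "groups": ["groups"],
}

def authorize_query(client_id, redirect_uri, scopes):
    """Query string for the initial redirect; scope values are space-separated
    and percent-encoded as %20, matching the form shown earlier in the thread."""
    return urlencode({"response_type": "code", "client_id": client_id,
                      "redirect_uri": redirect_uri, "scope": " ".join(scopes)},
                     quote_via=quote)

def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

def decode_payload(id_token):
    """Base64url-decode the JWT payload only. This inspects claims for debugging;
    signature, issuer and audience must still be verified before the token is trusted."""
    part = id_token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def missing_claims(id_token, requested_scopes, discovery=DISCOVERY):
    """Map each requested, advertised scope to its expected claims missing from the token."""
    present = decode_payload(id_token)
    missing = {}
    for scope in requested_scopes:
        if scope not in discovery["scope_supported"] or scope not in SCOPE_CLAIMS:
            continue  # "openid" carries no extra claims; unknown scopes are skipped
        absent = [c for c in SCOPE_CLAIMS[scope]
                  if c in discovery["claims_supported"] and c not in present]
        if absent:
            missing[scope] = absent
    return missing

# Constructed sample mirroring the symptom above: profile claims present, no email
# or groups. The third segment is a placeholder, not a real signature.
SAMPLE_ID_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"sub": "chris", "name": "Christian Sepulveda", "given_name": "Christian",
             "family_name": "Sepulveda", "preferred_username": "chris"}),
    "placeholder-signature",
])
```

Running `missing_claims(SAMPLE_ID_TOKEN, ["openid", "email", "profile", "groups"])` returns `{"email": ["email", "email_verified"], "groups": ["groups"]}`, which separates "the RP never asked" from "the IdP did not release the claim".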