Alternative roles field

[jasonpincin]

It would be awesome if we could specify an alternative roles field. Some oauth2 providers do not allow roles to be set, but rather insist on name-spacing the roles field (looking at you Auth0). Perhaps in the UI, within the Adjustments section, similar to how you have an Alternative id key field, there could be an Alternative roles key field? Or even just a Roles namespace,

As a concrete example, the userinfo endpoint for our implementation returns a payload that contains the following:

{ 
  ...
  email_verified: true,
  'https://ourdomain.gg/roles': [ 'Group1 Member', 'Group2 Member' ]
}

[julianlam]

Yep this is fine, will add.

[julianlam]

While I have you, is the roles parameter name returned in the discovery endpoint?

https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata

Cursory review says no 😞

[jasonpincin]

No; it can only be done with a custom claim in Auth0 (via an "Action"). There's no way for it to know and advertise it via the discovery endpoint (that I know of).

[VictorElHajj]

Authentikat for example returns "groups" instead of roles.

[digital-pet]

Authentikat for example returns "groups" instead of roles.

So does allianceauth-oidc-provider

[FreeSynergy]

Hi ...

How far along is this feature in development? I also need the groups or organizations in Fedora.

All you have to do is select a different claim in the XML. That's all. Another field where the claim can be entered, what should be selected, and the plugin works much better for many people ...

Is this still being worked on???

Best regards and thanks for the great work.

Best regards,
Kal

Translated with DeepL.com (free version)