Return Groups with Oauth2/OIDC

Dear Team,

with SAML2 it is possible to return User-Groups after authentication within the SAML2 request.

Is that also possible by using OIDC/OAuth2?

Unfortunately I was not able to find any information.

At this moment it seems it is not possible because "scope" is missing for the "groups" attribute.

  • Suggested Answer

    Hello Kevin,

    In order to see the user group names of a user, these can be returned with the userGroups attribute.

    For OSP/OAuth2 see:

    OAuth 2.0 Attributes - Advanced Authentication - Administration (netiq.com)

    For example, using SLAnalyzer: Tools->Advanced Authentication->OSP/OAuth2.

    Steps to get attribute data…

    Click option 1 to get auth token

    Click option 2 to get access token

    Click next to last option labeled (Click here to obtain list of attributes for the authenticated user.)

    OAuth Attributes

    **********

    {
      "aud":"id-lmvBbgvWuYbh2zRVKpgyeKhnBpyth7kcx",
      "auth_time":"1707843146473",
      "cn":"Administrator",
      "dn":"CN=Administrator,CN=Users,DC=xxxxxxx,DC=novellxx,DC=com",
      "eventChains":[
        "{\"methods\":[\"LDAP_PASSWORD:1\"],\"is_trusted\":false,\"position\":0,\"short_name\":\"\",\"risk_level\":\"NONE\",\"is_enabled\":true,\"name\":\"LDAP Password Only\"}",
        "{\"methods\":[\"EMERG_PASSWORD:1\",\"BLUETOOTH_ESEC:1\"],\"is_trusted\":false,\"position\":1,\"short_name\":\"\",\"risk_level\":\"NONE\",\"is_enabled\":true,\"name\":\"BlueToothAndEmergency\"}",
        "{\"methods\":[\"CARD:1\"],\"is_trusted\":false,\"position\":2,\"short_name\":\"\",\"risk_level\":\"NONE\",\"is_enabled\":true,\"name\":\"Card only\"}",
        "{\"methods\":[\"EMAIL_OTP:1\"],\"is_trusted\":false,\"position\":3,\"short_name\":\"\",\"risk_level\":\"NONE\",\"is_enabled\":true,\"name\":\"Email Only\"}",
        "{\"methods\":[\"FACE:1\"],\"is_trusted\":false,\"position\":6,\"short_name\":\"\",\"risk_level\":\"NONE\",\"is_enabled\":true,\"name\":\"FaceOnly\"}",
        "{\"methods\":[\"FINGER:1\"],\"is_trusted\":false,\"position\":7,\"short_name\":\"\",\"risk_level\":\"NONE\",\"is_enabled\":true,\"name\":\"FingerPrint Only\"}",
        "{\"methods\":[\"PASSWORD:1\",\"LDAP_PASSWORD:1\"],\"is_trusted\":false,\"position\":10,\"short_name\":\"\",\"risk_level\":\"NONE\",\"is_enabled\":true,\"name\":\"LDAP and Password\"}",
        "{\"methods\":[\"LDAP_PASSWORD:1\",\"EMERG_PASSWORD:1\"],\"is_trusted\":false,\"position\":11,\"short_name\":\"\",\"risk_level\":\"NONE\",\"is_enabled\":true,\"name\":\"LDAPAndEmergency\"}",
        "{\"methods\":[\"LDAP_PASSWORD:1\",\"SMS_OTP:1\"],\"is_trusted\":false,\"position\":13,\"short_name\":\"\",\"risk_level\":\"NONE\",\"is_enabled\":true,\"name\":\"Password and SMS OTP\"}",
        "{\"methods\":[\"RADIUS:1\"],\"is_trusted\":false,\"position\":14,\"short_name\":\"\",\"risk_level\":\"NONE\",\"is_enabled\":true,\"name\":\"Radius Only\"}",
        "{\"methods\":[\"SECQUEST:1\"],\"is_trusted\":false,\"position\":16,\"short_name\":\"\",\"risk_level\":\"NONE\",\"is_enabled\":true,\"name\":\"Security questions only\"}",
        "{\"methods\":[\"TOTP:1\"],\"is_trusted\":false,\"position\":17,\"short_name\":\"\",\"risk_level\":\"NONE\",\"is_enabled\":true,\"name\":\"TOTP only\"}",
        "{\"methods\":[\"VOICE_OTP:1\"],\"is_trusted\":false,\"position\":18,\"short_name\":\"\",\"risk_level\":\"NONE\",\"is_enabled\":true,\"name\":\"Voice OTP only\"}",
        "{\"methods\":[\"VOICE:1\"],\"is_trusted\":false,\"position\":19,\"short_name\":\"\",\"risk_level\":\"NONE\",\"is_enabled\":true,\"name\":\"Voice Only\"}",
        "{\"methods\":[\"EMERG_PASSWORD:1\",\"PASSWORD:1\"],\"is_trusted\":false,\"position\":22,\"short_name\":\"\",\"risk_level\":\"NONE\",\"is_enabled\":true,\"name\":\"passwordAndEmergency\"}"
      ],
      "event_name":"My OSP",
      "exp":"1707843251",
      "iat":"1707843131",
      "iss":"https://example.com/osp/a/TOP/auth/oauth2",
      "user_email":"exampleemail@gmail.com",
      "user_mobile_phone":"xxxxxxxxxxxx",
      "user_name_netbios":"XXXXXX\\Administrator",
      "objectid":"3ab9e64a18d7e1459e03be37c5f07a55",
      "sAMAccountName":"Administrator",
      "user_sid":"S-1-5-21-1927949721-4245404851-362657367-500",
      "sub":"as\\-aa-6573f2a6f4317ec114f7ee15fc948c9x0",
      "userGroups":[
        "CN=Schema Admins,CN=Users,DC=xxxxxx,DC=novellxx,DC=com",
        "CN=Enterprise Admins,CN=Users,DC=xxxxxx,DC=novellxx,DC=com",
        "CN=Domain Admins,CN=Users,DC=xxxxxxx,DC=novellxx,DC=com",
        "CN=Group Policy Creator Owners,CN=Users,DC=xxxxxx,DC=novell,DC=com",
        "CN=Domain Users,CN=Users,DC=xxxxxxx,DC=novellxx,DC=com",
        "CN=Denied RODC Password Replication Group,CN=Users,DC=xxxxxxx,DC=novellxx,DC=com",
        "CN=LegacyLogon,CN=Users,DC=xxxxxx,DC=novellxx,DC=com"
      ],
      "UserId":"6573f2a6f4317ec114f7ee15fc948c90x",
      "userimmutableid":"OrnmShjX4UWeA743xfB6VQx==",
      "user_name":"Administrator",
      "repository_name":"REPONAME"
    }
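As an added example (not code from this thread, from SLAnalyzer or from NetIQ's own tooling): a relying party consuming an attribute document of the shape shown above, checking iss, aud and exp before mapping the userGroups DNs to application roles. The issuer, the client id, the sample document and the role table are assumed placeholders.

```python
import json
import time

# Constructed sample with the same shape as the OSP/OAuth2 attribute document
# above; all values are placeholders.
SAMPLE_ATTRIBUTES = json.dumps({
    "aud": "id-exampleclient",
    "iss": "https://example.com/osp/a/TOP/auth/oauth2",
    "exp": "9999999999",
    "user_name": "Administrator",
    "userGroups": [
        "CN=Domain Admins,CN=Users,DC=example,DC=com",
        "CN=Domain Users,CN=Users,DC=example,DC=com",
        "CN=LegacyLogon,CN=Users,DC=example,DC=com",
    ],
})

EXPECTED_ISS = "https://example.com/osp/a/TOP/auth/oauth2"  # assumed
EXPECTED_AUD = "id-exampleclient"                            # assumed client id

# Hypothetical relying-party role table keyed on the group CN.
ROLE_BY_GROUP_CN = {"Domain Admins": "admin", "Domain Users": "user"}


def group_cn(dn):
    """Return the CN of a DN such as 'CN=Domain Users,CN=Users,DC=...'.
    Simplified: escaped commas (\\,) inside the CN are not handled."""
    first = dn.split(",", 1)[0]
    if not first.upper().startswith("CN="):
        raise ValueError("userGroups entry is not a CN-based DN: %r" % dn)
    return first[3:]


def roles_from_attributes(doc, now=None):
    """Map userGroups to application roles, but only after the document
    proves to be ours (issuer, audience) and still valid (exp is a string
    Unix timestamp in this format)."""
    attrs = json.loads(doc)
    now = time.time() if now is None else now
    if attrs.get("iss") != EXPECTED_ISS:
        raise ValueError("unexpected issuer")
    if attrs.get("aud") != EXPECTED_AUD:
        raise ValueError("attributes not issued for this client")
    if int(attrs.get("exp", "0")) <= now:
        raise ValueError("attributes expired")
    roles = set()
    for dn in attrs.get("userGroups", []):
        role = ROLE_BY_GROUP_CN.get(group_cn(dn))
        if role:
            roles.add(role)
    return sorted(roles)
```

Groups that have no entry in the role table (LegacyLogon here) are ignored rather than granting anything by default.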

  • in reply to

    Unfortunately, specifically the "userGroups" attribute and some others are missing from the documentation: OAuth 2.0 Attributes - Advanced Authentication - Administration (netiq.com)

    Please forward this internally so that the documentation will be refreshed.