Option to use 'roles' claim rather than 'groups'

[jamesacris]

Hi. I'm working with an OIDC client - a containerised MISP deployment, the GitHub repo can be found here, and their docs on OIDC integration can be found here)

This client requires me to use the roles claim in the profile to map IAM users to roles in the client, but IAM provides a groups claim to achieve this instead. I would have to either heavily customise the docker image, or contact the developers of the client to use the groups claim instead (worth noting I am currently attempting both of those to see if they'll work).

I wanted to know if it would be feasible for IAM to add a feature that would allow me to simply switch the name of the claim submitted from groups to roles, whilst still using the groups data in IAM.

[norealroots]

A note, as the admin of the IAM instance @jamesacris is looking to integrate: ideally this would be an option configurable on a client-by-client basis, rather than changing groups to roles for all tokens the IAM issues.

Roles seems to be an Azure thing: https://learn.microsoft.com/en-us/azure/active-directory/develop/id-tokens#claims-in-an-id-token, so I assume this is the origin of their use in Misp. From my view, the ideal solution would be an option to specify the claim to be referenced at the Misp-level.

[enricovianello]

Hi all, we briefly discussed this at IAM Hackathon @ CERN and this could be obtained with a not complex development. You probably need a custom JWT profile (ref: https://indigo-iam.github.io/v/v1.8.0/docs/reference/configuration/jwt-profiles/) that we can, for example, call as a "misp" JWT profile. This profile can be written in order to rename the groups claim to roles. This JWT profile can be instructed to be "activated" with a proper system scope that we can also call "misp". This scope can be assigned to clients in order to get custom tokens.

We currently have a default JWT profile (called "iam") and two other custom profiles: aarc and wlcg. This is the aarc profile code package: https://github.com/indigo-iam/iam/tree/master/iam-login-service/src/main/java/it/infn/mw/iam/core/oauth/profile/aarc

We would be very glad to receive contributions in case like this. If you want, you could develop your own "misp" profile and then submit a PR to us that we can review.

[jamesacris]

Hi Enrico, thank you for your reply, it is much appreciated.

Having looked more closely at misp's configuration and hearing from someone who managed to get misp working with the groups claim (NUKIB/misp#72 (comment)), I think the best way forward is to attempt to do a similar thing by editing the misp config. It's possible this might not work, in which case your idea to create a misp jwt profile is a route I will look into.

[enricovianello]

During IAM Hackathon we develop a new “keycloak” JWT profile which customise the access-token/user-info/id-token/introspection endpoint response with claim “roles” instead of “groups” claim.
We tested access-token customisation with jUnit tests. We still need to add more tests in order to check the content of user-info/id-token/introspection responses.
A PR has been added #636

[federicaagostini]

Solved in PR #637