/tokenInfo Endpoint retrieving isMemberOf group information with Tivoli

This topic has 6 replies, 2 voices, and was last updated 6 years, 2 months ago by Fernando A. Barbeiro Campos.

    #13092

    Hi guys,

    Simple question:
    I had configured an OpenDJ as my DataStore and, once I assigned a user to a group, I could retrieve it through the /openam/oauth2/tokeninfo?access_token=XXXXX endpoint (yes, I’m dealing with OAuth2 providers, and the group value is returned since I had “isMemberOf” among my scopes and had also defined this isMemberOf value under my datastore’s LDAP User Attributes).

    The issue is that now we are using a Tivoli Directory Service instead of OpenDJ, and although my configuration via the Admin Console is still retrieving and filling Subjects / Users / Groups pretty well, my /tokenInfo endpoint no longer provides the information regarding group assignment.

    My question: do I need to change anything to have it working?

    Any suggestion will be extremely appreciated.

    Thanks in advance.

    #13111

    Just in order to provide further details:

    This is a curl call with OpenDJ as the DataStore:
    $ curl http://openam.example.com:8080/openam/oauth2/tokeninfo?access_token=XXXXYYYY

    {"scope":["isMemberOf"],"realm":"/employee","isMemberOf":"cn=ROLE_EMPLOYEE,ou=groups,ou=employee,dc=example,dc=com","token_type":"Bearer","expires_in":22,"client_id":"poc","access_token":"XXXXYYYY","grant_type":"password"}

    Meanwhile, the same curl call with Tivoli as the DataStore:
    $ curl http://openam.example.com:8080/openam/oauth2/tokeninfo?access_token=XXXXYYYY

    {"scope":["isMemberOf"],"realm":"/employee","isMemberOf":"","token_type":"Bearer","expires_in":375,"client_id":"poc","access_token":"XXXXYYYY","grant_type":"password"}

    Any suggestion?

    Thanks,

    #13116
     Andrew Potter
    Participant

    I think Tivoli uses ‘memberOf’, rather than ‘isMemberOf’ by default.

    #13117

    Great, thanks @andrew-potter

    I’m gonna try and I’ll share the result.

    Regards

    #13132

    At the end of the day, the attribute that I need to add to my LDAP User Attributes, as well as to my scope was “ibm-allgroups”.

    Thanks for the collaboration, Andrew.

    #13145
     Andrew Potter
    Participant

    Perfect, glad you got it sorted :)

    Just a thought: if you wanted the behaviour to be consistent, would setting the ‘Attribute Name Mapping’ in the DataStore settings so that isMemberOf is mapped to ‘ibm-allgroups’ mean you could use isMemberOf in the scope list instead? I.e. provide consistency at the OpenAM interface irrespective of the underlying repository schema.

    #13146

    Good suggestion @andrew-potter, I completely agree with you. I’ll try as soon as possible.

    Thanks again :D

    Regards,
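As an added example (not code from this thread or from OpenAM itself), here is a small Python consumer of the /tokeninfo response that normalizes the group claim across the directory-specific attribute names discussed above (isMemberOf, ibm-allgroups, memberOf; the fallback order is an assumption) and fails closed on the empty value that the Tivoli-backed datastore returned. The two sample bodies are constructed from the responses quoted in the thread, with placeholder token values.

```python
import json

# Constructed sample bodies modelled on the two /tokeninfo responses quoted
# in this thread (token strings are placeholders, not real values).
OPENDJ_RESPONSE = ('{"scope":["isMemberOf"],"realm":"/employee",'
                   '"isMemberOf":"cn=ROLE_EMPLOYEE,ou=groups,ou=employee,dc=example,dc=com",'
                   '"token_type":"Bearer","expires_in":22,"client_id":"poc",'
                   '"access_token":"XXXXYYYY","grant_type":"password"}')
TIVOLI_RESPONSE = ('{"scope":["isMemberOf"],"realm":"/employee","isMemberOf":"",'
                   '"token_type":"Bearer","expires_in":375,"client_id":"poc",'
                   '"access_token":"XXXXYYYY","grant_type":"password"}')

# Attribute names under which different directories expose group membership.
# The first one present and non-empty wins; this ordering is an assumption.
GROUP_ATTRIBUTES = ("isMemberOf", "ibm-allgroups", "memberOf")


def group_dns(tokeninfo):
    """Return the group DNs found in a parsed /tokeninfo body, or [] if none.
    Handles both a single string value and a list of values."""
    for attr in GROUP_ATTRIBUTES:
        value = tokeninfo.get(attr)
        if isinstance(value, str):
            value = [value] if value else []   # "" means no groups, not one empty group
        if value:
            return list(value)
    return []


def group_cns(tokeninfo):
    """Extract the cn of each group DN, e.g. 'cn=ROLE_EMPLOYEE,ou=...' -> 'ROLE_EMPLOYEE'."""
    cns = []
    for dn in group_dns(tokeninfo):
        key, _, val = dn.split(",", 1)[0].partition("=")
        if key.strip().lower() == "cn":
            cns.append(val.strip())
    return cns


def groups_from_body(body):
    """Convenience wrapper: raw JSON body -> list of group cn values."""
    return group_cns(json.loads(body))


def authorize(body, required_group):
    """Fail closed: grant only if the token is unexpired, a group-carrying scope
    was actually granted, and required_group appears in a non-empty group claim."""
    info = json.loads(body)
    if info.get("expires_in", 0) <= 0:
        return False
    if not any(s in GROUP_ATTRIBUTES for s in info.get("scope", [])):
        return False
    return required_group in group_cns(info)
```

Against the Tivoli-backed body the claim is present but empty, so authorize() denies access rather than treating the missing mapping as "any group".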
