/tokenInfo Endpoint retrieving isMemberOf group information with Tivoli

This topic has 6 replies, 2 voices, and was last updated 6 years, 2 months ago by Fernando A. Barbeiro Campos.


    Hi guys,

    Simple question:
I had configured OpenDJ as my DataStore and, once I assigned a user to a group, I could retrieve it through the /openam/oauth2/tokeninfo?access_token=XXXXX endpoint (yes, I'm dealing with OAuth2 providers, and the groups value is returned since I had "isMemberOf" among my scopes and had defined this isMemberOf value under my datastore's LDAP User Attributes).

    The issue is that now we are using a Tivoli Directory Service instead of OpenDJ, and although my configuration via the Admin Console is still retrieving and filling Subjects / Users / Groups pretty well, my /tokenInfo endpoint no longer provides the information regarding group assignment.

    My question: do I need to change anything to have it working?

    Any suggestion will be extremely appreciated.

    Thanks in advance.


    Just in order to provide further details:

    This is a CURL with OpenDJ as DataStore
    $ curl http://openam.example.com:8080/openam/oauth2/tokeninfo?access_token=XXXXYYYY

    {"scope":["isMemberOf"],"realm":"/employee","isMemberOf":"cn=ROLE_EMPLOYEE,ou=groups,ou=employee,dc=example,dc=com","token_type":"Bearer","expires_in":22,"client_id":"poc","access_token":"XXXXYYYY","grant_type":"password"}

    Meanwhile, the same CURL with Tivoli as DataStore:
    $ curl http://openam.example.com:8080/openam/oauth2/tokeninfo?access_token=XXXXYYYY

    Any suggestion?


     Andrew Potter

    I think Tivoli uses ‘memberOf’, rather than ‘isMemberOf’ by default.


    Great, thanks @andrew-potter

    I’m gonna try and I’ll share the result.



    At the end of the day, the attribute that I needed to add to my LDAP User Attributes, as well as to my scope, was "ibm-allgroups".

    Thanks for the collaboration, Andrew.

     Andrew Potter

    Perfect, glad you got it sorted :)

    Just a thought: if you wanted the behaviour to be consistent, would setting the 'Attribute Name Mapping' in the DataStore settings so that isMemberOf is mapped to 'ibm-allgroups' mean you could use isMemberOf in the scope list instead? I.e. provide consistency at the OpenAM interface irrespective of the underlying repository schema.


    Good suggestion @andrew-potter, I completely agree with you. I’ll try as soon as possible.

    Thanks again :D
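Added example, not posted by either participant and not ForgeRock code: a resource server that consumes the /oauth2/tokeninfo JSON shown earlier in the thread and enforces group membership without caring whether the datastore exposed the groups as "isMemberOf" (OpenDJ), "ibm-allgroups" (Tivoli) or "memberOf" (Andrew's first guess, which is also Active Directory's name). The sample responses are constructed here, modelled on the JSON in the thread; the "error" member on a rejected token and the list-versus-string shape of a multi-valued attribute are assumptions, as are the names `authorize`, `extract_groups` and `group_cn`. It also demonstrates the failure mode the thread hit: a response with the right scope but no group attribute at all is denied rather than silently treated as "no groups".

```python
"""Consume an OpenAM tokeninfo response and authorise by LDAP group.

Added example, not from the thread or from ForgeRock. Assumes tokeninfo
returns an "error" member for an invalid token, a single-valued attribute
as a string and a multi-valued attribute as a list.
"""
import json
import re

# Attribute names tried in order. "isMemberOf" (OpenDJ) and "ibm-allgroups"
# (Tivoli / IBM Directory Server) are the two names from the thread;
# "memberOf" is included as the Active Directory spelling.
GROUP_ATTRIBUTES = ("isMemberOf", "ibm-allgroups", "memberOf")

# Constructed sample responses. OPENDJ_RESPONSE mirrors the JSON posted in
# the thread; TIVOLI_BEFORE is what the Tivoli-backed realm returned before
# ibm-allgroups was added to the scope and LDAP User Attributes, and
# TIVOLI_AFTER what it returns afterwards (two groups, so a list).
OPENDJ_RESPONSE = json.dumps({
    "scope": ["isMemberOf"], "realm": "/employee",
    "isMemberOf": "cn=ROLE_EMPLOYEE,ou=groups,ou=employee,dc=example,dc=com",
    "token_type": "Bearer", "expires_in": 22, "client_id": "poc",
    "access_token": "XXXXYYYY", "grant_type": "password"})
TIVOLI_BEFORE = json.dumps({
    "scope": ["isMemberOf"], "realm": "/employee", "token_type": "Bearer",
    "expires_in": 22, "client_id": "poc", "access_token": "XXXXYYYY",
    "grant_type": "password"})
TIVOLI_AFTER = json.dumps({
    "scope": ["ibm-allgroups"], "realm": "/employee",
    "ibm-allgroups": ["cn=ROLE_EMPLOYEE,ou=groups,ou=employee,dc=example,dc=com",
                      "cn=ROLE_PAYROLL,ou=groups,ou=employee,dc=example,dc=com"],
    "token_type": "Bearer", "expires_in": 22, "client_id": "poc",
    "access_token": "XXXXYYYY", "grant_type": "password"})
EXPIRED_RESPONSE = json.dumps({
    "scope": ["isMemberOf"], "realm": "/employee",
    "isMemberOf": "cn=ROLE_EMPLOYEE,ou=groups,ou=employee,dc=example,dc=com",
    "token_type": "Bearer", "expires_in": 0, "client_id": "poc",
    "access_token": "XXXXYYYY", "grant_type": "password"})


def split_dn(dn):
    """Split a DN into RDN strings on commas that are not backslash-escaped."""
    return [rdn.strip() for rdn in re.split(r"(?<!\\),", dn)]


def group_cn(dn):
    """Return the cn value of a group DN, or None if it has no cn RDN."""
    for rdn in split_dn(dn):
        attr, sep, value = rdn.partition("=")
        if sep and attr.strip().lower() == "cn":
            return value.strip()
    return None


def extract_groups(info):
    """Collect group DNs from whichever attribute the datastore exposed.

    A single-valued attribute arrives as a string, a multi-valued one as a
    list; both are normalised to a list of DN strings.
    """
    groups = []
    for attr in GROUP_ATTRIBUTES:
        value = info.get(attr)
        if value is None:
            continue
        groups.extend([value] if isinstance(value, str) else list(value))
    return groups


def authorize(tokeninfo_json, required_scope, required_group):
    """Return (allowed, reason) for a resource restricted to one group."""
    info = json.loads(tokeninfo_json)
    if "error" in info:
        return False, "token rejected: %s" % info["error"]
    if int(info.get("expires_in", 0)) <= 0:
        return False, "token expired"
    scopes = info.get("scope", [])
    if isinstance(scopes, str):  # tolerate a space-separated scope string
        scopes = scopes.split()
    if required_scope not in scopes:
        return False, "scope %r not granted" % required_scope
    groups = extract_groups(info)
    if not groups:
        # The thread's symptom: scope present, attribute absent. Deny, do not
        # treat it as an empty membership list.
        return False, "no group attribute in tokeninfo (check LDAP User Attributes and scope)"
    # LDAP cn matching is case-insensitive, so compare case-insensitively.
    cns = {cn.lower() for cn in (group_cn(dn) for dn in groups) if cn}
    if required_group.lower() not in cns:
        return False, "user is not in %s (groups: %s)" % (required_group, sorted(cns))
    return True, "member of %s" % required_group


if __name__ == "__main__":
    for label, body in (("OpenDJ", OPENDJ_RESPONSE), ("Tivoli before", TIVOLI_BEFORE),
                        ("Tivoli after", TIVOLI_AFTER), ("expired", EXPIRED_RESPONSE)):
        scope = "ibm-allgroups" if "ibm-allgroups" in body else "isMemberOf"
        print(label, authorize(body, scope, "ROLE_EMPLOYEE"))
```

Two caveats on the design. Matching on cn alone, as above, treats two groups with the same cn in different OUs as the same group; where that is possible, compare the whole normalised DN instead. And the curl commands in the thread put the access token in the query string of a plain http URL: query strings end up in proxy and server logs, so call tokeninfo over HTTPS and treat the request URL itself as a secret.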


©2022 ForgeRock