/tokenInfo Endpoint retrieving isMemberOf group information with Tivoli

Home Forums ForgeRock Products Access Management /tokenInfo Endpoint retrieving isMemberOf group information with Tivoli

Learn more about our upcoming Identity Summits

Tagged: , , ,

This topic has 6 replies, 2 voices, and was last updated 5 years, 10 months ago by Fernando A. Barbeiro Campos.

  • Author
    Posts
  • September 19, 2016 at 5:37 pm #13092
     Fernando A. Barbeiro Campos
    Participant

    Hi guys,

    Simple question:
    I had configured an OpenDJ as my DataStore and once I assigned a user to a group, I could retrieve it through the /openam/oauth2/tokeninfo?access_token=XXXXX endpoint (yes I’m dealing with OAuth2 providers and the value of groups returns since I had “isMemberOf” among my scopes and once I had defined under my datastore, LDAP User Attributes, this isMemberOf value).

    The issue is that now we are using a Tivoli Directory Service instead of OpenDJ, and although my configuration via Console Admin is still retrieving and filling Subjects / Users / Groups pretty well, my /tokenInfo endpoint doesn’t provide anymore the information regarding groups assignation.

    My question: do I need to change anything to have it working?

    Any suggestion will be extremely appreciated.

    Thanks in advance.

    September 20, 2016 at 8:31 am #13111
     Fernando A. Barbeiro Campos
    Participant

    Just in order to provide further details:

    This is a CURL with OpenDJ as DataStore
    $ curl http://openam.example.com:8080/openam/oauth2/tokeninfo?access_token=XXXXYYYY

    {"scope":"isMemberOf"],"realm":"/employee","isMemberOf":"cn=ROLE_EMPLOYEE,ou=groups,ou=employee,dc=example,dc=com","token_type":"Bearer","expires_in":22,"client_id":"poc", "access_token":"XXXXYYYY","grant_type":"password"}

    Meanwhile, this same CURL with Tivoli as DataStore
    $ curl http://openam.example.com:8080/openam/oauth2/tokeninfo?access_token=XXXXYYYY
    {"scope":"isMemberOf"],"realm":"/employee","isMemberOf":"","token_type":"Bearer","expires_in":375,"client_id":"poc","access_token":"XXXXYYYY","grant_type":"password"}

    Any suggestion?

    Thanks,

    September 20, 2016 at 10:09 am #13116
     Andrew Potter
    Participant

    I think Tivoli uses ‘memberOf’, rather than ‘isMemberOf’ by default.

    September 20, 2016 at 10:19 am #13117
     Fernando A. Barbeiro Campos
    Participant

    Great, thanks @andrew-potter

    I’m gonna try and I’ll share the result.

    Regards

    September 20, 2016 at 2:49 pm #13132
     Fernando A. Barbeiro Campos
    Participant

    At the end of the day, the attribute that I need to add to my LDAP User Attributes, as well as to my scope was “ibm-allgroups”.

    Thanks for the collaborations Andrew.

    September 20, 2016 at 3:59 pm #13145
     Andrew Potter
    Participant

    perfect, glad you got it sorted :)

    just a thought, if you wanted the behaviour to be consistent, would setting the ‘Attribute Name Mapping’ in the DataStore settings so that isMemberOf is mapped to ‘ibm-allgroups’ mean you could use isMemberOf in the scope list instead? i.e. provide consistency at the OpenAM interface irrespective of underlying repository schema.

    September 20, 2016 at 4:04 pm #13146
     Fernando A. Barbeiro Campos
    Participant

    Good suggestion @andrew-potter, I completely agree with you. I’ll try as soon as possible.

    Thanks again :D

    Regards,

  • Author
    Posts
Viewing 7 posts - 1 through 7 (of 7 total)

You must be logged in to reply to this topic.

Leaderboard

The leaderboard is based on our rockin' informal points system, read about it here.
Visit our blog

©2022 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.

Log in with your credentials

Forgot your details?