
OpenID Connect `group` claim support

Open azmeuk opened this issue 4 years ago • 4 comments

I suggest reading the groups a user belongs to from a group claim in the user JWT. There is currently no standard around an OIDC group claim, but this can be done with a configuration parameter to choose which claim should be used. This is how nextcloud-oidc-login handles it, for instance.

What do you think? Would you accept such a patch?

azmeuk avatar Oct 21 '21 12:10 azmeuk

How standard is it? Any use-cases other than nextcloud?

samdark avatar Oct 21 '21 12:10 samdark

nextcloud-oidc-login is not a use case for yii, it is an example of an OIDC client that handles a group claim.

There is no actual standard (RFC or whatever) but a strong convention among the OIDC players. However, as there is no standard, the different identity providers use different claims to communicate the groups a user belongs to. This is why I suggest adding a configuration option so one can choose the right claim in which to read the user groups.

azmeuk avatar Oct 21 '21 12:10 azmeuk
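To make the configurable-claim idea from the comments above concrete, here is an added example that is not code from yii2-authclient or from the issue author: a helper that reads group names out of an already-verified token payload using a configured claim name, and normalizes the differing shapes providers send. The claim names, the dotted path syntax for nested claims, and the sample payloads are assumptions.

```php
<?php
// Added example, not part of yii2-authclient. Assumption: $claims is the decoded
// payload of an ID token whose signature, issuer, audience and expiry have already
// been verified; group membership read from an unverified token must not be trusted.
declare(strict_types=1);

/**
 * @param array<string,mixed> $claims      decoded and verified token payload
 * @param string              $groupsClaim configured claim name; "a.b" addresses a nested claim
 * @return string[]                        de-duplicated list of group names, [] if the claim is absent
 */
function extractGroups(array $claims, string $groupsClaim): array
{
    $value = $claims;
    foreach (explode('.', $groupsClaim) as $segment) {
        if (!is_array($value) || !array_key_exists($segment, $value)) {
            return []; // claim missing: treat as "no groups", never fall back to a default group
        }
        $value = $value[$segment];
    }

    // Providers differ: some send a JSON array, some a single string, some a
    // space- or comma-separated string. Normalize everything to a flat string list.
    if (is_string($value)) {
        $value = preg_split('/[\s,]+/', $value, -1, PREG_SPLIT_NO_EMPTY);
    } elseif (!is_array($value)) {
        return []; // numbers, booleans, objects etc. are not valid group lists
    }

    $groups = [];
    foreach ($value as $item) {
        if (is_string($item) && $item !== '') {
            $groups[$item] = true; // array keys de-duplicate repeated names
        }
    }
    return array_keys($groups);
}

// Constructed sample payloads (not real tokens) showing two claim layouts.
$idpA = ['sub' => 'alice', 'groups' => ['admins', 'dev', 'admins']];
$idpB = ['sub' => 'bob', 'realm_access' => ['roles' => 'editor viewer']];

var_dump(extractGroups($idpA, 'groups'));
var_dump(extractGroups($idpB, 'realm_access.roles'));
var_dump(extractGroups($idpB, 'groups'));
```

Mapping the returned names onto application roles is a separate step; the helper only answers "which group names did the verified token carry", so a misconfigured claim name yields an empty list rather than elevated access.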

Sounds alright. Have time for a pull request?

samdark avatar Oct 21 '21 14:10 samdark

Not in the near future, but I would be OK to tackle this.

azmeuk avatar Oct 21 '21 14:10 azmeuk