Getting Groups claims via OIDC
Preflight checklist
- [X] I could not find a solution in the existing issues, docs, nor discussions.
- [X] I agree to follow this project's Code of Conduct.
- [X] I have read and am following this repository's Contribution Guidelines.
- [x] This issue affects my Ory Network project.
- [X] I have joined the Ory Community Slack.
- [ ] I am signed up to the Ory Security Patch Newsletter.
Describe your problem
I’m trying Ory Cloud to make more progress with the auth flow. I’m using OIDC with Ory, but I’m struggling to get the user’s group memberships from the userinfo results. Right now I’m getting this, despite adding `group` or `groups` to the requested scopes:
```json
{
  "amr": [
    "password"
  ],
  "aud": [
    "xxxxxx-4dc9-8094-7d4926d3350e"
  ],
  "auth_time": 1678204037,
  "email": "[email protected]",
  "email_verified": true,
  "iat": 1678204043,
  "iss": "https://pedantic-kilby-s9jc724ku9.projects.oryapis.com",
  "rat": 1678204033,
  "sub": "zxxxxxxx-d186-4251-8369-xxxxxxx"
}
```
These are the relationships defined in the UI (I set them using the CLI). I’m using the default permission modelling/rules:
```ts
import { Namespace, SubjectSet, Context } from "@ory/permission-namespace-types"

/*
Define your OPL rules here. Some examples:
*/

class User implements Namespace {
  related: {
    manager: User[]
  }
}

class Group implements Namespace {
  related: {
    members: (User | Group)[]
  }
}

class Folder implements Namespace {
  related: {
    parents: (File | Folder)[]
    viewers: SubjectSet<Group, "members">[]
  }

  permits = {
    view: (ctx: Context): boolean =>
      this.related.viewers.includes(ctx.subject) ||
      this.related.parents.traverse((p) => p.permits.view(ctx)),
  }
}

class File implements Namespace {
  related: {
    parents: (File | Folder)[]
    viewers: (User | SubjectSet<Group, "members">)[]
    owners: (User | SubjectSet<Group, "members">)[]
  }

  permits = {
    view: (ctx: Context): boolean =>
      this.related.parents.traverse((p) => p.permits.view(ctx)) ||
      this.related.viewers.includes(ctx.subject) ||
      this.related.owners.includes(ctx.subject),
    edit: (ctx: Context) => this.related.owners.includes(ctx.subject),
  }
}
```
Thanks in advance.
Describe your ideal solution
Getting the groups the user is a member of.
Workarounds or alternatives
Nothing found yet as a workaround.
Version
latest // using cloud solution
Additional Context
No response
This is kinda related to #261 but instead of traits we want to add certain relationships.
@mounirmesselmeni thank you for the report! Unfortunately, the data from Ory Keto does not automatically populate into the ID token. I think that's a great idea though, I'm just not fully sure yet how that could work.
To populate the ID token with any data you want, you can write a custom consent endpoint. A guide for that is here: https://www.ory.sh/docs/hydra/guides/custom-ui-oauth2
You won't need to customize the login endpoint, only the consent endpoint. Using a custom consent endpoint, you can basically say what data goes into your tokens.
Hope this helps!
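As an added illustration of the custom consent endpoint approach described above (example code, not Ory's own): the handler fetches the consent request from the Hydra admin API, reads the subject's `Group#members` tuples from the Keto read API, and only copies the group names into the ID token session when the client requested the `groups` scope. The URLs, the `groups` scope name and the claim name are assumptions; the `Group`/`members` namespace comes from the OPL in the issue.

```javascript
// Assumed endpoints (placeholders): Hydra admin API and Keto read API.
const HYDRA_ADMIN_URL = process.env.HYDRA_ADMIN_URL || "http://127.0.0.1:4445";
const KETO_READ_URL = process.env.KETO_READ_URL || "http://127.0.0.1:4466";

// Collect group object ids from Keto relation tuples of the form
// Group:<object>#members@<subject_id>. Tuples from other namespaces or
// relations (e.g. File#viewers) and tuples for other subjects are ignored.
function groupsFromTuples(tuples, subjectId) {
  const groups = new Set();
  for (const t of tuples) {
    if (t.namespace === "Group" && t.relation === "members" && t.subject_id === subjectId) {
      groups.add(t.object);
    }
  }
  return [...groups].sort();
}

// Build the body for PUT /admin/oauth2/auth/requests/consent/accept.
// The claim is released only when "groups" is among the requested scopes,
// so clients that did not ask for it never see the membership data.
function buildConsentAcceptBody(consentRequest, groups) {
  const requested = consentRequest.requested_scope || [];
  const body = {
    grant_scope: requested,
    grant_access_token_audience: consentRequest.requested_access_token_audience || [],
    remember: false,
    session: { id_token: {}, access_token: {} },
  };
  if (requested.includes("groups")) {
    body.session.id_token.groups = groups; // assumed claim name
  }
  return body;
}

// End-to-end consent handler. fetchImpl is injectable so the flow can be
// exercised against stubs instead of live services.
async function handleConsent(consentChallenge, fetchImpl = fetch) {
  const q = new URLSearchParams({ consent_challenge: consentChallenge });
  const cr = await (await fetchImpl(`${HYDRA_ADMIN_URL}/admin/oauth2/auth/requests/consent?${q}`)).json();
  const kq = new URLSearchParams({ namespace: "Group", relation: "members", subject_id: cr.subject });
  const kr = await (await fetchImpl(`${KETO_READ_URL}/relation-tuples?${kq}`)).json();
  const body = buildConsentAcceptBody(cr, groupsFromTuples(kr.relation_tuples || [], cr.subject));
  const res = await fetchImpl(`${HYDRA_ADMIN_URL}/admin/oauth2/auth/requests/consent/accept?${q}`, {
    method: "PUT", headers: { "content-type": "application/json" }, body: JSON.stringify(body),
  });
  return (await res.json()).redirect_to; // redirect the browser here to finish the flow
}
```

Because `groups` is written into `session.id_token`, it will show up in the ID token and the userinfo response; put it under `session.access_token` instead if only the access token should carry it.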