We are integrating PingID Connect with our application, which is a Single Page App (SPA). The SPA "bundler" sits on a Tomcat app server behind an Apache reverse proxy; the Apache reverse proxy also acts as a proxy for all the API calls the app makes.
We are integrating with the Apache module mod_auth_openidc. Our clients are authenticated through Ping against a corporate Active Directory (AD) store. The app has role-based access using AD groups.
We would like to integrate AD group based access through OpenID/OAuth; the AD groups are sent as claims in the id_token. However, it seems that we get the claims (through the id_token) only after we post the auth_code to the auth endpoint (which also has scope as an input param).
So we have no way of selecting a scope based on an AD group? If so, does this mean we have to have a custom role-based matrix store which maps to each scope defined? Any suggestions are most welcome.
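An added mod_auth_openidc configuration, not from the post above, showing one way the group claims can drive access once the code exchange has populated the session: the scope is requested up front, the claims are handed to the proxied app as headers, and one location is gated at the proxy on group membership. The hostnames, client values, the `groups` claim name and the `AppAdmins` group are assumptions.

```apache
# Added example (not the poster's configuration). Hostnames, client id,
# the "groups" claim name and the AppAdmins group are assumed values.
LoadModule auth_openidc_module modules/mod_auth_openidc.so

OIDCProviderMetadataURL https://sso.example.corp/.well-known/openid-configuration
OIDCClientID           spa-client-id
OIDCClientSecret       REPLACE-WITH-CLIENT-SECRET
OIDCRedirectURI        https://app.example.corp/oidc/callback
OIDCCryptoPassphrase   REPLACE-WITH-RANDOM-PASSPHRASE

# Request the scope that makes the IdP include the group claim. The claim
# only arrives after the code exchange, so access is decided per request
# from the stored session claims, not by choosing a scope per group.
OIDCScope "openid profile email groups"

# Pass claims to Tomcat as OIDC_CLAIM_* request headers. Tomcat must be
# reachable only through this proxy, otherwise a client could set the
# same headers itself.
OIDCPassClaimsAs    headers
OIDCClaimPrefix     OIDC_CLAIM_
OIDCRemoteUserClaim preferred_username

# Whole app (SPA bundle and API) requires an authenticated session.
<Location />
    AuthType openid-connect
    Require valid-user
    ProxyPass        http://127.0.0.1:8080/
    ProxyPassReverse http://127.0.0.1:8080/
</Location>

# Coarse gate at the proxy: only members of the assumed AD group reach the
# admin API. Finer role mapping is left to the app, which reads the
# OIDC_CLAIM_groups header instead of a per-scope matrix.
<Location /api/admin/>
    AuthType openid-connect
    Require claim groups:AppAdmins
</Location>
```

If the IdP delivers groups as distinguished names rather than plain names, the `Require claim` value has to match the exact string the IdP sends.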