
We are integrating PingID Connect with our application, which is a Single Page App (SPA). The SPA "bundle" sits on a Tomcat app server behind an Apache reverse proxy; the Apache reverse proxy also acts as a proxy for all the API calls the app makes.

We are integrating with the Apache module mod_auth_openidc. Our clients are authenticated through Ping against a corporate Active Directory (AD) store. The app has role-based access using AD groups.

We would like to integrate AD-group-based access through OpenID/OAuth; the AD groups are sent as claims in the id_token. However, it seems that we get the claims (through the id_token) only after we post the auth_code to the auth endpoint (which also has scope as an input param).

So we have no way of selecting a scope based on an AD group? If so, does this mean we have to have a custom role-based matrix store which maps to each scope defined? Any suggestions are most welcome.

  • I don't see how you would "select a scope based on an AD group". The scope is something the Client sends right away with the authentication request, before the user has authenticated. It is thus independent of groups or even users. If you want to base access on AD group membership you should just do that with the existing `Require claim memberOf:` capability, independent of scopes. – Hans Z. Apr 17 '17 at 16:22
  • Thanks @HansZ. That makes sense! – user1662554 Apr 19 '17 at 08:42

0 Answers
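The approach from the comment above, as an added example (not part of the original question, and not taken from the mod_auth_openidc documentation): an Apache httpd vhost fragment that keeps the OAuth scope fixed per client and does the per-path authorisation on the AD `memberOf` claim with `Require claim`, then reverse-proxies to the Tomcat-hosted SPA and API. The hostnames, client ID/secret, paths and group DNs are placeholders; it assumes Ping releases the AD groups as a multi-valued `memberOf` claim in the id_token, as the comment describes.

```apache
# Added example (placeholders throughout): mod_auth_openidc in front of a
# Tomcat-hosted SPA and its API, authorising on the AD "memberOf" claim.
<VirtualHost *:443>
    ServerName app.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/app.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/app.example.com.key

    # --- Relying-party settings (placeholders; keep the secret out of VCS) ---
    OIDCProviderMetadataURL https://sso.example.com/.well-known/openid-configuration
    OIDCClientID            spa-gateway
    OIDCClientSecret        change-me-client-secret
    OIDCRedirectURI         https://app.example.com/oidc/callback
    OIDCCryptoPassphrase    change-me-long-random-passphrase

    # The scope is sent with the authentication request, before the user has
    # logged in, so it cannot depend on AD group membership. Request only what
    # is needed for the provider to release the memberOf claim.
    OIDCScope "openid profile"

    # Hand the backend the verified claims as prefixed headers. Tomcat must
    # trust these headers only because it is reachable solely via this proxy.
    OIDCPassClaimsAs    headers
    OIDCClaimPrefix     OIDC_CLAIM_
    OIDCRemoteUserClaim sub

    # Authentication for everything; authorisation is refined per path below.
    # (With the default AuthMerging Off, a child <Location> replaces the
    # parent's Require rules rather than adding to them.)
    <Location />
        AuthType openid-connect
        Require  valid-user
    </Location>

    # Admin API: members of the AD admin group only. memberOf is an array, so
    # the rule matches if any group DN in the claim equals this value.
    <Location /api/admin>
        AuthType openid-connect
        Require  claim memberOf:CN=App-Admins,OU=Groups,DC=corp,DC=example,DC=com
    </Location>

    # General API: admins or readers. Sibling Require lines sit in an implicit
    # <RequireAny>, so either group grants access.
    <Location /api>
        AuthType openid-connect
        Require  claim memberOf:CN=App-Admins,OU=Groups,DC=corp,DC=example,DC=com
        Require  claim memberOf:CN=App-Readers,OU=Groups,DC=corp,DC=example,DC=com
    </Location>

    # The redirect URI is handled by mod_auth_openidc itself; never proxy it.
    ProxyPass        /oidc/callback !

    # Reverse proxy to the Tomcat app (SPA bundle and API under one context).
    ProxyPreserveHost On
    ProxyPass        /api http://127.0.0.1:8080/app/api
    ProxyPassReverse /api http://127.0.0.1:8080/app/api
    ProxyPass        /    http://127.0.0.1:8080/app/
    ProxyPassReverse /    http://127.0.0.1:8080/app/
</VirtualHost>
```

With this layout there is no scope-to-role matrix to maintain: the provider issues one id_token per login, Apache checks the group DN against each `Require claim` rule at request time, and the Tomcat side can read `OIDC_CLAIM_memberOf` if it needs finer-grained checks of its own. The check is exact-match on the DN, so a renamed or moved AD group silently stops matching; verify the rules after any directory change.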