We have decided to define ClientData as the user data contract containing identifier, name and also groups.
We have learned that not all IAM providers allow providing user groups with the user token, although they are OIDC compliant. Groups is not a standard claim, as per https://openid.net/specs/openid-connect-core-1_0.html#Claims.
We want to allow querying groups via IdentityManagement Plugin for such cases.
Todos:
verify feasibility
extend ClientData verification to query groups from IAM for an authenticated user
Feature Flag
OR standard behaviour identified by a flag set in ClientData header
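A sketch of the group fallback described above, as an added example that is not the project's own code. The `groups` claim name, the `query_groups` flag, the `iam_group_lookup` callable and the sample directory are assumptions made for illustration; the claims are assumed to come from a token that has already been verified.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, Mapping, Optional, Tuple


@dataclass(frozen=True)
class ClientData:
    identifier: str
    name: str
    groups: Tuple[str, ...]


class GroupLookupError(Exception):
    """The IAM group query failed; the caller should reject the request."""


def build_client_data(
    claims: Mapping[str, object],
    iam_group_lookup: Optional[Callable[[str], Iterable[str]]] = None,
    query_groups: bool = False,  # hypothetical feature flag
) -> ClientData:
    """Build ClientData from ID-token claims that were ALREADY verified
    (signature, issuer, audience, expiry). Only the subject of a verified
    token is ever sent to the IAM lookup."""
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        raise ValueError("verified token carries no usable 'sub' claim")
    name = claims.get("name")
    if not isinstance(name, str) or not name:
        name = sub
    raw = claims.get("groups")  # non-standard claim; the name is an assumption
    if raw is not None:
        if not isinstance(raw, (list, tuple)) or not all(isinstance(g, str) for g in raw):
            raise ValueError("malformed 'groups' claim")
        return ClientData(sub, name, tuple(sorted(set(raw))))
    if not query_groups or iam_group_lookup is None:
        return ClientData(sub, name, ())  # no groups means no group-based access
    try:
        fetched = list(iam_group_lookup(sub))
    except Exception as exc:  # fail closed instead of guessing membership
        raise GroupLookupError(f"group query failed for {sub!r}") from exc
    return ClientData(sub, name, tuple(sorted(set(fetched))))


# Constructed sample data standing in for an IAM directory.
SAMPLE_DIRECTORY = {"u-42": ["ops", "admins"]}

if __name__ == "__main__":
    token_claims = {"sub": "u-42", "name": "Alice Example"}  # no groups claim
    print(build_client_data(token_claims, SAMPLE_DIRECTORY.__getitem__, query_groups=True))
```

A failed lookup raises instead of returning an empty or cached group list, so an IAM outage cannot silently change what a user is authorized to do.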