How can I properly integrate this with user groups? #47

Open
pablote opened this issue May 17, 2022 · 1 comment
Labels
bug Something isn't working


pablote commented May 17, 2022

Describe the bug?

I need to receive groups information for the authenticated user. Based on the docs I added the groups scope on the ExpressOIDC initialization, and by doing this I'm receiving a list of groups the authenticated user belongs to.

The problem is, any change done in Okta, whether removing or adding a group to a user, has no impact on the list of groups I get on the user I get from the middleware; it's like it's stuck on whatever groups it had the moment it logged in.

What would be the right way to get an up-to-date list of groups an authenticated user belongs to? Is this something I can do at the application level, or must it be supported within this lib?

What is expected to happen?

req.userContext.groups contains an up to date list of user's groups when a new request comes in

What is the actual behavior?

req.userContext.groups is stuck at whatever groups the user had the moment it logged in

Reproduction Steps?

Just add the groups scope to the ExpressOIDC constructor on the scope property.

SDK Versions

@okta/oidc-middleware: 4.5.1

Execution Environment

NodeJs v14. MacOS 12 for development, node:14-alpine docker image for deployed environments.

Additional Information?

No response

pablote added the bug label May 17, 2022
Contributor

denysoblohin-okta commented May 17, 2022

req.userContext returns claims inside the ID token.
If groups are changed after obtaining the token, you need to use an API call like /v1/userinfo.
You can use okta-auth-js for this, as it works in a Node.js environment.
Example:

```js
const { OktaAuth } = require('@okta/okta-auth-js');

// Create the client once; replace the <...> placeholders with your org's values.
const authClient = new OktaAuth({
  url: 'https://<your org>.okta.com',
  scopes: ['openid', 'email', 'groups', 'profile'],
  issuer: 'https://<your org>.okta.com/oauth2/default',
  clientId: '<client_id>',
  clientSecret: '<client_secret>',
});

// Call from an async request handler: fetches the current claims from
// /v1/userinfo instead of reading the claims captured in the ID token at login.
async function logCurrentGroups(req) {
  const userinfo = await authClient.token.getUserInfo(
    {
      accessToken: req.userContext.tokens.access_token,
      userinfoUrl: 'https://<your org>.okta.com/oauth2/default/v1/userinfo'
    }, {
      idToken: req.userContext.tokens.id_token,
      claims: req.userContext.userinfo
    }
  );
  console.log(userinfo.groups);
}
```
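The stale-claims behaviour discussed in this thread matters most when group membership gates authorization, because a user removed from a group in Okta keeps the old access until the session ends. The middleware below is an added example, not part of the original thread or of the Okta SDK: it refreshes groups per request with a short cache and fails closed when the refresh fails. `freshGroups`, `requireGroup`, `req.currentGroups` and the injected `fetchUserInfo(accessToken)` are hypothetical names, and it assumes `req.userContext.userinfo.sub` holds the ID token subject.

```javascript
// Added example. fetchUserInfo is an assumed async function (accessToken) => claims,
// for instance a thin wrapper around the /v1/userinfo call shown in the comment above.
function freshGroups({ fetchUserInfo, ttlMs = 60000, now = Date.now }) {
  const cache = new Map(); // sub -> { groups, expires }

  return async function (req, res, next) {
    const ctx = req.userContext;
    if (!ctx || !ctx.tokens || !ctx.userinfo) return res.status(401).end();

    const sub = ctx.userinfo.sub;
    let entry = cache.get(sub);
    if (!entry || entry.expires <= now()) {
      try {
        const info = await fetchUserInfo(ctx.tokens.access_token);
        // OIDC Core 5.3.2: the UserInfo sub must match the ID token sub.
        if (info.sub !== sub) throw new Error('userinfo sub mismatch');
        entry = {
          groups: Array.isArray(info.groups) ? info.groups : [],
          expires: now() + ttlMs,
        };
        cache.set(sub, entry);
      } catch (err) {
        // Fail closed: never fall back to the login-time groups in the session.
        cache.delete(sub);
        return res.status(403).end();
      }
    }
    req.currentGroups = entry.groups;
    next();
  };
}

// Authorize on the refreshed list, not on the claims stored at login.
function requireGroup(name) {
  return (req, res, next) =>
    (req.currentGroups || []).includes(name) ? next() : res.status(403).end();
}
```

`ttlMs` bounds how long a removed group can still grant access; set it to 0 to query the userinfo endpoint on every request.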
