When using pac4j with OIDC, I am able to see groups and/or roles in the log:

2022-09-24 10:25:06,600 DEBUG filter.Pac4jIdentityAdapter
(Pac4jIdentityAdapter.java:doFilter(92)) - User authenticated as:
#OidcProfile# | id: [REDACTED] | attributes: {sub=[REDACTED],
amr=["pwd"], roles=["My role"],
iss=https://sts.windows.net/[REDACTED]/, oid=[REDACTED],
preferred_username=[REDACTED], tid=[REDACTED], ipaddr=[REDACTED],
exp=Sat Sep 24 11:25:05 CEST 2022, iat=Sat Sep 24 10:20:05 CEST 2022,
email=[REDACTED], ver=1.0, groups=["[\"group1\",\"group2\"]"],
uti=[REDACTED], given_name=[REDACTED], token_expiration_advance=-1,
aud=[[REDACTED]], unique_name=[REDACTED], nbf=Sat Sep 24 10:20:05 CEST
2022, idp=live.com, rh=[REDACTED], name=[REDACTED], expiration=Sat Sep
24 11:25:04 CEST 2022, family_name=[REDACTED]} | roles: [] |
permissions: [] | isRemembered: false | clientName: OidcClient |
linkedId: null |

In the above, notice that the middle part contains values for "roles"
and "groups".

Now, neither of those is written into the JWT (hadoop-jwt) cookie.

The JWT payload:

{
  "sub": "[REDACTED]",
  "kid": "[REDACTED]",
  "iss": "KNOXSSO",
  "exp": 1664094307,
  "managed.token": "false",
  "knox.id": "[REDACTED]"
}

This happens even though I have:

pac4j.session.store.exclude.groups=false
pac4j.session.store.exclude.roles=false

Are groups and/or roles not supposed to be written into the JWT with
these settings?

Cheers
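A small inspection script for exactly this situation (added here as an illustration, not code from pac4j or Knox): it decodes the payload of a hadoop-jwt style cookie without verifying the signature, reports which of the expected authorization claims are absent, and unwraps the doubly serialized form in which the log above shows "groups" (a JSON array stored as a string inside a one-element list). The token, its claim values and the placeholder signature are constructed for the example.

```python
import base64
import json

# Constructed sample payload mirroring the cookie shown in the post; the
# identity values are placeholders, and the signature is never verified here.
SAMPLE_PAYLOAD = {
    "sub": "user@example.org",
    "kid": "example-kid",
    "iss": "KNOXSSO",
    "exp": 1664094307,
    "managed.token": "false",
    "knox.id": "example-id",
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_sample_token(payload: dict) -> str:
    """Build a compact JWS-shaped token with a placeholder signature (test input only)."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()),
                     _b64url(b"placeholder-signature")])

def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. No signature check: inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    return json.loads(_b64url_decode(parts[1]))

def normalize_list_claim(value) -> list:
    """Unwrap a claim logged as ["[\"group1\",\"group2\"]"] into ["group1", "group2"]."""
    items = [value] if isinstance(value, str) else list(value or [])
    out = []
    for item in items:
        if isinstance(item, str) and item.startswith("["):
            try:
                out.extend(json.loads(item))  # nested JSON array as a string
                continue
            except ValueError:
                pass  # a plain name that merely starts with "["
        out.append(item)
    return out

def missing_authz_claims(token: str, wanted=("groups", "roles")) -> list:
    """List the expected authorization claims the cookie does not carry."""
    claims = jwt_claims(token)
    return [name for name in wanted if name not in claims]
```

Run against the real cookie value, missing_authz_claims reports ["groups", "roles"] for a payload like the one above, which confirms the claims were dropped before the cookie was minted rather than merely hidden in the log.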
