OpenID Connect Support
The Argus Identity Provider supports OpenID Connect, allowing integration with most standard OpenID-supporting clients.
By integrating using OpenID Connect, the 3rd party application can:
- authenticate users from Argus
- get information about the current user from Argus (such as name, email, phone, user image)
- fetch the user's group membership
- receive custom claims (which are supported by Argus)
Enabling OpenID Connect
To enable OpenID Connect, the client must add scope=openid to the authorization request.
Example:
https://portal.mnemonic.no/spa/authentication/oauth/authorize?client_id=021269c5-04c3-4399-a206-32659c489803&redirect_uri=https://my.application/oauth/callback&response_type=code&scope=openid
The client can request additional scopes supported by Argus to add more claims to the ID token. Scopes should be listed as a space-delimited list of scope names.
Example plain text scopes:
openid groups profile
Example URI-encoded scopes:
openid%20groups%20profile
Valid scopes in Argus
groups: adds a claim "groups" which contains a JSON array of group shortnames:
"groups": [
    "mygroup1",
    "mygroup2"
]
groupstring: adds a claim "groupstring" with a string-encoded JSON array of group shortnames (which is required by some OpenID clients):
"groupstring": "[\"mygroup1\",\"mygroup2\"]"
Note
The groups and groupstring claims are deprecated, as the groups to expose to 3rd party clients need custom configuration to control which groups are exposed. See Custom OpenID Claims below.
customer: adds three claims with information about the domain and customer which the identified user is assigned to:
Note
This does not provide any information about the permissions granted to this user.
"customer_id": 1,
"domain_id": 1,
"customer_shortname": "mycustomer",
"customer_name": "My Customer"
email: adds a claim "email":
"email": "user@domain.com"
profile: adds claims for username, name and picture URI:
"username": "myusername",
"name": "My Users Name",
"picture": "https://api.mnemonic.no/users/v2/user/1000/picture"
clientip: adds a claim "client_ip" which contains the IP address this user session is bound to (which may be used to verify that requests are indeed coming from this IP).
Note
This is the IP address as seen by Argus, so it will not show a user's private IP inside a NATed network or behind a proxy.
"client_ip": "94.127.56.1"
Custom OpenID Claims
Argus supports a set of custom claim providers, which can be configured when setting up the client, to provide specific claim mappings.
User Groups Claim
This provider generates a claim "groups" containing the shortnames of those groups, out of a configured list of allowed groups, which the user is a member of. This allows the client to be configured to only expose a certain set of groups.
The "stringified" option makes the provider return a "stringified" claim, i.e. a JSON string containing a JSON array, which some OpenID clients require. The default is a list claim with each group shortname as a list item.
To configure this provider, use the following configuration format:
{
    "openIDCustomClaims": [
        {
            "provider": "userGroups",
            "configuration": {
                "stringified": false,
                "allowedGroups": ["group1", "group2"]
            }
        }
    ]
}
With the above configuration, if the current user is a member of "group1" (but not "group2"), it would produce the following claim:
"groups": ["group1"]
Note
This provider should be used to replace the "groups" or "groupstring" scope.
Function Role Mapping Claim
This provider generates a custom claim containing a list of "roles", where each role is mapped to an Argus function. Of the configured roles, the claim is populated only with those whose function the user is granted. If the OAuth client is defined for a specific customer, the function must be granted for that customer.
Example:
We want to map the functions argusFunction1 and argusFunction2 for the client's customer to the roles customRole1 and customRole2.
- If the user has permission to argusFunction1 for the client's customer, the provider would create the claim "TheCustomClaimName": ["customRole1"]
- If the user has permission to argusFunction2 for the client's customer, the provider would create the claim "TheCustomClaimName": ["customRole2"]
- If the user has permission to both argusFunction1 and argusFunction2 for the client's customer, the provider would create the claim "TheCustomClaimName": ["customRole1", "customRole2"]
To configure this provider, use the following configuration format:
{
    "openIDCustomClaims": [
        {
            "provider": "functionRoleMapping",
            "configuration": {
                "claimName": "TheCustomClaimName",
                "roleMapping": {
                    "argusFunction1": "customRole1",
                    "argusFunction2": "customRole2"
                }
            }
        }
    ]
}
With the above configuration, for a user granted both functions for the client's customer, the provider would create the claim:
"TheCustomClaimName": ["customRole1", "customRole2"]
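The following is an added example, not code from Argus or mnemonic, that models how the two custom claim providers above (User Groups Claim and Function Role Mapping Claim) turn the documented configuration format into claims, plus a relying-party helper that accepts both the list and the stringified "groups" form. It assumes the output order of the groups claim follows allowedGroups, and the function and group names used are the constructed ones from this page.

```python
import json

# Constructed example client configuration combining both providers on this page.
CLIENT_CONFIG = {
    "openIDCustomClaims": [
        {"provider": "userGroups",
         "configuration": {"stringified": False,
                           "allowedGroups": ["group1", "group2"]}},
        {"provider": "functionRoleMapping",
         "configuration": {"claimName": "TheCustomClaimName",
                           "roleMapping": {"argusFunction1": "customRole1",
                                           "argusFunction2": "customRole2"}}},
    ]
}

def user_groups_claim(cfg, user_groups):
    """userGroups provider: expose only allow-listed groups the user is in
    (output order follows allowedGroups, an assumption not stated on the page)."""
    exposed = [g for g in cfg["allowedGroups"] if g in user_groups]
    if cfg.get("stringified", False):  # JSON string holding the array
        return {"groups": json.dumps(exposed, separators=(",", ":"))}
    return {"groups": exposed}

def function_role_claim(cfg, granted_functions):
    """functionRoleMapping provider: a role appears only when the user is
    granted the Argus function it maps to (for the client's customer)."""
    roles = [role for fn, role in cfg["roleMapping"].items() if fn in granted_functions]
    return {cfg["claimName"]: roles}

def build_custom_claims(client_config, user_groups, granted_functions):
    """Run every configured provider and merge their claims into one dict."""
    claims = {}
    for entry in client_config["openIDCustomClaims"]:
        provider, cfg = entry["provider"], entry["configuration"]
        if provider == "userGroups":
            claims.update(user_groups_claim(cfg, user_groups))
        elif provider == "functionRoleMapping":
            claims.update(function_role_claim(cfg, granted_functions))
        else:
            raise ValueError(f"unknown custom claim provider: {provider}")
    return claims

def groups_from_claims(claims):
    """Relying-party side: accept the list form or the stringified form."""
    value = claims.get("groups", [])
    if isinstance(value, str):
        value = json.loads(value)
    if not isinstance(value, list) or not all(isinstance(g, str) for g in value):
        raise ValueError("groups claim is not a JSON array of strings")
    return value
```

A user who is in group1 and in a group that is not on the allow list, and who is granted only argusFunction1, receives {"groups": ["group1"], "TheCustomClaimName": ["customRole1"]}: groups outside allowedGroups never reach the client.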