Alternative roles field

[jasonpincin]

It would be awesome if we could specify an alternative roles field. Some oauth2 providers do not allow roles to be set, but rather insist on name-spacing the roles field (looking at you Auth0). Perhaps in the UI, within the Adjustments section, similar to how you have an Alternative id key field, there could be an Alternative roles key field? Or even just a Roles namespace,

As a concrete example, the userinfo endpoint for our implementation returns a payload that contains the following:

{ 
  ...
  email_verified: true,
  'https://ourdomain.gg/roles': [ 'Group1 Member', 'Group2 Member' ]
}

[julianlam]

Yep this is fine, will add.

[julianlam]

While I have you, is the roles parameter name returned in the discovery endpoint?

https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata

Cursory review says no 😞

[jasonpincin]

No; it can only be done with a custom claim in Auth0 (via an "Action"). There's no way for it to know and advertise it via the discovery endpoint (that I know of).

[VictorElHajj]

Authentikat for example returns "groups" instead of roles.

[digital-pet]

Authentikat for example returns "groups" instead of roles.

So does allianceauth-oidc-provider