Filter OIDC managed groups

This page describes how to use filters with OIDC managed groups. It assumes that the reader is familiar with the general filter syntax as well as with OpenID Connect.

Note: This feature was introduced in Boundary 0.3.0.

Currently, two blocks of data are available for these filters:

/token/<claims> contains claims from the JWT returned by the OIDC Identity Provider (IdP). For example, /token/sub is the "sub" claim from the token.
/userinfo/<claims> contains claims from the UserInfo endpoint.

Examples

As the content of these claims is specific to the given IdP (other than those claims mandated by the OIDC specification), no specific syntax can be conveyed, but some examples are given below using contrived sets of claims.

Given the example claims below:

Example JWT claims:

{
  "iss": "https://server.example.com",
  "sub": "24400320",
  "aud": "s6BhdRkqt3",
  "nonce": "n-0S6_WzA2Mj",
  "exp": 1311281970,
  "iat": 1311280970,
  "auth_time": 1311280969,
  "custom": {
    "department": "infosec"
  }
}

Example UserInfo claims:

{
  "roles": ["user", "operator"],
  "sub": "alice@example.com",
  "email": "rabbithole@example.com",
  "name": "Alice of Wonderland"
}

Following are some examples of using these values in filters:

"operator" in "/userinfo/roles" would match users (like Alice) that have "operator" in the roles returned in the UserInfo reply.
"/token/custom/department" == "infosec" or "/token/custom/department" == "ops" would match users (like Alice) that are either in the ops or infosec departments.