Retrieve roles and scopes

Retrieve the OpenID Connect/OAuth2 Single sign-on (SSO) roles and scopes in your Genero application.

The Genero OpenIDConnect service creates an environment variable called OIDC_SCOPES (OIDC stands for OpenID Connect) containing the list of roles and scopes provided by the identity provider.

A role is the mechanism in OAuth 2.0 that determines who can access the application, and scopes can determine the level of access to a resource based on the functionality or security needed. For example, a scope may allow the application to read but not write data on behalf of the user.

Roles and scopes are available after the user has been successfully authenticated, and can be retrieved in the application.

The identity provider may deliver the roles and scopes in the id token, in the access token, or in both. By default, the OpenIDConnect service decodes only the id token; the access token is not decoded. To make sure that all roles and scopes are retrieved, you must also enable decoding of the access token:
  • Open the configuration file $FGLDIR/web_utilities/services/openid-connect/res/configuration.
  • Locate the entry oidc.accesstoken.decode and set its value to "true" (the default is false).
The OpenIDConnect service then merges the roles and scopes found in the id token with those found in the access token; duplicates are ignored.

On the application side, the list of roles and scopes is read from the OIDC_SCOPES environment variable with the fgl_getenv() built-in function:

To retrieve the list of roles and scopes, add this code to your Genero application:
DEFINE scopes STRING
LET scopes = fgl_getenv("OIDC_SCOPES")
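The following is an added example, not code from the page or from the Genero product: it reads OIDC_SCOPES, splits it into individual entries, and gates a feature on the presence of a required entry, so that a missing or empty variable results in access being refused rather than silently granted. It assumes that the entries in OIDC_SCOPES are separated by a single space (the page does not state the delimiter; adjust it to match what your identity provider and service produce) and uses "admin" as a hypothetical role name.

```4gl
-- Added example (not part of the page): authorization check driven by OIDC_SCOPES.
-- Assumption: entries are separated by a space; change the delimiter if needed.
-- "admin" is a hypothetical role name used for illustration.

MAIN
    DEFINE granted DYNAMIC ARRAY OF STRING
    DEFINE count INTEGER

    CALL load_oidc_scopes(granted) RETURNING count

    -- Fail closed: nothing delivered means no authorization decision can be made.
    IF count == 0 THEN
        DISPLAY "No roles or scopes available in OIDC_SCOPES; denying access."
        EXIT PROGRAM 1
    END IF

    IF has_scope(granted, "admin") THEN
        DISPLAY "admin role present: administration functions enabled"
    ELSE
        DISPLAY "admin role absent: administration functions hidden"
    END IF
END MAIN

-- Fills the array passed by reference with the entries of OIDC_SCOPES
-- and returns the number of entries. fgl_getenv() returns NULL when the
-- variable is unset, which yields an empty array.
FUNCTION load_oidc_scopes(list)
    DEFINE list DYNAMIC ARRAY OF STRING
    DEFINE raw STRING
    DEFINE tok base.StringTokenizer

    CALL list.clear()
    LET raw = fgl_getenv("OIDC_SCOPES")
    IF raw IS NULL OR raw.trim().getLength() == 0 THEN
        RETURN 0
    END IF

    -- Assumed delimiter: a single space between entries.
    LET tok = base.StringTokenizer.create(raw.trim(), " ")
    WHILE tok.hasMoreTokens()
        LET list[list.getLength() + 1] = tok.nextToken()
    END WHILE
    RETURN list.getLength()
END FUNCTION

-- Exact, case-sensitive match on whole entries. Substring matching would
-- let an entry such as "reader" satisfy a check for "read".
FUNCTION has_scope(list, wanted)
    DEFINE list DYNAMIC ARRAY OF STRING
    DEFINE wanted STRING
    DEFINE i INTEGER

    FOR i = 1 TO list.getLength()
        IF list[i] == wanted THEN
            RETURN TRUE
        END IF
    END FOR
    RETURN FALSE
END FUNCTION
```

The check is performed once at startup here; in a real program the same has_scope() test belongs in front of each privileged action, because the environment variable reflects what the identity provider granted at login and the application must enforce it itself.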