Get scopes context from property mappings.

[marcportabellaclotet-mt]

Here’s a rephrased version:

I am configuring custom scopes in my OIDC application (HashiCorp Vault) to filter which groups are returned. These custom scopes replace the default profile scope. I want to apply an additional filter on the groups returned, based on these custom scopes.

For example, if I define a custom scope called role:administrator, I want the groups returned to only include the "administrator" group, provided the user is a member of it.

In the scope mappings under property mappings, I haven't found a way to access context.scopes values, which are visible in the application's authorized context. Is there a way to retrieve these values within the scope mapping?

Here’s my current scope mapping configuration.

groups = [group.name for group in request.user.ak_groups.filter(attributes__app='vault')]

return {
    "name": request.user.name,
    "given_name": request.user.name,
    "preferred_username": request.user.username,
    "nickname": request.user.username,
    "groups": groups,  
}

My ultimate goal is to return only the groups that correspond to the role selected in Vault.
There may be alternative approaches to achieve this. I have successfully managed it with Keycloak and Auth0.
Any assistance would be greatly appreciated.

[marcportabellaclotet-mt]

I am able to get the scopes list in the application expression policy:

scopeList=request.http_request.GET.get('scope', '')

Now I need that this value is available in the property mapping (scope mapping) to apply some filter logic.

I am able to pass via ugly workarounds, but it would be nice to have a easier way to pass these or other values. Something similar to flows, where infomation can be passed through stages,