How to specify UI claims in OIDC setup?

Hello, I am finally getting around to trying out the OIDC UI claims functionality you added:

However I then realised I had no idea how to specify the target schema or site area to hide! Is that UI object containing all these settings visible from dev tools anywhere? Most information I could see was in local storage.

If I look at the elements on the Roles page I can see the values are like the following examples:
ui.schemas.hide
image

schema_change-control
image

So are those the values of the claims I should be providing to hide things?

I also according to SquidexClaimsExtensions.GetUIProperties need to provide the following claim type when providing those claim values:
urn:squidex:custom:(my App name)

So in summary I should be adding claims when logging in using code like:
identity.AddClaim("urn:squidex:custom:(my App name)", "ui.schemas.hide", Destinations.IdentityToken);

These are the properties that the UI uses:

1 Like

Ah! Perfect, thanks!

Hello, sorry still struggling with this!

We have tried various different syntaxes but nothing is working so I feel like we are
missing something.

The Claim name we are using (ensuring it is a match for UI properties pattern defined in SquidexClaimsExtensions.GetUIProperties is:
urn:squidex:custom:ourappname

And our OpenIdDict configuration is specifying that as a Claim type we want to persist (originally did not have this so is not working with or without this change, am unsure about it):

"Claims": [
    "email",
    "name",
    "subject",
    "urn:squidex:permissions",
    "urn:squidex:custom:ourappname"
]

We then have tried the following Claim values and none are taking effect (we are deleting the user and clearing cookies before logging in again):

squidex.apps.ourappname.ui.api.hide
squidex.apps.ourappname.ui.contents.ourschemaname.hide
ui.api.hide
ui.contents.ourschemaname.hide

Does anything look obviously wrong here or is there perhaps another bit of configuration for new claim type we might be missing? Apologies if there is documentation covering this, I couldn’t find any so am just basing it on what colleagues previously did for adding the urn:squidex:permissions claim type.

I think you have to add each concrete key as a claim. Obviously this sucks. Perhaps we should make a simpler approach:

We could say, that the the claim key is just urn:squidex:custom and the values are in the following format:

app:outappname,key:foobar,value:123123

or just

outappname,foobar,123123123

because it is easier to parse.

1 Like

What do you think about that?

Oh I think I see, as in the value needs to be true or false for these UI claims so at the moment the name/type should be the full urn:squidex:custom:ourappname:ui:api:hide?

Or is it using periods for the final bit so urn:squidex:custom:ourappname:ui.api.hide? Cannot see anything that changes colons to periods when setting the AppDto.RoleProperties but perhaps there is some mapping happening before Angular gets a hold of it?

Anyway as you can tell I would be very happy to see a simpler and more streamlined way of setting this as we have users where we hide around 10 schemas (and counting!) along with some of the general site areas.

1 Like

The problem is that that the key is part of the claim name. Therefore we you have to add each claim that you want to support to the config (e.g. your scope). Which obviously does not make that much sense, right?

We could also use another deliminator, e.g. “|”, or we just use json strings.

so either:

urn:squidex:custom=ourappname|foobar|true

or

rn:squidex:custom={ "app": "ourappname", "key": "foobar", "value": true }

I have pushed an update. The syntax is now:

urn:squidex:ui=ourappname,key=value
1 Like

If you can test that today or tomorrow, I can add that to a 7.4 or make some changes if needed. Otherwise I am just going to release new version.

Sorry forgot to update, I am trying to test it out atm but still having issues; getting the feeling I am missing some vital change from the configuration which likely isn’t directly Squidex related so feel free to not answer but I would be incredible grateful if you did! This is very much a learning experience for me so will be doing a fair bit more reading around it.

Claims are being added as follows:

Claim name Claim value
auth_time 1675255036
sub [redacted]
name [redacted]
email [redacted]
role OurCustomRole
urn:squidex:permissions squidex.apps.ourappname.assets
urn:squidex:permissions squidex.apps.ourappname.contents
urn:squidex:permissions squidex.apps.ourappname.contributors
urn:squidex:permissions squidex.apps.ourappname.roles
urn:squidex:permissions squidex.apps.ourappname.rules
urn:squidex:permissions squidex.apps.ourappname.schemas
urn:squidex:permissions squidex.apps.ourappname.workflows
urn:squidex:permissions squidex.apps.ourappname.clients
urn:squidex:permissions squidex.apps.ourappname.languages.read
urn:squidex:permissions squidex.apps.ourappname.usage
urn:squidex:permissions squidex.apps.ourappname.history
urn:squidex:ui ourappname,ui.api.hide=true
urn:squidex:ui ourappname,ui.contents.ourschemaname.hide=true

However it does not seem to be impacting Squidex at all. I have added urn:squidex:ui to our OpenIdDict configuration:

"Claims": [
  "email",
  "name",
  "subject",
  "urn:squidex:permissions",
  "urn:squidex:ui"
],
"Scopes": [
  "openid",
  "profile",
  "email",
  "api"
]

And in the Squidex configuration we just have:

"oidcScopes": [
  "email",
  "api"
]

Are you talking about a new user or an existing user? Because usually the claims are only synced on the first login.

But there was a pull request for that: https://github.com/Squidex/squidex/pull/964

Yes I do have that change enabled, but to avoid doubt I have been testing this by deleting the user from the site and recreating them entirely by logging back in.

1 Like