How to specify UI claims in OIDC setup?

Hello, I am finally getting around to trying out the OIDC UI claims functionality you added:

However I then realised I had no idea how to specify the target schema or site area to hide! Is that UI object containing all these settings visible from dev tools anywhere? Most information I could see was in local storage.

If I look at the elements on the Roles page I can see the values are like the following examples:
ui.schemas.hide

schema_change-control

So are those the values of the claims I should be providing to hide things?

I also according to SquidexClaimsExtensions.GetUIProperties need to provide the following claim type when providing those claim values:
urn:squidex:custom:(my App name)

So in summary I should be adding claims when logging in using code like:
identity.AddClaim("urn:squidex:custom:(my App name)", "ui.schemas.hide", Destinations.IdentityToken);

These are the properties that the UI uses:

Ah! Perfect, thanks!

Hello, sorry still struggling with this!

We have tried various different syntaxes but nothing is working so I feel like we are
missing something.

The Claim name we are using (ensuring it is a match for UI properties pattern defined in SquidexClaimsExtensions.GetUIProperties is:
urn:squidex:custom:ourappname

And our OpenIdDict configuration is specifying that as a Claim type we want to persist (originally did not have this so is not working with or without this change, am unsure about it):

"Claims": [
    "email",
    "name",
    "subject",
    "urn:squidex:permissions",
    "urn:squidex:custom:ourappname"
]

We then have tried the following Claim values and none are taking effect (we are deleting the user and clearing cookies before logging in again):

squidex.apps.ourappname.ui.api.hide
squidex.apps.ourappname.ui.contents.ourschemaname.hide
ui.api.hide
ui.contents.ourschemaname.hide

Does anything look obviously wrong here or is there perhaps another bit of configuration for new claim type we might be missing? Apologies if there is documentation covering this, I couldn’t find any so am just basing it on what colleagues previously did for adding the urn:squidex:permissions claim type.

I think you have to add each concrete key as a claim. Obviously this sucks. Perhaps we should make a simpler approach:

We could say, that the the claim key is just urn:squidex:custom and the values are in the following format:

app:outappname,key:foobar,value:123123

or just

outappname,foobar,123123123

because it is easier to parse.

What do you think about that?

Oh I think I see, as in the value needs to be true or false for these UI claims so at the moment the name/type should be the full urn:squidex:custom:ourappname:ui:api:hide?

Or is it using periods for the final bit so urn:squidex:custom:ourappname:ui.api.hide? Cannot see anything that changes colons to periods when setting the AppDto.RoleProperties but perhaps there is some mapping happening before Angular gets a hold of it?

Anyway as you can tell I would be very happy to see a simpler and more streamlined way of setting this as we have users where we hide around 10 schemas (and counting!) along with some of the general site areas.

The problem is that that the key is part of the claim name. Therefore we you have to add each claim that you want to support to the config (e.g. your scope). Which obviously does not make that much sense, right?

We could also use another deliminator, e.g. “|”, or we just use json strings.

so either:

urn:squidex:custom=ourappname|foobar|true

or

rn:squidex:custom={ "app": "ourappname", "key": "foobar", "value": true }

I have pushed an update. The syntax is now:

urn:squidex:ui=ourappname,key=value

If you can test that today or tomorrow, I can add that to a 7.4 or make some changes if needed. Otherwise I am just going to release new version.

Sorry forgot to update, I am trying to test it out atm but still having issues; getting the feeling I am missing some vital change from the configuration which likely isn’t directly Squidex related so feel free to not answer but I would be incredible grateful if you did! This is very much a learning experience for me so will be doing a fair bit more reading around it.

Claims are being added as follows:

However it does not seem to be impacting Squidex at all. I have added urn:squidex:ui to our OpenIdDict configuration:

"Claims": [
  "email",
  "name",
  "subject",
  "urn:squidex:permissions",
  "urn:squidex:ui"
],
"Scopes": [
  "openid",
  "profile",
  "email",
  "api"
]

And in the Squidex configuration we just have:

"oidcScopes": [
  "email",
  "api"
]

Are you talking about a new user or an existing user? Because usually the claims are only synced on the first login.

But there was a pull request for that: https://github.com/Squidex/squidex/pull/964

Yes I do have that change enabled, but to avoid doubt I have been testing this by deleting the user from the site and recreating them entirely by logging back in.

Have again had a chance to try this out, now on Squidex 7.5, but still not able to get this to work.

We have code that adds these (for clarity have just put in example values from our configuration but we are obviously looping through them usually):

if (ClaimParser.IsPermissionClaim(userPermission))
{
    identity.AddClaim("urn:squidex:permissions", "squidex.apps.corecms.assets", Destinations.IdentityToken);
}
else if (ClaimParser.IsUiClaim(userPermission))
{
    identity.AddClaim("urn:squidex:ui", "ourappname,ui.api.hide=true", Destinations.IdentityToken);
}

The permissions claims are being saved against the user as expected but the UI ones are not doing anything. As you can see from previous screenshots the claims are there, not seeing any logs stating what’s happening with the claims when logging in but I could be missing something?

I will try it out myself…

I think I have found the issue. The problem is that “true” is interpreted as a string because it is not parsed. And the UI needs a boolean. I have fixed that in the code and now it works.

Deployed latest master version and can confirm this is now working for me, thanks very much!