New in 1.13.0

Setting up Groups for Fine-Grained Page Visibility

When defining custom visibility categories, administrators can specify groups that are permitted to view specific content. Visibility categories are available with plans that include read permissions.

In the context of visibility, a group is a collection of users permitted to access specific content, e.g. partner companies or vendors allowed to contribute or update content or data in website areas reserved for them. Before groups can be referenced in custom visibility categories, however, they need to be set up in your IdP configuration, where they can then be assigned to users. Note that Scrivito treats group names purely as opaque identifiers; it attaches no meaning to them. Scrivito also does not evaluate implicit group assignments (memberships derived from rules in the IdP): only the groups listed explicitly in the ID token count, so such implicit assignments need to be made explicit there. Because matching is done on the name alone, group names must be spelled identically in the IdP and in the visibility categories.

When a user logs in to a Scrivito-based website, the IdP issues an OpenID Connect ID token (a signed JWT) that Scrivito uses to identify the user. If groups have been set up, the ID token carries a groups claim listing the groups assigned to the user. From those groups, Scrivito determines which visibility categories apply to the user and grants or denies access to a given page accordingly.

The payload of an ID token carrying a groups claim looks like this; the claim key is the namespaced name https://scrivito.com/groups, and Scrivito looks for exactly that key:

{
  "iss": "https://my.idp.com",
  "sub": "...",
  "aud": "...",
  "iat": ...,
  "exp": ...,
  "https://scrivito.com/groups": [
    "Partner Companies",
    "Vendors",
    ...
  ]
}

How to configure groups using Auth0

When you are using Auth0 to manage the identities of your users, there are several ways to assign groups to them. One is to use Auth0 roles to stand in for groups; another is to install the Authorization Extension, which provides actual groups but requires more setup. For simplicity, we show here how to populate the groups claim using the first method, i.e. by means of Auth0 roles. (Note that Auth0 has since deprecated Rules in favor of Actions; a post-login Action can add the same namespaced claim via api.idToken.setCustomClaim.) First, create the desired roles:

Note that group names must not start with an underscore character, as Scrivito reserves that prefix for internal use. After creating the roles, assign users to them (from the role's Users tab) or, vice versa, assign the roles to users (from the user's Roles tab).

Finally, create a rule (a JavaScript snippet that Auth0 runs during login) that adds the groups to the ID token. Create a rule based on the “Empty rule” template and enter the code below. The claim key must be namespaced (a URL such as https://scrivito.com/groups); Auth0 silently drops custom claims that are not.

function (user, context, callback) {
  // Auth0 populates context.authorization.roles with the names of the roles
  // assigned to the user. Fall back to an empty list so the claim is always
  // present, even for users without any role.
  const groups = (context.authorization && context.authorization.roles) || [];
  // The claim key must be namespaced, otherwise Auth0 drops it from the token.
  context.idToken['https://scrivito.com/groups'] = groups;
  callback(null, user, context);
}

To verify that the groups are included in the ID token, first log out from Scrivito (by removing all scrivito.com cookies), then log in again so that the IdP issues a fresh ID token; the token of your current session was issued before the rule existed and therefore lacks the claim. Now open a page protected by a visibility category that grants access to one of your groups and, as a counter-check, one whose category lists none of your groups: the first should be visible, the second should not.
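The following is an added example, not code from Scrivito or Auth0. It exercises both sides of the flow described on this page: the IdP side, where the Auth0 rule above copies the user's roles into the namespaced groups claim of the ID token, and the consuming side, where the claim is read out of the token and matched against the groups a visibility category permits. The fake login pipeline (issueIdToken), the placeholder signature, the "partner area" category and the sample users are all constructed for this example; signature verification is deliberately out of scope, since a real ID token is signed by the IdP and must be verified by the OIDC library before any of its claims are trusted.

```javascript
// Added example (not Scrivito's or Auth0's code): issue a groups claim the
// way the Auth0 rule does, then read it back and decide page visibility.
const GROUPS_CLAIM = "https://scrivito.com/groups";

// --- IdP side: the rule from this page as a named function, so it can be
// run offline with a fake context. Auth0 fills context.authorization.roles
// with the user's role names; a user without roles gets an empty array so
// the claim is always present.
function addGroupsRule(user, context, callback) {
  const roles = (context.authorization && context.authorization.roles) || [];
  context.idToken[GROUPS_CLAIM] = roles;
  callback(null, user, context);
}

// base64url helpers (RFC 7515 alphabet, no padding).
function b64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj))
    .toString("base64")
    .replace(/=+$/, "")
    .replace(/\+/g, "-")
    .replace(/\//g, "_");
}
function b64urlDecode(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Stand-in for the Auth0 login pipeline (an assumption of this example): run
// the rule over a fake context and serialise the claims as a compact JWT.
// The signature segment is a placeholder; a real consumer must never accept
// a token like this.
function issueIdToken(userId, roles) {
  const context = {
    authorization: { roles },
    idToken: {
      iss: "https://my.idp.com",
      sub: userId,
      aud: "scrivito-client",
      iat: 1700000000,
      exp: 1700003600,
    },
  };
  let claims;
  addGroupsRule({ user_id: userId }, context, (err, _user, ctx) => {
    if (err) throw err;
    claims = ctx.idToken;
  });
  return `${b64urlEncode({ alg: "RS256", typ: "JWT" })}.${b64urlEncode(claims)}.signature-placeholder`;
}

// --- Consuming side: decode the payload segment of a compact JWT.
function tokenClaims(idToken) {
  const parts = idToken.split(".");
  if (parts.length !== 3) throw new Error("not a compact-serialised JWT");
  return b64urlDecode(parts[1]);
}

// Read the groups claim. A missing or malformed claim yields no groups (deny
// by default). Names starting with "_" are reserved by Scrivito; dropping
// them here is this example's assumption about how a consumer should react.
function groupsFromClaims(claims) {
  const raw = claims[GROUPS_CLAIM];
  if (!Array.isArray(raw)) return [];
  return raw.filter((g) => typeof g === "string" && !g.startsWith("_"));
}

// A visibility category is modelled as the list of group names it permits
// (assumption). Matching is exact string comparison, which is why the names
// must be spelled identically in the IdP and in the category.
function mayView(categoryGroups, userGroups) {
  const permitted = new Set(categoryGroups);
  return userGroups.some((g) => permitted.has(g));
}

function canUserView(idToken, categoryGroups) {
  return mayView(categoryGroups, groupsFromClaims(tokenClaims(idToken)));
}

// Worked run with constructed users and a constructed "partner area"
// category that admits two groups.
const partnerArea = ["Partner Companies", "Vendors"];
const vendorToken = issueIdToken("auth0|vendor-1", ["Vendors", "_internal"]);
const staffToken = issueIdToken("auth0|staff-1", ["Staff"]);
const noRolesToken = issueIdToken("auth0|new-1", undefined);

for (const [who, token] of [["vendor", vendorToken], ["staff", staffToken], ["no roles", noRolesToken]]) {
  console.log(who, groupsFromClaims(tokenClaims(token)), canUserView(token, partnerArea));
}
```

Running the block prints the effective groups and the access decision for each constructed user: the vendor sees the partner area (the reserved "_internal" name is dropped), staff and the user without roles do not. Swapping the category's spelling to "vendors" makes the vendor's access fail, which is the consistency point the page makes about group names.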