This page describes how to use filters with OIDC managed groups. It assumes that the reader is familiar with the general filter syntax as well as with OpenID Connect.

»OIDC Managed Groups Filtering

Currently, two blocks of data are available for these filters:

  • /token/<claims> contains claims from the JWT returned by the OIDC Identity Provider (IdP). For example, /token/sub is the "sub" claim from the token.

  • /userinfo/<claims> contains claims from the UserInfo endpoint.


As the content of these claims is specific to the given IdP (other than those claims mandated by the OIDC specification), no specific syntax can be conveyed, but some examples are given below using contrived sets of claims.

Given the example claims below:

Example JWT claims:

  "iss": "",
  "sub": "24400320",
  "aud": "s6BhdRkqt3",
  "nonce": "n-0S6_WzA2Mj",
  "exp": 1311281970,
  "iat": 1311280970,
  "auth_time": 1311280969,
  "custom": {
    "department": "infosec"

Example UserInfo claims:

  "roles": ["user", "operator"],
  "sub": "",
  "email": "",
  "name": "Alice of Wonderland"

Following are some examples of using these values in filters: