User Groups Details
User Groups provide a mechanism to grant authorisation or access privileges to the users of your application. They help developers efficiently manage specific types of users and authorise them when they log in to the application.
Default User Groups
After you create the first Login Configuration in a project, the system automatically creates a default user group called all_users. Affinidi Login uses this group to automatically add every user who successfully logs in to your application. Through the all_users group, you have visibility of the DIDs of all users who have logged in to your application.
You cannot delete this default user group, nor remove the users it contains.
If you have multiple applications and want the all_users group to contain only the users of a specific application, create a separate project for each application.
Viewing Users in the Default User Group
There are two ways to view the list of users in the default group:
Go to the Affinidi Login page, click the Actions dropdown menu, then click the View all users option.
Using Affinidi CLI by running the following command:
affinidi login list-users-in-group --group-name="all_users"
How to Use User Groups
In this scenario, we want to ensure that only specific users can update records or access a particular resource. To do that, we create a User Group named user_group_update and assign users to it. Once a user successfully authenticates through Affinidi Login, the access_token issued to your application carries an additional scope (scp) for the user group. Affinidi Login only asserts the membership in the token; your application must evaluate this scope on each request before granting the corresponding privilege.
To assign users to User Groups, you need their Decentralised Identifier (DID), also referred to as the User ID. This identifier is bound to the user's Affinidi Vault at account registration. You can find the DID value in the user's profile in their Affinidi Vault, or in the all_users group of your project after the user has logged in to your application.
Getting User DID or User ID
To add a user to a User Group, you need their DID or User ID, the user's unique identifier in the application. You can obtain it in any of the following ways:
Manually from the Affinidi Vault user profile.
DID information is available within the Affinidi Vault’s Profile page, generated upon successful registration.
Using the default all_users group
Affinidi Login automatically adds the user to the all_users default group whenever they successfully log in to your application. You can view the list of DIDs in the all_users group from the Affinidi Login page or by running the CLI command:
affinidi login list-users-in-group --group-name=all_users
Switch to another project if you want to see the list of users for that project.
Programmatically with the idToken from Affinidi Login.
When a user logs in to your application through the Affinidi Login flow, the idToken returned by Affinidi Login contains the DID, which is also the user's sub claim. Based on your business logic, you can parse this value from the idToken and add the user to specific User Groups.
See the example below for how to extract the DID from the idToken:
// Decode the payload segment of the idToken sent by Affinidi Login to the callback URL.
// JWT segments are base64url-encoded; 'base64url' is the matching Node encoding.
// NOTE: this only decodes the claims. Verify the token's signature and issuer
// (https://<PROJECT_ID>.apse1.login.affinidi.io) before trusting sub or custom.
const idToken = JSON.parse(Buffer.from(context.id_token.split('.')[1], 'base64url').toString());
// get the DID of the user through the sub claim
const userSUB = idToken.sub;
// get the DID of the user from the custom property (an array of objects; pick the entry that carries did)
const userDID = idToken.custom.find(d => d.did).did;
When your application parses the idToken sent to the callback URL from Affinidi Login, you can use the code above to extract the user's sub or DID. The sub claim carries the user's DID, and the custom property contains the same DID. Because the token arrives through the callback URL, verify its signature and issuer before acting on either value.
See this guide to find out more about the idToken sent by Affinidi Login.
How to Create Groups and Add Users
You can create groups and add users to them in two ways: through Affinidi CLI or through Affinidi Portal.
After you add the user to the group, the JWT access_token generated when that user next authenticates through Affinidi Login looks like the following. The group membership appears in the scp array with a group- prefix (group-regular_user in this example):
{
"aud": [
"862a8a45-5f5e-4fb3-awed-00029e54e0ea"
],
"client_id": "<AUTH.CLIENT_ID>",
"exp": 1694513885,
"ext": {},
"iat": 1694506685,
"iss": "https://<PROJECT_ID>.apse1.login.affinidi.io",
"jti": "d87b1d8c-fa60-4977-b983-ceb5dba86a7f",
"nbf": 1694506685,
"scp": [
"openid",
"offline_access",
"group-regular_user"
],
"sub": "did:key..."
}
Depending on your requirements, your application can use this scope to grant or deny access accordingly. Check it server-side, and only after the token's signature, issuer (iss), audience (aud) and validity window (nbf, exp) have been verified; a scope read from an unverified token can be forged by the client.