Make OpenID implementation easily usable with other Identity Providers

The current OpenID implementation requires the Identity Provider to set a custom scope SIG/ALL. Custom scopes are not always available in Identity Providers (e.g. Dex does not support this easily). Also, scopes are normally used to limit access on a resource server, not for providing roles in a consuming application.

Maybe groups in ID tokens would be a better solution to the problem? It would be nice if mappings between groups and roles could easily be done from configuration settings:

```json
{
  "iss": "http://127.0.0.1:5556/dex",
  "sub": "CgcyMzQyNzQ5EgZnaXRodWI",
  "aud": "example-app",
  "exp": 1492882042,
  "iat": 1492795642,
  "at_hash": "bi96gOXZShvlWYtal9Eqiw",
  "email": "jane.doe@coreos.com",
  "email_verified": true,
  "groups": [
    "admins",
    "developers"
  ],
  "name": "Jane Doe"
}
```

See: https://github.com/dexidp/dex#id-tokens

It would be nice to also integrate Dex for testing purposes.

Edited by Bart Jeukendrup
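As an added example, not code from this issue or from the project it was filed against, the Python sketch below shows one way the configuration-driven group-to-role mapping proposed above could look. The claims are the Dex documentation sample quoted in the issue; the configuration keys (`issuer`, `client_id`, `groups_claim`, `group_role_mapping`, `require_verified_email`) and the role names are hypothetical. The sketch assumes the ID token's signature has already been verified by the OIDC client library, and only covers the claim checks and the mapping step that would follow it.

```python
import time

# Constructed sample claims, copied from the Dex ID-token example in the issue.
# Not a real token: the signature has been stripped and is not checked here.
SAMPLE_CLAIMS = {
    "iss": "http://127.0.0.1:5556/dex",
    "sub": "CgcyMzQyNzQ5EgZnaXRodWI",
    "aud": "example-app",
    "exp": 1492882042,
    "iat": 1492795642,
    "at_hash": "bi96gOXZShvlWYtal9Eqiw",
    "email": "jane.doe@coreos.com",
    "email_verified": True,
    "groups": ["admins", "developers"],
    "name": "Jane Doe",
}

# Hypothetical application configuration: which issuer and audience to accept,
# which claim carries the groups, and how groups map onto application roles.
# Groups that are not listed grant no role at all (default deny).
CONFIG = {
    "issuer": "http://127.0.0.1:5556/dex",
    "client_id": "example-app",
    "groups_claim": "groups",
    "group_role_mapping": {
        "admins": ["ADMIN", "USER"],
        "developers": ["USER"],
    },
    "require_verified_email": True,
}


class ClaimsError(ValueError):
    """Raised when the ID token claims are not acceptable for this application."""


def validate_claims(claims, config, now=None):
    """Check iss, aud, exp and (optionally) email_verified.

    Signature verification is assumed to have happened already in the OIDC
    library; without it none of these checks mean anything.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != config["issuer"]:
        raise ClaimsError("issuer mismatch")
    # Per OpenID Connect Core, aud may be a single string or a list of strings.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if config["client_id"] not in audiences:
        raise ClaimsError("token was not issued for this client")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ClaimsError("token expired or exp missing")
    if config.get("require_verified_email") and claims.get("email_verified") is not True:
        raise ClaimsError("email address not verified by the identity provider")


def roles_from_claims(claims, config, now=None):
    """Validate the claims, then map the groups claim onto application roles."""
    validate_claims(claims, config, now)
    groups = claims.get(config["groups_claim"], [])
    if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
        raise ClaimsError("groups claim must be a list of strings")
    mapping = config["group_role_mapping"]
    roles = set()
    for group in groups:
        roles.update(mapping.get(group, ()))  # unmapped group -> no roles
    return sorted(roles)


if __name__ == "__main__":
    # Evaluate the sample token at a time between its iat and exp.
    print(roles_from_claims(SAMPLE_CLAIMS, CONFIG, now=1492800000))
```

Keeping the mapping in configuration rather than in a custom scope means the Identity Provider only needs to emit a groups claim, and the application decides locally which groups carry which roles; a user whose groups are all unmapped simply ends up with no roles.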