PAS Plugin for OAuth2/Open Id Connect: How to handle user data?

I'm implementing a custom PAS Plugin providing authentication via Open Id Connect / OAuth2.

The result of the communication with the Identity provider (Azure Active Directure/AAD) amongst other things is a set of user data:

  • user id
  • fullname
  • email address

The fullname has to be rendered in the Plone default UI elements - e.g. in personal bar viewlet.
It seems, that the Plone default UI elements are using portal memership tool to provide that kind of user information.

I have two ways in mind to meet the requirement: 1. Standard Plone user object, 2. Member properties storage in plugin object:

  1. Standard Plone user object
    Provide a standard Plone user object correspondending to the user id given bei the identity provider.
    This could be done by adding a standard Plone user durin initial authentication in the PAS plugin.
    The PAS plugin should also ensure that the member data remains current - e.g. the fullname of the user is modified in active directory


  • user/member properties are availible in Plone default UI elements


  • using standard Plone user objects results in a mix of users inside of the Plone user management: users managed in Plone itself and users managed by the AAD
  • there is no requirement to login AAD users via Plone default login using a password, there is no requirement to manage member data of AAD users in Plone itself, so there is no further reason to havethat kind a 'full' representation of AAD user in the application
  1. Store member properties in plugin object
    Provide an OOBTree storage inside of the plugin object. User data are saved there during initial authentication.
    Implementation of IPropertiesPlugin provides user properties.


  • using a plugin storage is more lightweight then providing 'full' Plone user objects


  • i have to expand Plone default UI elements to use user properties stored in the plugin

My questions:

  • is there a way to use user properties stored in the plugin without customizing Plone UI elements?
  • is there a further solution, i'm not aware of?
  • are there some aspects of the 'Pros' and 'Cons' i'm not aware of?

Thank you!

Azure AD has solid SCIM provisioning of users and groups. With proper REST API endpoints for Plone, AAD could synchronize its users and groups into Plone users and groups. Plone user data requires password, but in SCIM endpoint could replace it with random gibberish. Password authentication can also be disabled, so that OIDC works for login into Plone.

We do have initial in-house SCIM implementation for Plone (the instance seems to have 8k SCIM-provisioned user accounts and 4k groups and working fine – only issues are ZMI views for source_users and source_groups not optimized to handle large amount of users or groups), but unfortunately testing with AAD and open sourcing is only planned well after summer due to other work. (The same for our in-house OIDC PAS plugin, unfortunately.)

Thank you for your hint on SCIM , very helpful.