Getting custom claims in OpenID Connect Access Tokens

This topic contains 16 replies, has 4 voices, and was last updated by Paul Haggerty 1 month, 3 weeks ago.

  • #21173
     Paul Haggerty 
    Participant

    Hi,

    I’m trying to get custom claims in OpenID Connect Access Tokens. I have the custom claims in the ID Token but I also need custom claims in the Access Token. Is this possible to do?

    Note: This has to be tokens through OpenID Connect token endpoint not through the REST Api.

    Thanks,
    Paul

    #21187
     grk 
    Participant

    Hi Paul,
    If you modify the default claims script OR create a custom claims script to return custom claims, you should be able to get those custom claims as OAuth2 scopes. Scopes cannot be returned in the access token as claims are returned in the ID Token. You need to call /oauth2/userinfo to get the scope values.

    Thanks,

    #21191
     Paul Haggerty 
    Participant

    Hi,

    I’m a little confused by your wording. It seems like you are using scopes and claims interchangeably. As far as my understanding goes, claims are attributes that are associated with the scope of access token. Anyway, I’m looking to get the “claims” into the access tokens the same that I’m getting in the ID Tokens.

    I know that the typical use case is that a client sends an access token to the server and the server would then query the userinfo endpoint to retrieve extra information about the user. However, the specifications that I’m trying to implement mandate that the access token already contain custom claims so that the server does not need to remotely lookup extra information. If I want to be compliant with the specification I need to have the access token contain the claims.

    So, my question: Is there any way that I can customize OpenAM (through configuration or code) to add custom claims into OpenId Connect Access tokens?

    By the way, I’m using OpenAM 13.5

    #21194
     handat 
    Participant

    There’s no interface for you to customize the access token unlike the groovy script for the ID token.

    #21195
     grk 
    Participant

    Hi Paul,
    Scopes and Claims are not exactly the same, but in plain OAuth2 you can use scope to get user attributes (claims) as well. You can pass scope=uid email. When you call /oauth2/userinfo, you will get uid and email in it.
    I think depending on the use case/grant flow you can pass READ or WRITE for scope or user attribute. This is my understanding.

    Since the ID Token is a JSON Web Token (JWT), you can attach claims to it. The Access Token is just an opaque string.

    Thanks,

    #21201
     Paul Haggerty 
    Participant

    @grk, in OpenAM 13.5 access tokens are like ID Tokens in that they are also JWTs. We are using stateless access tokens, which contain much of the same information as the ID Token. This is why I assumed that there would be some way of getting custom claims into the access token just like ID Tokens.

    Below are example access and ID tokens. You can see the custom claims mcptt_id and mcvideo_id in the ID token but not in the access token.

    access token:
    {
      "sub": "sip:mcpttuser1@ims.mnc014.mcc310.3gppnetwork.org",
      "auditTrackingId": "2ef2609f-383a45e2976cbdded7787329",
      "iss": "http://openam.example.com:8080/openam/oauth2",
      "tokenName": "access_token",
      "token_type": "Bearer",
      "authGrantId": "bd65691dce9b4443b5eb34f5460765ab",
      "aud": "mcclient",
      "nbf": 1520875919,
      "scope": [ "3gpp:mc:video_service", "openid", "3gpp:mc:ptt_service", "3gpp:mc:data_service" ],
      "realm": "/",
      "exp": 1520879519,
      "iat": 1520875919,
      "expires_in": 3600000,
      "jti": "4c4f7e7c-fb5e-49f0-98d4-9e28a9c6a02e"
    }

    ID token:
    {
      "at_hash": "iLrCllDeGu4ECA5_KSz08A",
      "mcptt_id": "sip:mcpttuser1@ims.mnc014.mcc310.3gppnetwork.org",
      "sub": "sip:mcpttuser1@ims.mnc014.mcc310.3gppnetwork.org",
      "auditTrackingId": "8bf00a97-59a5-4d7f-94fd-e2d032625c2c1654",
      "iss": "http://openam.example.com:8080/openam/oauth2",
      "tokenName": "id_token",
      "mcvideo_id": "sip:mcpttuser1@ims.mnc014.mcc310.3gppnetwork.org",
      "aud": "mcclient",
      "c_hash": "CnPzUEurqpVuYTAzk1H2YQ",
      "org.forgerock.openidconnect.ops": "e4ee401559134222b6142651e72e9ac5",
      "azp": "mcclient",
      "auth_time": 1520875915,
      "realm": "/",
      "exp": 1520879519,
      "tokenType": "JWTToken",
      "iat": 1520875919
    }

    Paul

    #21202
     Paul Haggerty 
    Participant

    There’s no interface for you to customize the access token unlike the groovy script for the ID token.

    Is there someone on this forum who works for ForgeRock who can verify this for OpenAM 13.5+

    @handat, I’d like to take your word for it but it’s too big of an issue for our project if this is not doable. We’ll have to find another ID management vendor to work with.

    #21229
     grk 
    Participant

    @paulhaggerty, I was thinking that you were using stateful tokens. I am not sure whether you tried it or not and whether you will consider this option, but there is a way you can return scope values as part of the access_token response (not part of the JWT token), as shown below, if you implement additionalDataToReturnFromTokenEndpoint() by writing a custom scope validator.

    In the example below, uid and email are returned in the response along with the access token:

    {"access_token":"eyAidHlwIjogIkpXVCIsICJhb…..","uid":"testuser","scope":"uid email","token_type":"Bearer","expires_in":3599,"email":"testuser@testdoaim.com"}

    If you want to try Option 2:
    Enable “claims_parameter_supported” on the OAuth2 provider service. This will let you append a “claims” query parameter to the authorize endpoint with a value in JSON format. This is returning whatever JSON string we pass for the “claims” parameter in the JWT access token. You may need to override gatherRequestedClaims() in the custom scope validator to populate claim values from the datastore.

    Thanks,

    #21236
     Paul Haggerty 
    Participant

    @grk, Thanks this sounds promising. I will give it a shot and report back.

    #21331
     Paul Haggerty 
    Participant

    @grk, I tried what you suggested by using the CustomScopeValidator to return additional information from the access token endpoint. I was able to return the claims that I wanted. Thanks for the suggestion! However as you suggested in your post the additional data is not part of the JWT access token itself. This still presents a problem for me. Is there any other way possible to modify the contents of the Access Token JWT? At this point, I don’t think it’s possible, but just wanted to see if you or anyone else has some ideas.

    Thanks,
    Paul
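The distinction Paul confirms above is the one a resource server lives with: with stateless tokens it is handed only the bearer JWT, so anything the token endpoint adds beside the JWT (the uid/email style fields of grk's Option 1) never reaches it. The following is an added example, not code from the thread or from OpenAM, showing what such a resource server would check: it validates a stateless JWT (algorithm pinned, signature, iss, aud, exp) and then requires the custom claims to be present inside the signed payload. The issuer, audience, subject and timestamps are taken from the tokens posted in the thread; the HMAC key, the NOW value, the sample token responses and the HS256 minting helper are constructed stand-ins (OpenAM's real signing is not modelled).

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key. A real resource server validates a stateless token
# with the provider's published signing key, not a shared secret like this.
DEMO_KEY = b"constructed-demo-hmac-key-not-for-production"

# Values taken from the tokens posted in the thread; NOW is constructed.
ISSUER = "http://openam.example.com:8080/openam/oauth2"
AUDIENCE = "mcclient"
SUBJECT = "sip:mcpttuser1@ims.mnc014.mcc310.3gppnetwork.org"
NOW = 1520875920
REQUIRED_CLAIMS = ("mcptt_id", "mcvideo_id")


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT from a claim set (stand-in for a stateless access token)."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token: str, key: bytes, issuer: str, audience: str, now: int) -> dict:
    """Return the claim set only if alg, signature, iss, aud and exp all check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT: expected three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    return claims


def missing_claims(claims: dict, required=REQUIRED_CLAIMS) -> list:
    return [name for name in required if name not in claims]


def authorize(token_response: dict, key: bytes = DEMO_KEY, issuer: str = ISSUER,
              audience: str = AUDIENCE, now: int = NOW) -> tuple:
    """Resource-server decision: only claims inside the signed JWT count.

    Extra fields in the token endpoint response envelope are ignored on
    purpose, because a bearer-token recipient never sees that envelope.
    """
    claims = verify_jwt(token_response["access_token"], key, issuer, audience, now)
    missing = missing_claims(claims)
    return (not missing, missing)


BASE_CLAIMS = {
    "sub": SUBJECT, "iss": ISSUER, "aud": AUDIENCE, "tokenName": "access_token",
    "token_type": "Bearer", "scope": ["openid", "3gpp:mc:ptt_service"],
    "nbf": 1520875919, "iat": 1520875919, "exp": 1520879519,
}

# Constructed Option 1 response: custom data only in the envelope, not in the JWT.
ENVELOPE_ONLY = {
    "access_token": make_jwt(BASE_CLAIMS, DEMO_KEY),
    "token_type": "Bearer", "expires_in": 3599,
    "mcptt_id": SUBJECT, "mcvideo_id": SUBJECT,
}

# Constructed response of the kind the thread asks for: claims inside the signed token.
IN_TOKEN = {
    "access_token": make_jwt({**BASE_CLAIMS, "mcptt_id": SUBJECT, "mcvideo_id": SUBJECT}, DEMO_KEY),
    "token_type": "Bearer", "expires_in": 3599,
}

if __name__ == "__main__":
    print("envelope only:", authorize(ENVELOPE_ONLY))
    print("claims in JWT:", authorize(IN_TOKEN))
```

Running the block shows the Option 1 response failing the required-claims check even though the fields are visibly in the envelope, while the token carrying the claims passes; the authorization decision is made entirely from the verified payload with no userinfo round trip.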

    #21347
     handat 
    Participant

    Have a look at this: https://bugster.forgerock.org/jira/browse/OPENAM-11445

    I looked at STS with a custom mapping class to add custom claims to generate a stateless access token. That works fine but I had to add custom headers too :(

    #21355
     Paul Haggerty 
    Participant

    @handat thanks for pointing out the Jira ticket. That is exactly what I need, especially the comment asking for a custom claims script for access tokens.

    You mentioned STS, I’m not sure what you are referring to here? Can you elaborate a bit?

    thanks

    #21362
     grk 
    Participant

    @paulhaggerty did you try the 2nd option i have provided earlier? Posting it again

    If you want to try Option 2:
    Enable “claims_parameter_supported” on the OAuth2 provider service. This will let you append a “claims” query parameter to the authorize endpoint with a value in JSON format. This is returning whatever JSON string we pass for the “claims” parameter in the JWT access token. You may need to override gatherRequestedClaims() in the custom scope validator to populate claim values from the datastore.

    Thanks,

    #21373
     Paul Haggerty 
    Participant

    @grk, I think the claims parameter is only used on the authorization endpoint. Is that right? I need this to work on the token endpoint request.

    #21383
     grk 
    Participant

    @paulhaggerty. Yes, you need to add the claims parameter to the authorization endpoint. Here is my earlier post:
    “Enable “claims_parameter_supported” on the OAuth2 provider service. This will let you append a “claims” query parameter to the authorize endpoint with a value in JSON format. This is returning whatever JSON string we pass for the “claims” parameter in the JWT access token. You may need to override gatherRequestedClaims() in the custom scope validator to populate claim values from the datastore.”

    Thanks,
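grk's Option 2 rests on the OpenID Connect `claims` request parameter, which is sent to the authorization endpoint as a JSON object with `id_token` and/or `userinfo` members whose keys are claim names and whose values are null or an object such as {"essential": true} (OpenID Connect Core, section 5.5). The following is an added example, not code from the thread or from OpenAM: the client side builds such an authorization request, and a hypothetical provider-side `parse_requested_claims()` shows the shape validation and allow-listing an override like gatherRequestedClaims() would want before copying requested names into a token, given the thread's remark that whatever JSON the client passes ends up in the JWT. The endpoint host is the one from the thread; the redirect URI, state, nonce, allow-list and the "phone_number" claim are constructed.

```python
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Host from the thread; the path is the standard OAuth2 authorize endpoint.
AUTHORIZE_ENDPOINT = "http://openam.example.com:8080/openam/oauth2/authorize"
# Only these two top-level members are defined for the 'claims' parameter.
ALLOWED_TOP_LEVEL = ("id_token", "userinfo")
# Hypothetical allow-list: claims the provider is willing to release from its datastore.
RELEASABLE_CLAIMS = frozenset({"mcptt_id", "mcvideo_id", "email"})


def build_claims_parameter(id_token_claims=(), essential=()) -> str:
    """Client side: produce the JSON value of the 'claims' request parameter."""
    members = {}
    for name in id_token_claims:
        members[name] = {"essential": True} if name in essential else None
    return json.dumps({"id_token": members}, separators=(",", ":"))


def build_authorize_url(client_id, redirect_uri, scope, state, nonce, claims_json) -> str:
    """Client side: authorization code request carrying the 'claims' parameter."""
    params = {
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": scope, "state": state, "nonce": nonce, "claims": claims_json,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def parse_requested_claims(raw_claims: str, releasable=RELEASABLE_CLAIMS) -> dict:
    """Provider side: validate an incoming 'claims' value and keep only allow-listed names.

    Returns {"id_token": [names], "userinfo": [names]} (members present only if sent)
    or raises ValueError. Hypothetical stand-in for the checks a custom
    gatherRequestedClaims() override would perform before populating a token.
    """
    try:
        parsed = json.loads(raw_claims)
    except json.JSONDecodeError as exc:
        raise ValueError("claims is not valid JSON") from exc
    if not isinstance(parsed, dict):
        raise ValueError("claims must be a JSON object")
    requested = {}
    for top, members in parsed.items():
        if top not in ALLOWED_TOP_LEVEL:
            raise ValueError("unexpected member %r in claims" % top)
        if not isinstance(members, dict):
            raise ValueError("%r must be a JSON object" % top)
        names = []
        for name, spec in members.items():
            if spec is not None and not isinstance(spec, dict):
                raise ValueError("claim %r must be null or an object" % name)
            if name in releasable:  # silently drop anything not allow-listed
                names.append(name)
        requested[top] = names
    return requested


def requested_claims_from_url(url: str) -> dict:
    """Provider side: pull the 'claims' parameter off an authorization request URL."""
    query = parse_qs(urlparse(url).query)
    if "claims" not in query:
        return {}
    return parse_requested_claims(query["claims"][0])


if __name__ == "__main__":
    claims_json = build_claims_parameter(["mcptt_id", "mcvideo_id", "phone_number"],
                                         essential=["mcptt_id"])
    url = build_authorize_url("mcclient", "https://client.example/cb",
                              "openid 3gpp:mc:ptt_service", "state-1", "nonce-1", claims_json)
    print(url)
    print(requested_claims_from_url(url))
```

The allow-list is the point of the provider-side half: the claims a client names in the request are a wish list, and the provider decides which of them it will actually populate from the datastore. A claims value that is not an object, or that carries members other than `id_token` and `userinfo`, is rejected rather than passed through.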
