By: Rui Engana Account Admin 25 Nov 2020 at 11:36 a.m. CST

10 Responses
Hi Gluu Team, Just wondering what is the recommended approach to add some custom claims to JWT tokens. From what we can see, it seems we have two options: either use the Dynamic Scopes script or the Introspection script. What is the Gluu recommended approach? Is there a scenario where one makes more sense than the other? Thank you in advance. Kind regards, Rui

By Michael Schwartz Account Admin 25 Nov 2020 at 12:06 p.m. CST

Which JWT? The id_token, access token or userinfo JWT?

By Rui Engana Account Admin 25 Nov 2020 at 12:08 p.m. CST

Apologies, I should have been more explicit. I am referring to Access Token when used as JWT.

By Michael Schwartz Account Admin 25 Nov 2020 at 12:14 p.m. CST

The introspection script is used for the access_token. This script is run even if you are using JWT access tokens. The dynamic_scope script is used for userinfo.

By Rui Engana Account Admin 25 Nov 2020 at 2:39 p.m. CST

Thanks Mike, that's very clear. I know we have a way to configure scopes and claims for Userinfo and it works great, but is there a way to flag which of those claims should also be included in the JWT Access Token? Thanks!

By Kiran Mali staff 26 Nov 2020 at 6:47 a.m. CST

Hi Rui Engana, I think there is no flag; you need to add an introspection_script which adds all user claims to the access token. Here is a sample which adds the user role to the access token: https://raw.githubusercontent.com/GluuFederation/gluu-gateway-setup/version_4.2.0/gg-demo/introspection_script.py Thanks, Kiran Mali

By Rui Engana Account Admin 26 Nov 2020 at 11:54 a.m. CST

Got it. Not sure if it makes sense to register an enhancement to flag the subset of scope claims that, when issued as JWT, should also end up in the access token.

By Michael Schwartz Account Admin 08 Dec 2020 at 9:11 a.m. CST

There is no rule that an access token requires a person. For example, we have the client credentials grant. But a lot of times there is... so perhaps some automated way to add claims to the access token makes sense. We can make an issue in Janssen to track this and see how the contributors feel about it.
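
Added example (not part of the thread and not Gluu or Janssen code): a plain-Python model of the claim selection an introspection script could apply, covering the per-scope subset asked about above and the client credentials case where no user exists. The function name, the scope-to-claim mapping and all sample values are assumptions constructed for illustration; the Gluu script class that would call this logic is omitted.

```python
# Added illustration: models the selection logic only. All names are hypothetical.

# Members the token/introspection response already defines (RFC 7519, RFC 7662).
# A script should never overwrite these with directory attributes.
RESERVED = frozenset({"iss", "sub", "aud", "exp", "nbf", "iat", "jti",
                      "active", "scope", "client_id", "token_type", "username"})

# Constructed mapping: claims of each scope that may also go into the access
# token. "sub" is listed on purpose to show that reserved names are skipped.
ACCESS_TOKEN_CLAIMS = {
    "profile": {"role", "sub"},
    "email": {"email_verified"},
}


def claims_for_access_token(response, granted_scopes, user_claims):
    """Return a copy of `response` with the flagged user claims added.

    response       -- dict standing in for the introspection response JSON
    granted_scopes -- scopes granted to the token
    user_claims    -- dict of user attributes, or None when no person is
                      behind the token (client credentials grant)
    """
    result = dict(response)
    if not user_claims:
        return result  # no user: nothing to add
    for scope in granted_scopes:
        for name in sorted(ACCESS_TOKEN_CLAIMS.get(scope, ())):
            if name in RESERVED or name in result:
                continue  # keep the value the server already set
            if name in user_claims:
                result[name] = user_claims[name]
    return result


# Constructed sample data
BASE = {"active": True, "scope": "openid profile", "exp": 1606327000,
        "client_id": "constructed-client", "sub": "constructed-user"}
USER = {"role": "admin", "email": "user@example.test",
        "email_verified": True, "sub": "value-from-directory"}

if __name__ == "__main__":
    print(claims_for_access_token(BASE, ["openid", "profile"], USER))
    print(claims_for_access_token(BASE, ["openid"], None))
```

Only claims flagged for a granted scope are copied, so the access token carries no more user data than the resource server needs.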

By Vadim Saratovtsev user 11 Dec 2020 at 10:53 a.m. CST

Enhancement request created under JanssenProject Issues on GitHub. We will continue tracking it and will update everyone on the progress. https://github.com/JanssenProject/jans-auth-server/issues/15

By Michael Schwartz Account Admin 11 Dec 2020 at 1:04 p.m. CST

Link?

By Vadim Saratovtsev user 11 Dec 2020 at 3:50 p.m. CST

Thank you. https://github.com/JanssenProject/jans-auth-server/issues/15