Introduction
Sometimes an application wants an access token from the CoreOne Authentication Service, but the included claims are not enough to satisfy the need for information or authorization.
...
To extend the claims provided in the access token, we need to create an API resource for this specific use case. With the help of scopes, the client can then easily request the needed claims in the access token.
Step 1 - Create the API resource
The API resource only has to be created if one does not already exist for this use case.
...
Name it according to your use case and select the application of the client that needs the additional claim in the access token.
Step 2 - Map the additional claim type to the API resource
This step can currently only be done directly in the database.
...
```sql
-- Replace both placeholders with the actual IDs before running.
INSERT INTO `servicecorelogin_api_resource__claim_type` (`api_resource_id`, `claim_type_id`)
VALUES ('{the id of the newly created api resource}', '{the id of the additional needed claim type}');
```
Step 3 - Create a scope
A new scope is only needed when no scope for this use case already exists.
...
Create a new scope for this use case with the scope type 'resource'.
Step 4 - Link API resource to scope
Navigate to the detail page of the newly created scope.
Open the tab 'API Resource' and add the API resource from Step 1.
Step 5 - Add the scope to the client
Navigate to SSO → Application.
...
Edit the client to which you want to add the scope, add the scope from Step 3, and click Save.
Step 6 - Restart the authentication service
The new configuration will only be applied when the authentication service is restarted.
Step 7 - Test it
To test whether the changes were successful, request an access token (see: How-To issue an access token).
...
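One way to carry out the check in Step 7, shown as an added example that is not part of the original page or of CoreOne's own tooling. It assumes the access token is issued as a JWT; the scope name `hr_api` and the claim type `department` are hypothetical placeholders, and the sample tokens are constructed.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def read_claims(access_token: str) -> dict:
    """Return the payload of a JWT access token WITHOUT verifying the signature.

    For configuration checks only; unverified claims must never drive authorization.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def check_token(access_token: str, scope: str, claim_types: list[str]) -> list[str]:
    """Return a list of problems; an empty list means the token looks as configured."""
    claims = read_claims(access_token)
    problems = []
    granted = claims.get("scope", [])
    if isinstance(granted, str):  # scope may be a space-delimited string or an array
        granted = granted.split()
    if scope not in granted:
        problems.append(f"scope '{scope}' not granted (got: {granted})")
    for claim_type in claim_types:
        if claim_type not in claims:
            problems.append(f"claim '{claim_type}' missing from access token")
    return problems


def _make_sample(payload: dict) -> str:
    # Constructed, unsigned sample token; the signature segment is a dummy value.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.c2ln"


# Constructed samples: one token after a successful setup, one where the claim mapping is missing.
SAMPLE_OK = _make_sample({"sub": "42", "scope": "openid hr_api", "department": "R&D"})
SAMPLE_MISSING = _make_sample({"sub": "42", "scope": ["openid", "hr_api"]})

if __name__ == "__main__":
    print(check_token(SAMPLE_OK, "hr_api", ["department"]))
    print(check_token(SAMPLE_MISSING, "hr_api", ["department"]))
```

If the scope is granted but the claim is missing, the mapping from Step 2 or the restart from Step 6 is the first thing to re-check.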