Introduction
Sometimes a customer application needs an access token from our authentication service, but the claims included in it are not sufficient for the application's information or authorization needs.
Requesting the ID Token instead is not an option, because it holds too much information, some of which should not be shared between clients (see Difference between ID and Access token).
To extend the claims provided in the access token, we create an API resource for this specific use case; with the help of scopes, the client can then easily request the needed claims in its access token.
Step 1 - Create the API resource
An API resource only has to be created if none exists yet for this use case.
An API resource can hold more than one additional claim.
Navigate to SSO → API resource and create a new API Resource.
Name it according to your use case and select the application of the client that needs the additional claim in the access token.
Step 2 - Map the additional claim type to the API resource
This step can currently only be done directly in the database.
Add the additional claim types to the API resource with one row per claim type:
INSERT INTO `servicecorelogin_api_resource__claim_type` (`api_resource_id`, `claim_type_id`) VALUES ('{the id of the newly created api resource}', '{the id of the additional needed claim type}');
Step 3 - Create a scope
A new scope is only needed when no scope for this use case already exists.
Navigate to SSO → Scopes.
Create a new scope for this use case with the scope type 'resource'.
Step 4 - Link API resource to scope
Navigate to the detail page of the newly created scope.
Open the tab 'API Resource' and add the API resource from Step 1.
Step 5 - Add the scope to the client
Navigate to SSO → Application.
Select the application and open the tab 'Clients'.
Edit the client that should receive the scope, add the scope from Step 3 and click Save.
Step 6 - Restart the authentication service
The new configuration is only applied after the authentication service has been restarted.
Step 7 - Test it
To test whether the changes were successful, request an access token (see How-To issue an access token).
Once you have an access token, decode it with https://jwt.io/ and verify that all needed claims are now included.
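The same check can be scripted, which is handy when you test several clients or run the check repeatedly after restarts. The following Python script is an added example and is not part of this how-to or of the authentication service; the claim names `department` and `cost_center`, the scope name `hr.read` and the sample tokens are constructed for illustration and must be replaced with the claim types mapped in Step 2 and the scope created in Step 3. Like the jwt.io viewer, it only decodes the token and does not verify the signature, so it tells you what the service put into the token, not whether the token is trustworthy; any real consumer must validate the signature against the service's signing key first.

```python
import base64
import json

# Claim types the API resource from Steps 1-2 is expected to add.
# Constructed sample names; replace them with the claim types you mapped.
REQUIRED_CLAIMS = ["sub", "department", "cost_center"]
EXPECTED_SCOPE = "hr.read"  # the scope created in Step 3 (constructed sample name)


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url (only used to build the sample tokens)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt(token: str) -> tuple:
    """Split a compact JWS and return (header, payload) as dicts.

    The signature is NOT verified here; this only shows what the token says,
    exactly like the jwt.io viewer does. Consumers must verify the signature
    against the authentication service's signing key before trusting claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated parts")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload


def scopes_in(payload: dict) -> list:
    """Normalise the 'scope' claim, which may be a space-separated string or a list."""
    scope = payload.get("scope", [])
    if isinstance(scope, str):
        return scope.split()
    return list(scope)


def check_token(token: str, required=REQUIRED_CLAIMS, scope=EXPECTED_SCOPE) -> dict:
    """Report which required claims are missing and whether the scope was granted."""
    _, payload = decode_jwt(token)
    return {
        "missing_claims": [c for c in required if c not in payload],
        "scope_granted": scope in scopes_in(payload),
    }


def build_sample_token(claims: dict) -> str:
    """Assemble a constructed token with a placeholder signature for offline testing."""
    header = {"alg": "RS256", "typ": "at+jwt"}
    segments = [
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        b64url_encode(b"placeholder-signature-not-a-real-one"),
    ]
    return ".".join(segments)


# Constructed samples: a token as issued before the scope was added to the client
# (no extra claims) next to one issued after Steps 1-6 were completed.
BEFORE = build_sample_token({"sub": "1234", "scope": "openid"})
AFTER = build_sample_token({
    "sub": "1234",
    "scope": "openid hr.read",
    "department": "Finance",
    "cost_center": "CC-4711",
})

if __name__ == "__main__":
    for label, tok in (("before", BEFORE), ("after", AFTER)):
        print(label, check_token(tok))
```

Paste a real token from the service in place of the samples; an empty `missing_claims` list together with `scope_granted` being true means Steps 1 to 6 took effect. If the claims are still missing, the usual causes are the restart from Step 6 not having happened yet, or the client not actually requesting the new scope.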