How-To add a claim to an access token

Introduction

Sometimes an application wants an access token from the CoreOne Authentication Service but the included claims are not enough to satisfy the need for information or authorization.

Requesting the ID Token instead makes no sense, because it holds too much information or contains information that should not be shared between clients. (See "More about Tokens and their difference".)

To extend the claims provided in the access token we need to create an API Resource for this specific use case and with the help of Scopes the client can easily request the needed claims in the access token.

Step 1 - Create the API resource

The API resource only has to be created when no API resource already exists for this use case.

An API resource can hold more than one additional claim.

Navigate to SSO → API resource and create a new API Resource.

Name it according to your use case and select the application of the client which needs the additional claim in the access token.

Step 2 - Map the additional claim type to the API resource

This step can currently only be done directly in the database.

Please add the additional Claim Types to the API resource.

INSERT INTO `servicecorelogin_api_resource__claim_type` (`api_resource_id`, `claim_type_id`) VALUES ('{the id of the newly created api resource}', '{the id of the additionally needed claim type}');

Step 3 - Create a scope

A new scope is only needed when no scope for this use case already exists.

Navigate to SSO → Scopes.

Create a new scope for this use case with the scope type 'resource'.

Step 4 - Link API resource to scope

Navigate to the detail page of the newly created scope.

Open the tab 'API Resource' and add the API resource from Step 1.

Step 5 - Add the scope to the client

Navigate to SSO → Application.

Select the application and open the tab 'Clients'.

Edit the client where you want to add the scope and add the scope from step 3 and click save.

Step 6 - Restart the authentication service

The new configuration will only be applied when the authentication service is restarted.

Step 7 - Test it

To test whether the changes were successful, request an access token (see "How-To issue an access token").

When you have an access token you can decode it with JWT.IO and verify that all the needed claims are now included.
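The same check can be scripted so it runs as part of a deployment test instead of pasting tokens into a browser. The following is an added example and not code from this page or from ITSENSE: it decodes the JWT payload, verifies the signature, and reports which expected claims are missing and whether the new scope was granted. Everything in it is constructed for the demo: the claim name `department`, the scope `example-api-scope`, the audience `example-api-resource`, the issuer URL and the HS256 shared secret are all assumptions. A production authentication service normally signs with an asymmetric key (e.g. RS256), so the `verify_hs256` part would be replaced by verification against the issuer's public key; the claim and scope checks stay the same.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWTs drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_jwt(token: str) -> tuple[dict, dict]:
    """Split a compact JWT and return (header, payload) as dicts.
    This only decodes (what JWT.IO shows); it proves nothing about authenticity."""
    header_b64, payload_b64, _signature_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    payload = json.loads(_b64url_decode(payload_b64))
    return header, payload


def verify_hs256(token: str, secret: bytes) -> bool:
    """Check an HS256 signature with a constant-time comparison.
    Refuses any other 'alg' so an attacker-chosen algorithm cannot bypass the check."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    header, _ = decode_jwt(token)
    if header.get("alg") != "HS256":
        return False
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(signature_b64))


def missing_claims(payload: dict, required: list[str]) -> list[str]:
    """Names of the required claims that the payload does not carry."""
    return sorted(c for c in required if c not in payload)


def scope_granted(payload: dict, scope: str) -> bool:
    """'scope' is usually a space-separated string, sometimes a list of strings."""
    scopes = payload.get("scope", [])
    if isinstance(scopes, str):
        scopes = scopes.split()
    return scope in scopes


def check_token(token: str, required: list[str], scope: str, secret: bytes) -> dict:
    """One combined verdict for a test script: signature, claims, scope."""
    _header, payload = decode_jwt(token)
    return {
        "signature_ok": verify_hs256(token, secret),
        "missing": missing_claims(payload, required),
        "scope_granted": scope_granted(payload, scope),
    }


# Constructed sample so the example runs offline: secret and claims are made up.
SAMPLE_SECRET = b"constructed-demo-secret-not-a-real-key"
SAMPLE_CLAIMS = {
    "iss": "https://sso.example.test",   # hypothetical issuer
    "aud": ["example-api-resource"],      # hypothetical API resource (Step 1)
    "scope": "openid example-api-scope",  # hypothetical scope (Step 3)
    "sub": "user-123",
    "department": "engineering",          # the additional claim mapped in Step 2
    "exp": 4102444800,
}


def make_sample_token(claims: dict, secret: bytes) -> str:
    """Build an HS256-signed token for the demo (stands in for the real service)."""
    header = {"alg": "HS256", "typ": "JWT"}
    header_b64 = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    payload_b64 = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{_b64url_encode(sig)}"


if __name__ == "__main__":
    token = make_sample_token(SAMPLE_CLAIMS, SAMPLE_SECRET)
    # 'email' is deliberately not in the sample token, so it shows up as missing.
    print(check_token(token, ["sub", "department", "email"], "example-api-scope", SAMPLE_SECRET))
```

In a real test you would replace `make_sample_token` with the token obtained in Step 7 and the secret with the service's verification key; a `missing` list that is not empty after the restart in Step 6 usually means the claim type was not mapped to the API resource (Step 2) or the scope was not added to the client (Step 5).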


© ITSENSE AG. All rights reserved. ITSENSE and CoreOne are registered trademarks of ITSENSE AG.