1

Is it possible to add custom claims into an access token at the moment of requesting that?

I mean, by default authorization server adds its claims, but in mu case, I'd like request an access token requesting for additional custom claims.

Is it possible?

I'm trying that using nimbusds library:

Here my code:

/**
    * Obtains an OAuth2 access token using the client credentials grant.
    *
    * @param clientId the client ID to authenticate with the token endpoint
    * @param clientSecret the client secret to authenticate with the token endpoint
    * @return the access token value as a string
    */
public String getToken(String clientId, String clientSecret) throws URISyntaxException, ParseException, IOException {
    // Construct the client credentials grant
    AuthorizationGrant clientGrant = new ClientCredentialsGrant();

    // The credentials to authenticate the client at the token endpoint
    ClientID clientID = new ClientID(clientId);
    Secret clientSECRET= new Secret(clientSecret);
    ClientAuthentication clientAuth = new ClientSecretBasic(clientID, clientSECRET);

    // The request scope for the token (may be optional)
    // Scope scope = new Scope("core");

    // The token endpoint
    URI tokenEndpoint = new URI("http://localhost:5444/oauth2/token");
    // URI tokenEndpoint = new URI("http://localhost:8081/realms/master/protocol/openid-connect/token");

    // Make the token request
    TokenRequest request = new TokenRequest(tokenEndpoint, clientAuth, clientGrant, null, null, Map.of("custom", List.of("custom")));

    TokenResponse response = TokenResponse.parse(request.toHTTPRequest().send());

    if (! response.indicatesSuccess()) {
        // We got an error response...
        TokenErrorResponse errorResponse = response.toErrorResponse();
        log.info("errorResponse: {}", errorResponse.toString());
    }

    AccessTokenResponse successResponse = response.toSuccessResponse();

    // Get the access token
    AccessToken accessToken = successResponse.getTokens().getAccessToken();
    log.info("accessToken: {}", accessToken.toJSONString());

    return accessToken.getValue();

}

As you can see, I'm trying to add custom values at this code line:

TokenRequest request = new TokenRequest(tokenEndpoint, clientAuth, clientGrant, null, null, Map.of("custom", List.of("custom")));

But token received doesn't have custom claims requested.

Any ideas?

Improve this question

1 Answer 1

Reset to default
1

OAuth standards do not allow you to request custom claims directly in grant messages, since doing so could have major security implications.

Custom claims issuing must instead be preconfigured in the authorization server, along with a way to retrieve the runtime values of claims. Thus is done in an administrator approved manner. One of the following methods is then used at the time of token issuance, where the first may provide best control over issuing of domain specific claims.

  • Call from the authorization server to your API
  • Call from the authorization server to your database

An API request would pass in identity attributes, eg subject, email, and receive back domain specific attributes, eg roles, subscription_level. Returned values are then issued to tokens.

The next step should be to look for such capabilities in your authorization server docs. Not all of them support this behaviour.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.