Change JWT payload format : WSO2IS


A resource server expects the groups payload key inside the default WSO2 Identity Server JWT payload to be named roles.

Current JWT response:

{
  "at_hash": "SCqDJuV0gnNvb7r_IeI47Q",
  "aud": "yfzRO7vHWHI76bN68a5ZqgczxlQa",
  "c_hash": "gIKRlznsEe17AQ5GQoOfZg",
  "sub": "admin",
  "nbf": 1663741604,
  "azp": "yfzRO7vHWHI76bN68a5ZqgczxlQa",
  "amr": [
    "BasicAuthenticator"
  ],
  "iss": "https://identity.myorg.co.za/oauth2/token",
  "groups": [
    "Internal/admin",
    "Internal/everyone",
    "es:write:parties",
    "Application/My Account",
    "admin"
  ],
  "exp": 1663745204,
  "iat": 1663741604
}

I have tried the following:

  • Adding claim mappings to the SP
  • Using a custom claim dialect
  • Requesting wso2.org/claims/role instead of groups on the claim config on the SP

Nothing seems to change it.

Is it possible to change the payload using configuration, or is a custom JWT generator needed?


Solution

  • I was able to achieve this in the following way.

    1. Removed roles and groups mapping from OIDC dialect.
    2. Added an attribute mapping to the OIDC dialect as roles and mapped it into groups claim.
    3. Updated the OIDC scope with the new attribute (this might not work if there is an attribute with the same name. In that case remove the existing one).
    4. Updated SP configs claims section.
    5. Tried with the password grant type.

    Not sure whether this approach is correct, but it works. NOTE: Tried this with the IS 6.0.0 new console since it is much easier than the previous carbon console.
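After applying the dialect mapping above, the check a practitioner would want is to take the token returned by the password grant and confirm that its claim set now carries roles (and no longer groups) alongside the usual iss/aud/exp/nbf checks the resource server already does. The following is an added example, not code from the original question or answer and not part of WSO2 Identity Server: the token is constructed locally with a dummy signature so it runs offline, the payloads reuse the values shown in the question, and decode_claims deliberately does not verify the signature, so its output is only for inspection; a real resource server must verify the JWS signature against the issuer's published keys before trusting any claim.

```python
import base64
import json
import time
from typing import List, Optional

# Constructed sample payloads (not real tokens). "Before" is the default WSO2 IS
# layout from the question; "after" is what the resource server expects once the
# OIDC dialect attribute named roles is mapped onto the local groups claim.
BEFORE_PAYLOAD = {
    "sub": "admin",
    "aud": "yfzRO7vHWHI76bN68a5ZqgczxlQa",
    "azp": "yfzRO7vHWHI76bN68a5ZqgczxlQa",
    "iss": "https://identity.myorg.co.za/oauth2/token",
    "nbf": 1663741604,
    "exp": 1663745204,
    "iat": 1663741604,
    "groups": ["Internal/admin", "Internal/everyone", "es:write:parties",
               "Application/My Account", "admin"],
}
AFTER_PAYLOAD = dict(BEFORE_PAYLOAD)
AFTER_PAYLOAD["roles"] = AFTER_PAYLOAD.pop("groups")


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsigned_token(payload: dict) -> str:
    """Build header.payload.signature with a DUMMY signature (offline testing only).
    A real token from /oauth2/token is RS256-signed by the Identity Server."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-example"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        _b64url_encode(b"dummy-signature-not-verified"),
    ])


def decode_claims(token: str) -> dict:
    """Decode the claim set WITHOUT verifying the signature.
    Use only to inspect what the server emitted; never authorise on this alone."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def check_role_claims(claims: dict, expected_aud: str, expected_iss: str,
                      now: Optional[int] = None) -> List[str]:
    """Return the list of problems found; an empty list means the token
    matches what the resource server expects (roles present, groups gone,
    correct issuer and audience, inside the validity window)."""
    now = int(time.time()) if now is None else now
    problems: List[str] = []

    if claims.get("iss") != expected_iss:
        problems.append(f"iss mismatch: {claims.get('iss')!r}")

    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if expected_aud not in aud_list:
        problems.append(f"aud does not contain {expected_aud!r}")

    if "exp" not in claims or now >= claims["exp"]:
        problems.append("token expired or has no exp")
    if "nbf" in claims and now < claims["nbf"]:
        problems.append("token not yet valid (nbf in the future)")

    roles = claims.get("roles")
    if not isinstance(roles, list) or not roles:
        problems.append("missing or empty roles claim")
    if "groups" in claims:
        problems.append("groups claim still present (dialect mapping not applied)")
    return problems


if __name__ == "__main__":
    aud = "yfzRO7vHWHI76bN68a5ZqgczxlQa"
    iss = "https://identity.myorg.co.za/oauth2/token"
    for label, payload in (("before", BEFORE_PAYLOAD), ("after", AFTER_PAYLOAD)):
        claims = decode_claims(make_unsigned_token(payload))
        print(label, check_role_claims(claims, aud, iss, now=1663741700) or "OK")
```

To check a real token, paste the id_token or JWT access token returned by the password grant into decode_claims in place of make_unsigned_token(...); the "before" payload reports the missing roles claim and the leftover groups claim, the "after" payload passes, and a token presented after its exp fails regardless of the claim name.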