Tags: oauth-2.0, spring-security-oauth2, ory

Oauth2: request custom claims on requesting access token


Is it possible to add custom claims into an access token at the moment of requesting that?

I mean, by default the authorization server adds its own claims, but in my case I'd like to request an access token while asking for additional custom claims.

Is it possible?

I'm trying that using the nimbusds library.

Here is my code:

import com.nimbusds.oauth2.sdk.AccessTokenResponse;
import com.nimbusds.oauth2.sdk.AuthorizationGrant;
import com.nimbusds.oauth2.sdk.ClientCredentialsGrant;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.TokenErrorResponse;
import com.nimbusds.oauth2.sdk.TokenRequest;
import com.nimbusds.oauth2.sdk.TokenResponse;
import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
import com.nimbusds.oauth2.sdk.auth.Secret;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.token.AccessToken;

import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Map;

/**
 * Obtains an OAuth2 access token using the client credentials grant.
 *
 * @param clientId the client ID to authenticate with the token endpoint
 * @param clientSecret the client secret to authenticate with the token endpoint
 * @return the access token value as a string
 */
public String getToken(String clientId, String clientSecret) throws URISyntaxException, ParseException, IOException {
    // Construct the client credentials grant
    AuthorizationGrant clientGrant = new ClientCredentialsGrant();

    // The credentials to authenticate the client at the token endpoint
    ClientID clientID = new ClientID(clientId);
    Secret clientSECRET = new Secret(clientSecret);
    ClientAuthentication clientAuth = new ClientSecretBasic(clientID, clientSECRET);

    // The request scope for the token (may be optional)
    // Scope scope = new Scope("core");

    // The token endpoint
    URI tokenEndpoint = new URI("http://localhost:5444/oauth2/token");
    // URI tokenEndpoint = new URI("http://localhost:8081/realms/master/protocol/openid-connect/token");

    // Make the token request; the last argument is sent as extra form parameters
    // of the token request (here custom=custom), not as a claims request
    TokenRequest request = new TokenRequest(tokenEndpoint, clientAuth, clientGrant, null, null, Map.of("custom", List.of("custom")));

    TokenResponse response = TokenResponse.parse(request.toHTTPRequest().send());

    if (! response.indicatesSuccess()) {
        // We got an error response: log it and stop here, because
        // toSuccessResponse() throws on an error response
        TokenErrorResponse errorResponse = response.toErrorResponse();
        log.info("errorResponse: {}", errorResponse.toString()); // `log` is assumed to be the class's logger field
        throw new IOException("Token request failed: " + errorResponse.getErrorObject());
    }

    AccessTokenResponse successResponse = response.toSuccessResponse();

    // Get the access token
    AccessToken accessToken = successResponse.getTokens().getAccessToken();
    log.info("accessToken: {}", accessToken.toJSONString());

    return accessToken.getValue();
}

As you can see, I'm trying to add custom values at this code line:

TokenRequest request = new TokenRequest(tokenEndpoint, clientAuth, clientGrant, null, null, Map.of("custom", List.of("custom")));

But the token received doesn't have the custom claims requested.

Any ideas?


Solution

  • OAuth standards do not allow you to request custom claims directly in grant messages, since doing so could have major security implications.

    Custom claims issuing must instead be preconfigured in the authorization server, along with a way to retrieve the runtime values of claims. This is done in an administrator-approved manner. One of the following methods is then used at the time of token issuance, where the first may provide the best control over issuing of domain-specific claims.

    • Call from the authorization server to your API
    • Call from the authorization server to your database

    An API request would pass in identity attributes, e.g. subject, email, and receive back domain-specific attributes, e.g. roles, subscription_level. Returned values are then issued to tokens.

    The next step should be to look for such capabilities in your authorization server docs. Not all of them support this behaviour.
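An added example, not from the question, the answer or the Nimbus SDK, of the server-side flow the answer describes: at issuance the authorization server passes identity attributes to a preconfigured claims provider, receives domain attributes back, filters them through an administrator-approved allow-list, and writes them into the token's claims with nimbus-jose-jwt; the client's own request parameters (the Map from the question) are never consulted. The ClaimsProvider interface, the in-memory provider, the allow-list and every attribute value are assumptions.

```java
import com.nimbusds.jwt.JWTClaimsSet;
import java.util.Date;
import java.util.List;
import java.util.Map;
import java.util.Set;

/** Hypothetical hook the authorization server calls at token issuance (an assumption, not a real SDK API). */
interface ClaimsProvider {
    /** Identity attributes in (sub, email); domain attributes out (roles, subscription_level). */
    Map<String, Object> lookup(Map<String, String> identityAttributes);
}

public class TokenIssuanceExample {

    /** Administrator-approved allow-list: only these domain claims may ever reach a token. */
    static final Set<String> ALLOWED_CUSTOM_CLAIMS = Set.of("roles", "subscription_level");

    /** Constructed stand-in for the API or database the server would call. */
    static final ClaimsProvider PROVIDER = identity -> {
        if ("alice@example.com".equals(identity.get("email"))) {
            // "internal_notes" comes back from the backend but is not approved for tokens
            return Map.of("roles", List.of("admin", "billing"),
                          "subscription_level", "gold",
                          "internal_notes", "do not expose");
        }
        return Map.of("roles", List.of("user"), "subscription_level", "free");
    };

    /** Builds the token claims. clientParams is what the TokenRequest sent; it is deliberately ignored. */
    static JWTClaimsSet issueClaims(Map<String, String> identity, Map<String, List<String>> clientParams) {
        JWTClaimsSet.Builder builder = new JWTClaimsSet.Builder()
                .issuer("https://as.example")      // placeholder issuer
                .subject(identity.get("sub"))
                .issueTime(new Date());
        PROVIDER.lookup(identity).forEach((name, value) -> {
            if (ALLOWED_CUSTOM_CLAIMS.contains(name)) {
                builder.claim(name, value);
            }
        });
        return builder.build();
    }

    public static void main(String[] args) {
        Map<String, List<String>> requested = Map.of("custom", List.of("custom")); // the question's parameter
        JWTClaimsSet claims = issueClaims(Map.of("sub", "42", "email", "alice@example.com"), requested);
        // Prints roles and subscription_level; neither "custom" nor "internal_notes" appears
        System.out.println(claims.toJSONObject());
    }
}
```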