IBM Verify

  • 1.  OIDC introspect customization

    Posted Fri July 10, 2020 10:16 AM
    Hello,
    We need to get custom attributes on the /introspect endpoint. Something like "employeetype", "mail".
    I can add attributes to the /token and /userinfo endpoints, like here: https://community.ibm.com/community/user/security/blogs/javier-arjona-sanchez1/2019/06/04/isam-oidc-custom-scopes-and-custom-claims
    But I don't understand how to do it on /introspect.
    Can anyone help?

    ------------------------------
    Kirill N
    ------------------------------


  • 2.  RE: OIDC introspect customization

    Posted Mon July 13, 2020 03:29 AM
    Hello Kirill

    it's as simple as adding a section in the post token mapping rule for request type introspect...
    for example, the following section at the end of the post token mapping rule

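    // Runs only for calls to the introspection endpoint
    if (request_type == "introspect") {
        // Context attributes of this type are returned in the response JSON
        stsuu.addContextAttribute(new Attribute("cippo", "urn:ibm:names:ITFIM:oauth:response:attribute", "lippo"));
    }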

    will add the "cippo" attribute with a fixed value when doing introspect

    {
    "scope": "openid email",
    "active": true,
    "token_type": "bearer",
    "exp": 1594628440,
    "cippo": "lippo",
    "iat": 1594624930,
    "client_id": "client-9060",
    "username": "pippo"
    }

    of course you need to have the same logic as the above article to retrieve the proper attributes/values

    ------------------------------
    Gianluca Gargaro
    IBM
    Roma
    ------------------------------
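
The pattern from the reply, applied to the attribute names in the question with an allow-list so that only intended values reach the introspection response. This is an added example, not code from either post or from IBM. `Attribute` and `FakeStsuu` are minimal stand-ins for the runtime objects so the logic runs under Node, and `addIntrospectClaims` and the `userAttrs` map are hypothetical (how user attributes are stored and looked up is deployment-specific).

```javascript
// Stand-ins for the mapping-rule runtime objects (assumption: only the
// constructor and addContextAttribute call shapes seen in the reply are used).
class Attribute {
  constructor(name, type, value) {
    this.name = name;
    this.type = type;
    this.value = value;
  }
}
class FakeStsuu {
  constructor() { this.context = []; }
  addContextAttribute(attr) { this.context.push(attr); }
}

// Attribute type used in the reply for values returned in the response.
const RESPONSE_ATTR_TYPE = "urn:ibm:names:ITFIM:oauth:response:attribute";

// Only these names may appear in the introspection response.
const INTROSPECT_ALLOWLIST = ["employeetype", "mail"];

// userAttrs: hypothetical map of attributes already retrieved for this grant.
// Returns the names that were added, to make the behaviour easy to check.
function addIntrospectClaims(stsuu, request_type, userAttrs) {
  const added = [];
  if (request_type !== "introspect") return added;
  for (const name of INTROSPECT_ALLOWLIST) {
    const value = userAttrs[name];
    // Skip missing or empty values instead of emitting "undefined" or "".
    if (value === undefined || value === null || value === "") continue;
    stsuu.addContextAttribute(
      new Attribute(name, RESPONSE_ATTR_TYPE, String(value)));
    added.push(name);
  }
  return added;
}

// Constructed sample data; homePhone is present but not allow-listed.
const sampleAttrs = {
  employeetype: "contractor",
  mail: "pippo@example.com",
  homePhone: "555-0100",
};
const sampleStsuu = new FakeStsuu();
console.log(addIntrospectClaims(sampleStsuu, "introspect", sampleAttrs));
```

Any client permitted to call /introspect receives these values, so the allow-list is the place to review what is exposed.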