Hi Usman,
You can add additional attributes to the claims of the ID_TOKEN by adding them to the sts context in the pre-token mapping rule. The important thing to know is:
All attributes with type urn:ibm:jwt:claim will be added as claims.
So, an example of adding upn would look like this:
// Read the UPN from the credential attribute already in the STS context
var myupn = stsuu.getContextAttributes().getAttributeValueByName("upn_cred_attr");
// Attributes of type urn:ibm:jwt:claim are emitted as ID_TOKEN claims
stsuu.addContextAttribute(new com.tivoli.am.fim.trustserver.sts.uuser.Attribute("upn","urn:ibm:jwt:claim",myupn));
This assumes UPN is in a credential attribute named "upn_cred_attr".
Note that credential attributes are only populated into the context when you hit the /authorize endpoint. This is fine for "implicit" flow (where ID_TOKEN is returned from /authorize) but doesn't work directly for "Authorization Code" flow (where ID_TOKEN is returned from /token).
If you're using the "Authorization Code" flow, you'll need to either set up an attribute source (so the attribute can be pulled from LDAP when needed) or store the attribute against the grant in the authorization code part of the flow and then retrieve it again in the token exchange part of the flow.
There's actually code already in the rules to do this work for attributes the client requests. I think you could directly add your attribute to this list at the start of processing and have the existing code handle it for you:
// Register upn as a voluntary claim so the existing rule code carries it through the code flow
stsuu.setContextAttribute("cred_attr_upn", "urn:ibm:names:ITFIM:oidc:claim:voluntary",null);
Jon.
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
------------------------------
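The pattern above, as an added example that is not from the thread or from IBM: the claim-adding step with the guard the Authorization Code flow needs, written as a self-contained function. The `Attribute` and `stsuu` stand-ins are constructed so it can be exercised outside the appliance; on the appliance the runtime supplies `stsuu` and `com.tivoli.am.fim.trustserver.sts.uuser.Attribute`, and the credential attribute type string used in the sample is an assumption.

```javascript
// Added example (not the original post's code): pre-token rule logic that
// copies a credential attribute into an ID_TOKEN claim. On /authorize the
// credential attribute is present; on /token (code flow) it is absent and
// the rule must not emit an empty or null "upn" claim.
const JWT_CLAIM_TYPE = "urn:ibm:jwt:claim";

// Constructed stand-in for com.tivoli.am.fim.trustserver.sts.uuser.Attribute
function Attribute(name, type, value) {
  this.name = name;
  this.type = type;
  this.value = value;
}

// Constructed stand-in for the STSUniversalUser (stsuu) object a mapping rule sees
function makeStsuu(attrs) {
  const list = attrs.map((a) => new Attribute(a.name, a.type, a.value));
  return {
    getContextAttributes: () => ({
      getAttributeValueByName: (name) => {
        const a = list.find((x) => x.name === name);
        return a ? a.value : null;
      },
    }),
    addContextAttribute: (a) => list.push(a),
    // Helper for inspection: the attributes that would become JWT claims
    claims: () => list.filter((a) => a.type === JWT_CLAIM_TYPE).map((a) => [a.name, a.value]),
  };
}

// Rule body. Returns the claim value that was added, or null when nothing was.
function addUpnClaim(stsuu) {
  const ctx = stsuu.getContextAttributes();
  const upn = ctx.getAttributeValueByName("upn_cred_attr");
  // Missing on /token in the code flow: skip rather than add a bogus claim.
  if (upn === null || upn === undefined || String(upn).length === 0) {
    return null;
  }
  // Refuse to add a second "upn" claim if an earlier rule already did.
  if (stsuu.claims().some(([name]) => name === "upn")) {
    return null;
  }
  stsuu.addContextAttribute(new Attribute("upn", JWT_CLAIM_TYPE, String(upn)));
  return String(upn);
}
```

Running it with a context that carries `upn_cred_attr` adds the claim; running it with an empty context (the /token case) adds nothing.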
Original Message:
Sent: Mon July 06, 2020 01:35 AM
From: UsmanAli Shaik
Subject: Adding attribute into JWT Token - OpenID Connect Protocol Integration
Hi Folks,
Theoretically, I understand that the pre-token mapping rule (which is created after the OpenID Connect definition) can be used to add any attribute required by the target application. That will be added into the ID_TOKEN. Therefore, the end application extracts that ID_TOKEN and retrieves the required attribute for its further processing.
Can someone help with adding an attribute, for example 'upn', into the ID_TOKEN for an OpenID Connect based integration?
I could see from the logs below that 'sub' etc. are getting populated, but I would like to add the 'upn' attribute into the ID_TOKEN as well.
[7/5/20 17:03:34:301 AST] 0000297b id=00000000 com.tivoli.am.fim.oauth20.util.OAuth20JwtBuilder > addTokenMap ENTRY
[7/5/20 17:03:34:301 AST] 0000297b id=00000000 com.tivoli.am.fim.oauth20.util.OAuth20JwtBuilder 1 addTokenMap Adding claim sub with value: usashaik.c@stc.com.sa
[7/5/20 17:03:34:301 AST] 0000297b id=00000000 com.tivoli.am.fim.oauth20.util.OAuth20JwtBuilder 1 addTokenMap Adding claim aud with value: aZ34hE7AIrdPm2s2RDPM
[7/5/20 17:03:34:301 AST] 0000297b id=00000000 com.tivoli.am.fim.oauth20.util.OAuth20JwtBuilder 1 addTokenMap Adding claim iat with value: 1593957814
[7/5/20 17:03:34:301 AST] 0000297b id=00000000 com.tivoli.am.fim.oauth20.util.OAuth20JwtBuilder 1 addTokenMap Adding claim exp with value: 1593961414
[7/5/20 17:03:34:301 AST] 0000297b id=00000000 com.tivoli.am.fim.oauth20.util.OAuth20JwtBuilder < addTokenMap RETURN
------------------------------
UsmanAli Shaik
------------------------------