Tuesday, October 18, 2016

Define custom claims for OpenID Connect Response

WSO2 Identity Server follows the OpenID Connect Core specification[1]. According to the specification[2], OpenID Connect defines a number of scopes such as openid, profile, email, address and phone.
Each scope has a defined set of claims. As an example, the profile scope has the following claims:
name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, and updated_at.
You can find more details on OpenID Connect in the WSO2 official documentation[3].
If you need to add a custom claim that is not defined in the specification to one of the default scopes, follow the steps below.
  
[1] http://openid.net/specs/openid-connect-core-1_0.html
[2] http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
[3] https://docs.wso2.com/display/IS520/OpenID+Connect
 
Prerequisites:
WSO2 IS 5.2.0
Java 1.7.0_80 or above

01. First, add your new claim to the WSO2 claim dialect (http://wso2.org/claims).
Note: 'role' is used as the new claim throughout this document.

02. Add the above claim to the OIDC claim dialect (http://wso2.org/oidc/claim).

  • Go to Management Console > Main > Identity > Claims
  • Click Add, then click Add New Claim
  • The "Add New Claim" screen appears
  • Select the "http://wso2.org/oidc/claim" dialect in the dropdown
  • Fill in the new claim details
  • Click the Add button

03. Add the new claim to the registry.

  • Log in to the management console and go to Registry > Browse.
  • Expand "_system" and "config".
  • Click on "oidc".
  • Click the "+" sign in the "Properties" section. This displays the set of claims for each scope.
  • Click "Edit" and add the new claims you need returned by the userinfo endpoint for the access token.
  • Click "Save".


04. After that, you can use the playground web app to call the userinfo endpoint. You can find more details on
setting up the playground web app here:
https://docs.wso2.com/display/IS510/OAuth+2.0+with+WSO2+Playground

  •  Set up the playground web app and create a service provider for it.
  •  Configure the OAuth/OpenID Connect Configuration section of the service provider.

  •  You can access the playground web app at the URL below and see the welcome screen.
http://localhost:8080/playground2/

  •  Choose the authorization code grant type to generate an authorization code.

  •  When calling the authorize endpoint, you need to enter the user's credentials.
  •  After login you can see the WSO2 IS consent page.

  •  Use the authorization code to call the token endpoint with the client secret.

  •  Use the issued access token to call the userinfo endpoint.

  •  The returned user information now includes the newly added role claim.
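The same flow the playground drives, as an added example that is not part of the original post: build the authorization request, validate the callback, exchange the code at the token endpoint and check that the custom 'role' claim is present in the userinfo response. The /oauth2/authorize, /oauth2/token and /oauth2/userinfo paths are the WSO2 IS 5.x defaults; the host, client id and secret, playground callback URL and the sample userinfo response are assumptions or constructed values.

```python
# Added example, not code from the original post: drive the authorization-code
# flow against WSO2 IS and confirm the custom 'role' claim is in the userinfo
# response. Endpoint paths are the WSO2 IS 5.x defaults; the client id, secret,
# callback URL and sample response are assumed/constructed values.
import base64
import json
import urllib.parse
import urllib.request

IS_BASE = "https://localhost:9443"                               # assumed default host
REDIRECT_URI = "http://localhost:8080/playground2/oauth2client"  # assumed playground callback

def build_authorize_url(client_id, state, scope="openid profile"):
    # 'state' is a fresh random value per request; the client verifies it on callback
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": REDIRECT_URI, "scope": scope, "state": state}
    return IS_BASE + "/oauth2/authorize?" + urllib.parse.urlencode(params)

def code_from_callback(callback_url, expected_state):
    # Reject callbacks whose state does not match the one this client issued
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: stale or forged callback")
    return query["code"][0]

def _json_request(url, data=None, headers=None, ctx=None):
    req = urllib.request.Request(url, data=data, headers=headers or {})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.loads(resp.read().decode())

def exchange_code(code, client_id, client_secret, ctx=None):
    # Token request; the client authenticates with HTTP Basic (id:secret)
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"grant_type": "authorization_code",
                                   "code": code, "redirect_uri": REDIRECT_URI}).encode()
    return _json_request(IS_BASE + "/oauth2/token", body,
                         {"Authorization": "Basic " + creds,
                          "Content-Type": "application/x-www-form-urlencoded"}, ctx)

def fetch_userinfo(access_token, ctx=None):
    # GET with the bearer token issued by the token endpoint
    return _json_request(IS_BASE + "/oauth2/userinfo",
                         headers={"Authorization": "Bearer " + access_token}, ctx=ctx)

def custom_claim(userinfo, name="role"):
    # None means the claim is missing: check the dialect mapping and the oidc registry entry
    return userinfo.get(name)
```

WSO2 IS ships with a self-signed certificate, so for a local run pass an ssl.SSLContext that trusts the IS certificate as ctx rather than disabling verification.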
