Access OAuth2 client config in OIDC claim script

I am playing with the AM module and would like to add a new claim to the ID token. This new claim needs to be encrypted with a secret configured against the OAuth2 client. Is `clientProperties['customProperties']` in the custom OIDC claim script the only way around this?

IMHO the entire ID token should be encrypted, instead of a single attribute within it.
Custom properties are not designed to carry secrets.
https://backstage.forgerock.com/docs/am/7.2/oidc1-guide/encrypting-oidc-idtokens.html

Thanks for the reply. The reason we need a custom claim is that the pairwise sub claim does not work well with the CIBA flow.
E.g. generate an ID token with a pairwise sub claim, and if that token is used as the id_token_hint for /bc-authorize, it does not work. I reckon I have created a separate thread for that.

Hi joshfr,
Sorry it is taking time between posts. I think that you are right: the pairwise attribute will pass the opaque sub value back, which is obviously not desirable.
If your ID token must have a pairwise identifier, you will need to engineer a claim within it so as to retrieve the username, but there is no standard way of doing this.
Since the pairwise sub value is consistent, you might be able to build a mapping between the username and the pairwise identifier, which you can look up.
Alternatively you might encrypt ID tokens and request a JWT so as to protect the username in transit, but the sub will be a clear-text value.

1 Like
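As an added illustration of the mapping approach suggested above (not code from this thread or from ForgeRock AM): the pairwise sub is derived here with the example algorithm from OpenID Connect Core section 8.1 (SHA-256 over sector identifier, local account id and salt), which AM's own derivation need not match, and a server-side dictionary resolves a pairwise sub back to the username. The sector identifier, salt and usernames are constructed sample values.

```python
import base64
import hashlib
from typing import Dict, Iterable, Optional

# Constructed sample values: the RP's sector identifier and the OP's private salt.
SECTOR_IDENTIFIER = "https://rp.example.com"
SALT = b"constructed-opaque-salt"


def pairwise_sub(local_account_id: str,
                 sector_identifier: str = SECTOR_IDENTIFIER,
                 salt: bytes = SALT) -> str:
    """Pairwise subject identifier, OIDC Core 8.1 example algorithm:
    base64url(SHA-256(sector_identifier || local_account_id || salt)).
    Deterministic per (sector, user), so the same user always gets the same sub
    at a given RP, while different RPs get unlinkable values."""
    material = sector_identifier.encode() + local_account_id.encode() + salt
    digest = hashlib.sha256(material).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def build_mapping(usernames: Iterable[str],
                  sector_identifier: str = SECTOR_IDENTIFIER) -> Dict[str, str]:
    """Server-side lookup table: pairwise sub -> username for one RP.
    This table stays on the OP; the sub in the token remains opaque to the RP."""
    return {pairwise_sub(u, sector_identifier): u for u in usernames}


def resolve_username(mapping: Dict[str, str], sub: str) -> Optional[str]:
    """Resolve the opaque sub received back (e.g. via id_token_hint) to a username.
    Returns None for a sub that was not issued for this sector."""
    return mapping.get(sub)


if __name__ == "__main__":
    table = build_mapping(["alice", "bob"])
    hint = pairwise_sub("alice")
    print(hint, "->", resolve_username(table, hint))
    # A sub minted for another RP does not resolve here.
    print(resolve_username(table, pairwise_sub("alice", "https://other.example.org")))
```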

Thanks for the reply, Gery. All good, we will add an additional encrypted claim and use it to look up the username.

2 Likes

Thanks, my issue has been fixed.