I would like to add a custom claim to the access token using the Authorization Code Grant Flow.
The custom claim info is available only during the initial call to get the authorization code. This info is NOT available during the /access_token invocation.
Currently I am storing authCode|customClaim in Redis during the /authorize call, and then getting this custom claim back from the Access Token Modification Script on /access_token.
Just wondering if there is a better way to do this in AM, say by somehow storing custom info along with the authorization code and just using it directly in the Access Token Modification Script?
You can store this in the session object in the auth flow, and then access the session properties in the custom token script, and then add the claim to the idToken there.
Thanks for the reply. Unfortunately I don't have access to the session on the second API invocation. It's a stateless REST API call just passing the authCode - no user involved, hence adding in Redis for now.
I was looking more at whether we can store the custom value along with the authCode in the same table, DS, etc…
Later when we exchange auth code for the access token, this sticks into the Access Token.
However, per the docs - it seems that this was designed for the Id Token. Also, the configs in the OAuth2Provider are under the OIDC section.
I am still evaluating and testing this for any side-effects, but wanted to check if anyone else has tried this approach or if there are any drawbacks that we need to be aware of.