Additional claims in jwt

Hi there,
could you pls suggest , how can I add additional claims in the jwt such as firstname, email,lastname? Below is the out of the box cliams from the decoded jwt

“at_hash”: “xZUUjL65bFHutNiOgzWhuQ”,
“sub”: “john”,
“auditTrackingId”: “d693b908-0777-41ab-a9b3-1f94686b1e52-700”,
“iss”: “”,
“tokenName”: “id_token”,
“aud”: “bankclientid”,
“c_hash”: “Y8FA_DnPyKw15_JGqcoM-w”,
“acr”: “0”,
“org.forgerock.openidconnect.ops”: “pRBt4fvHLsj40mSGBXQf85jIR_E”,
“azp”: “bankclientid”,
“auth_time”: 1676639903,
“realm”: “/testAdv”,
“exp”: 1676643545,
“tokenType”: “JWTToken”,
“iat”: 1676639945

Hi @shaye
If I understand what you want to do, I think you’ll find it useful to read this page => User info claims plugin :: AM 7.2.0

Hi Stephane,thanks for the response. Let me rephrase, apparently what i was asking was that when we issue id_token during accesstoken call wanted to include additional attributes/claims in the issued jwt token such as firstname, email,lastname.


Hi @shaye,
If you need to add something in your AT, then I’m not sure it’s called Claims and it’s not a standard thing. However with ForgeRock you can extend your AT content with scripting. Please have a look here: ForgeRock Access Management 7.1.3 > OAuth 2.0 Guide > Modifying the Content of Access Tokens
I hope it’ll help you

1 Like

The claims are mapped to scopes. so email for example requires the client to have the corresponding scopes assigned.

the default openid, profile and email scopes should cover claims such as names and email.

this documents allowing profile claims to be sent as part of the id token.