Additional claims in jwt

shaye · February 17, 2023, 1:36pm

Hi there,
could you pls suggest , how can I add additional claims in the jwt such as firstname, email,lastname? Below is the out of the box cliams from the decoded jwt

{
“at_hash”: “xZUUjL65bFHutNiOgzWhuQ”,
“sub”: “john”,
“auditTrackingId”: “d693b908-0777-41ab-a9b3-1f94686b1e52-700”,
“iss”: “http://iam12.example.com:8991/am655/oauth2”,
“tokenName”: “id_token”,
“aud”: “bankclientid”,
“c_hash”: “Y8FA_DnPyKw15_JGqcoM-w”,
“acr”: “0”,
“org.forgerock.openidconnect.ops”: “pRBt4fvHLsj40mSGBXQf85jIR_E”,
“azp”: “bankclientid”,
“auth_time”: 1676639903,
“realm”: “/testAdv”,
“exp”: 1676643545,
“tokenType”: “JWTToken”,
“iat”: 1676639945
}
Thanks

stephane.orluc · February 17, 2023, 3:28pm

Hi @shaye
If I understand what you want to do, I think you’ll find it useful to read this page => User info claims plugin :: AM 7.2.0
cheers,
Steph.

shaye · February 18, 2023, 1:45pm

Hi Stephane,thanks for the response. Let me rephrase, apparently what i was asking was that when we issue id_token during accesstoken call wanted to include additional attributes/claims in the issued jwt token such as firstname, email,lastname.

thanks

stephane.orluc · February 19, 2023, 10:17am

Hi @shaye,
If you need to add something in your AT, then I’m not sure it’s called Claims and it’s not a standard thing. However with ForgeRock you can extend your AT content with scripting. Please have a look here: ForgeRock Access Management 7.1.3 > OAuth 2.0 Guide > Modifying the Content of Access Tokens
I hope it’ll help you
Cheers
Steph

rjeghanathan · March 17, 2023, 11:34pm

The claims are mapped to scopes. so email for example requires the client to have the corresponding scopes assigned.

the default openid, profile and email scopes should cover claims such as names and email.

this documents allowing profile claims to be sent as part of the id token.