For an app integrated with ID cloud using OIDC, we need to add a custom claim in the ID token.
The value for the claim needs to be fetched from another system using a REST API call.
Let's say: “CBD Number”: 123-45
How can we achieve this?
Hello @ajaykumar_suri,
Thank you for reaching out to our Community site.
For customizing the OIDC claims and retrieving the claim value please refer to the sample scripts page: Sample scripts :: ForgeRock Identity Cloud Docs → oidc-claims-extension.js
Or access the script directly at:
[https://backstage.forgerock.com/docs/idcloud/latest/_attachments/scripts/oidc-claims-extension.js]
You would customize this block:
```javascript
utils.setClaimResolvers({
    /*
    // An example of a simple claim resolver function that is defined for a claim
    // directly in the configuration object:
    'custom-claim-name': function (requestedClaim) {
        // In this case, initially, the claim value comes straight from a user profile attribute value:
        var claimValue = identity.getAttribute('custom-attribute-name').toArray()[0]

        // Optionally, provide additional logic for processing (filtering, formatting, etc.) the claim value.
        // You can use:
        // requestedClaim.getName()
        // requestedClaim.getValues()
        // requestedClaim.getLocale()
        // requestedClaim.isEssential()

        return claimValue
    },
    */
    /**
     * The use of utils.getUserProfileClaimResolver shows how
     * an argument passed to a function that returns a claim resolver
     * becomes available to the resolver function (via its lexical context).
     */
    name: utils.getUserProfileClaimResolver('cn'),
    family_name: utils.getUserProfileClaimResolver('sn'),
    given_name: utils.getUserProfileClaimResolver('givenname'),
    zoneinfo: utils.getUserProfileClaimResolver('preferredtimezone'),
    locale: utils.getUserProfileClaimResolver('preferredlocale'),
    email: utils.getUserProfileClaimResolver('mail'),
    address: utils.getAddressClaimResolver(
        /**
         * The passed in user profile claim resolver function
         * can be used by the address claim resolver function
         * to obtain the claim value to be formatted as per the OIDC specification:
         * @see https://openid.net/specs/openid-connect-core-1_0.html#AddressClaim.
         */
        utils.getUserProfileClaimResolver('postaladdress')
    ),
    phone_number: utils.getUserProfileClaimResolver('telephonenumber')
});
```
I hope this helps!
Warm Regards,
Ed
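One way to write a claim resolver whose value comes from a REST lookup, shown as an added example that is not part of the thread or of ForgeRock's script. The names `makeRemoteClaimResolver`, `fetchJson`, `CBD_PATTERN`, the base URL and the `cbdNumber` response field are assumptions, and returning `null` is assumed to mean "omit the claim" to the calling script.

```javascript
// Added example, not ForgeRock's code. Hypothetical names: makeRemoteClaimResolver,
// fetchJson, CBD_PATTERN, the base URL and the "cbdNumber" response field.
var CBD_PATTERN = /^\d{3}-\d{2}$/; // assumed format, modelled on the "123-45" sample

// fetchJson(url) is a hypothetical wrapper around the script's HTTP client; it must
// return { status: Number, body: String } or throw. getUserId() returns the lookup key,
// for example a value read with identity.getAttribute(...) as in the script above.
function makeRemoteClaimResolver(fetchJson, baseUrl, getUserId) {
    return function (requestedClaim) {
        try {
            // Encode the key so profile data cannot change the request path or query.
            var res = fetchJson(baseUrl + '/' + encodeURIComponent(getUserId()));
            if (res.status !== 200) { return null; }
            var value = JSON.parse(res.body).cbdNumber;
            // The ID token is signed and relying parties trust it, so accept only
            // a string in the expected shape, never whatever the remote system sent.
            if (typeof value !== 'string' || !CBD_PATTERN.test(value)) { return null; }
            return value;
        } catch (e) {
            // Timeout, connection error or invalid JSON: omit the claim, do not fail open.
            return null;
        }
    };
}

// Constructed responses standing in for the remote system (no network access).
function runConstructedCases() {
    var seenUrls = [];
    var responses = {
        'alice': { status: 200, body: '{"cbdNumber":"123-45"}' },
        'bob': { status: 200, body: '{"cbdNumber":"123-45 extra"}' },
        'carol': { status: 500, body: 'upstream error' },
        'dave': { status: 200, body: '<html>not json</html>' }
    };
    function resolveFor(userId) {
        var fetchJson = function (url) {
            seenUrls.push(url);
            var r = responses[userId];
            if (!r) { throw new Error('connection refused'); }
            return r;
        };
        return makeRemoteClaimResolver(fetchJson, 'https://cbd.example.test/v1/users',
            function () { return userId; })(null);
    }
    var out = {};
    ['alice', 'bob', 'carol', 'dave', 'eve/../admin?x=1'].forEach(function (u) {
        out[u] = resolveFor(u);
    });
    out.lastUrl = seenUrls[seenUrls.length - 1];
    return out;
}
```

A resolver built this way would be registered as one more entry in the object passed to `utils.setClaimResolvers`, keyed by the claim name. Because the lookup runs while the token is being issued, the HTTP client behind `fetchJson` should use a short timeout.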
Thank you, Ed