Reputation: 397
I am interested in adding a custom claim to my JWT access token (not my id token) issued by my WSO2 identity server. I am following the OpenID Connect implicit flow with WSO2.
I attempted to add a custom claim by going to my WSO2 IS console and navigating to Claims -> Add -> Add Local Claim. Then I mapped the claim to an attribute in a connected OpenLDAP instance.
The image above is just an example, the actual claim I'm using maps to an attribute in my OpenLDAP instance that is acting as a secondary user store.
Then I tried to add the claim in my service provider under Service Providers -> List -> Claim Configuration.
However, I'm not seeing that custom claim in my access token granted by my WSO2 Identity Server.
The call to my WSO2 identity server looks like this:
https://localhost:9443/oauth2/authorize?client_id=MY_CLIENT_ID&redirect_uri=MY_REDIRECT_URI&scope=openid&response_type=token&response_mode=query&nonce=MY_NONCE
After entering the proper credentials, I do not see my custom claim in the token.
Example token payload:
{
  "sub": "SUB_REMOVED",
  "aud": "AUD_REMOVED",
  "nbf": 1544053330,
  "azp": "AZP_REMOVED",
  "scope": "openid",
  "iss": "https://localhost:9443/oauth2/token",
  "groups": [
    "TEST LDAP 3/admin",
    "Internal/everyone"
  ],
  "exp": 1544056930,
  "iat": 1544053330,
  "jti": "JTI_REMOVED"
}
Am I missing a step? Thank you!
Upvotes: 0
Views: 1862
Reputation: 1361
As you are using OIDC, WSO2 IS will send the claims mapped in the http://wso2.org/oidc/claim dialect.
So you need to create a claim in the above dialect, mapped to the newly created local claim.
Then you need to add the newly created claim to the allowed claims list of a scope you are requesting. For this, go to Manage -> OIDC Scopes -> List and click on the Add Claims action of the openid scope (or any other scope you are using). Now add the newly created openid claim, click Add and then Finish.
Now try the login flow with a new user.
Upvotes: 7
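After working through the dialect mapping and scope steps above, the quickest way to confirm the result is to take the access token off the redirect URI and inspect its payload. The script below is an added example, not code from the question, the answer or WSO2; it assumes a hypothetical custom claim named "department" (the question does not name the real LDAP-backed claim) and uses constructed tokens with a dummy signature segment. It pulls access_token from either the query string (response_mode=query, as in the question's authorize request) or the fragment (the implicit-flow default), base64url-decodes the header and payload, and reports which of the claims you expect are still missing. The decode is deliberately signature-free because its purpose is to see what the IS actually put in the token; before a resource server trusts any of these claims it must verify the RS256 signature against the IS JWKS (typically https://localhost:9443/oauth2/jwks on a default install).

```python
from __future__ import annotations

import base64
import json
from urllib.parse import parse_qs, urlsplit

# Assumed name of the custom OIDC claim; the original question does not give it.
CUSTOM_CLAIM = "department"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def token_from_redirect(url: str) -> str:
    """Extract access_token from a redirect URI.

    With response_mode=query (the question's request) the token is in the query
    string; the implicit-flow default puts it in the fragment, so check both.
    """
    parts = urlsplit(url)
    for raw in (parts.query, parts.fragment):
        params = parse_qs(raw)
        if "access_token" in params:
            return params["access_token"][0]
    raise ValueError("no access_token in redirect URL")


def decode_jwt_unverified(token: str) -> tuple[dict, dict]:
    """Split a compact JWS and decode header and payload WITHOUT verifying it.

    Suitable only for checking which claims the IS emitted. Never make an
    authorization decision on these values without verifying the signature
    against the IS JWKS endpoint first.
    """
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("expected a three-segment compact JWS")
    header = json.loads(_b64url_decode(segments[0]))
    payload = json.loads(_b64url_decode(segments[1]))
    return header, payload


def missing_claims(payload: dict, required: list[str]) -> list[str]:
    """Return the expected claim names that are absent from the payload."""
    return [claim for claim in required if claim not in payload]


def check_token(url: str, required: list[str]) -> dict:
    """Summarise the token on a redirect URL: algorithm, scope, missing claims."""
    header, payload = decode_jwt_unverified(token_from_redirect(url))
    return {
        "alg": header.get("alg"),
        "scope": payload.get("scope"),
        "missing": missing_claims(payload, required),
    }


# ---- Constructed sample data (not issued by any WSO2 IS instance) ----------
def _make_token(payload: dict) -> str:
    """Build a compact JWS with a dummy signature, for offline testing only."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "example-kid"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        _b64url_encode(b"dummy-signature"),
    ])


BASE_CLAIMS = {
    "sub": "alice", "aud": "MY_CLIENT_ID", "azp": "MY_CLIENT_ID",
    "iss": "https://localhost:9443/oauth2/token", "scope": "openid",
    "groups": ["TEST LDAP 3/admin", "Internal/everyone"],
    "nbf": 1544053330, "iat": 1544053330, "exp": 1544056930, "jti": "x",
}
# Token as in the question (custom claim absent) and after the OIDC dialect
# mapping plus scope assignment described in the answer (custom claim present).
TOKEN_BEFORE = _make_token(BASE_CLAIMS)
TOKEN_AFTER = _make_token({**BASE_CLAIMS, CUSTOM_CLAIM: "engineering"})
REDIRECT_BEFORE = f"https://app.example/cb?access_token={TOKEN_BEFORE}&token_type=Bearer"
REDIRECT_AFTER = f"https://app.example/cb#access_token={TOKEN_AFTER}&token_type=Bearer"

if __name__ == "__main__":
    print("before:", check_token(REDIRECT_BEFORE, ["sub", CUSTOM_CLAIM]))
    print("after: ", check_token(REDIRECT_AFTER, ["sub", CUSTOM_CLAIM]))
```

Run it against a real redirect by pasting the browser's final URL into check_token together with the list of claims you added to the scope; an empty "missing" list means the dialect mapping and the scope assignment both took effect for that user.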