Reputation: 385
I have an Authorization Server which is happily returning various ‘out of the box’ and custom claims as necessary which is great.
The back-end (DGraph GraphQL hosted server https://slash.dgraph.io/) requires a ‘namespace’ for the claims I want it to use but all of the claims in my token are at the root of the payload.
My example JWT payload from Okta is:
{
  "sub": "xxxxxxxxxxxxxxxxxxx",
  "ver": 1,
  "iss": "https://abc-1234567.okta.com/oauth2/default",
  "aud": "xxxxxxxxxxxxxxxxxxx",
  "iat": 1609590699,
  "exp": 1609594299,
  "jti": "ID.xxxxxxxxxxxxxxxxxxx",
  "amr": [
    "pwd"
  ],
  "idp": "xxxxxxxxxxxxxxxxxxx",
  "nonce": "nonce",
  "auth_time": 1000,
  "CustomClaim1": "xxxxxxxxxxxxxxxxxxx",
  "CustomClaim2": "xxxxxxxxxxxxxxxxxxx"
}
What DGraph wants is…
{
  "sub": "xxxxxxxxxxxxxxxxxxx",
  "ver": 1,
  "iss": "https://abc-1234567.okta.com/oauth2/default",
  "aud": "xxxxxxxxxxxxxxxxxxx",
  "iat": 1609590699,
  "exp": 1609594299,
  "jti": "ID.xxxxxxxxxxxxxxxxxxx",
  "amr": [
    "pwd"
  ],
  "idp": "xxxxxxxxxxxxxxxxxxx",
  "nonce": "nonce",
  "auth_time": 1000,
  "Namespace": {
    "CustomClaim1": "xxxxxxxxxxxxxxxxxxx",
    "CustomClaim2": "xxxxxxxxxxxxxxxxxxx"
  }
}
I just noticed whilst writing this that the address scope creates an output where there is effectively a namespace with claims, which is what I’m after:
"address": {
  "street_address": "My House",
  "locality": "My Town",
  "region": "My County",
  "postal_code": "My Postcode"
}
How does one achieve that?!?!
Upvotes: 0
Views: 233
Reputation: 586
You'll need to create your namespace as one claim within the authorization server, then add each of the claims within the namespace inside of that claim's value inside of {} as if you were writing JSON.
Value for copy paste simplicity: {"one":"one", "two":"two", "username": appuser.userName}
The expression language will still be evaluated so you can use conditionals and values from the user's profile as you would normally.
Upvotes: 2
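After changing the claim as described in the answer above, the shape of a freshly issued token can be checked before pointing the back-end at it. This is an added example, not code from the original posts or from Okta or Dgraph; the function names, the constructed sample tokens and the idea that a misconfigured claim may arrive as a string are assumptions. It decodes the payload only and does not verify the signature, so it is a shape check, not token validation.

```python
import base64
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_payload(token: str) -> dict:
    """Decode the payload segment only; the signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    seg = parts[1]
    seg += "=" * (-len(seg) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))


def check_namespace(payload: dict, namespace: str, required: set) -> list:
    """Return a list of problems; an empty list means the shape is as expected."""
    value = payload.get(namespace)
    if value is None:
        return [f"claim {namespace!r} is missing"]
    if isinstance(value, str):  # assumed failure mode: value emitted as text
        return [f"claim {namespace!r} is a string, not a JSON object"]
    if not isinstance(value, dict):
        return [f"claim {namespace!r} has type {type(value).__name__}"]
    problems = []
    missing = required - set(value)
    if missing:
        problems.append(f"missing inside {namespace!r}: {sorted(missing)}")
    stray = required & set(payload)
    if stray:
        problems.append(f"still at the root: {sorted(stray)}")
    return problems


def make_token(payload: dict) -> str:
    # Constructed sample token with a dummy signature, for the shape check only.
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(payload).encode())}.sig"


REQUIRED = {"CustomClaim1", "CustomClaim2"}
FLAT = make_token({"sub": "x", "CustomClaim1": "a", "CustomClaim2": "b"})
NESTED = make_token({"sub": "x", "Namespace": {"CustomClaim1": "a", "CustomClaim2": "b"}})

if __name__ == "__main__":
    for name, tok in (("flat", FLAT), ("nested", NESTED)):
        print(name, check_namespace(decode_payload(tok), "Namespace", REQUIRED) or "ok")
```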