Based on the user’s requirement he may need to customize the ID token. Once you decode the default ID token, it looks like as follows. What we are going to do is add new key value pairs to thefollowing using claims.
{
"exp": -677328449,
"azp": "asdbUY31SEQtDpCi7aCsZSj96P0a",
"sub": "admin@carbon.super",
"aud": "asdbUY31SEQtDpCi7aCsZSj96P0a",
"iss": "https:\/\/localhost:9443\/oauth2endpoints\/token",
"iat": -680928449
}
You can find an article in [1] which explains how to retrieve the ID Token and decode it to get the encoded information.
Note: This customization source code is only applicable for WSO2 IS 5.0.0. There are library changes in WSO2 IS 5.1.0.
1. First we have to write a custom handler which implements CustomClaimsCallbackHandler. SAMLAssertionClaimsCallback [2] is used as the default custom handler.
2. I have written a sample [3] which embeds the claims to the ID Token.
public void handleCustomClaims(IDTokenBuilder builder, OAuthTokenReqMessageContext requestMsgCtx) { String userName = requestMsgCtx.getAuthorizedUser(); String tenantDomain = MultitenantUtils.getTenantDomain(userName); userName = MultitenantUtils.getTenantAwareUsername(userName); RealmService realmService = OAuthComponentServiceHolder.getRealmService(); UserStoreManager userStoreManager = null; String emailClaim = "http://wso2.org/claims/emailaddress"; String roleClaim = "http://wso2.org/claims/role"; String role = null; String email = null; try { int tenantId = realmService.getTenantManager().getTenantId(tenantDomain); userStoreManager = realmService.getTenantUserRealm(tenantId).getUserStoreManager(); // Get relevant values for the claim email = userStoreManager.getUserClaimValue(userName, emailClaim, null); role = userStoreManager.getUserClaimValue(userName, roleClaim, null); } catch (UserStoreException e) { log.error(e); } log.info("Email - " + email); log.info("Username - " + userName); log.info("Tenant Domain - " + tenantDomain); log.info("Role - "+role); // Add claims to the ID token builder.setClaim(emailClaim, email); builder.setClaim(roleClaim, role); }
3. Create the jar file of the custom handler by using “mvn clean install” command.
4. Copy the jar file to <WSO2_IS_HOME>/repository/components/lib directory.
5. Modify the <WSO2_IS_HOME>/repository/conf/identity.xml as follows.
Modify the “IDTokenCustomClaimsCallBackHandler” in “OpenIDConnect” with the fully qualified class name of the custom handler.
<IDTokenCustomClaimsCallBackHandler>org.wso2.carbon.identity.openidconnect.SAMLAssertionClaimsCallback</IDTokenCustomClaimsCallBackHandler>
6. Start the WSO2 IS Server.
7. Follow [1] and get the ID Token. Once you decode the ID Token you can get the output as follows.
{
"exp": -576469630,
"azp": "cXBqu0nmkTZnutzfA08AiwcPi20a",
"sub": "admin@carbon.super",
"aud": "cXBqu0nmkTZnutzfA08AiwcPi20a",
"iss": "https:\/\/localhost:9443\/oauth2endpoints\/token",
"http:\/\/wso2.org\/claims\/role": "admin,Internal\/test for testIS,Internal\/default,Internal\/defaultfortest,Internal\/everyone",
"http:\/\/wso2.org\/claims\/emailaddress": "admin@wso2.com",
"iat": -580069630
}
[1] – http://reddragonspace.blogspot.com/2016/04/id-token-in-openid-in-wso2-identity.html
Pubci World 