Configuring claims for ID tokens and access tokens

Authorization Control Plane (ACP) lets you define the claims that are included in the tokens issued by your authorization server. A claim's value can come either from the authentication context mapped from the identity provider (IDP) or from the attributes of the registered OAuth client application (including its application metadata).

About claims

Conceptually, a claim is a piece of information asserted about a subject (such as a user). In practice, claims are attributes carrying data about the user, packaged in a token issued to the client application: an ID token, whose claims are consumed by the client itself, or an access token, whose claims are consumed by the resource server that receives it. You control which claims are issued, and you group them into scopes so that a claim is released only when the corresponding scope is requested and granted.

Prerequisites

Add a claim

The example that follows adds a claim based on authentication context data. The claim represents the user's country, as provided by the IDP in use (hence the AuthN Context source type). For the source path, we select Country, which comes from the IDP authentication context attribute mapping. Finally, the claim is grouped within the broader address scope, so it is released only to clients that request and are granted that scope.

  1. From the workspace sidebar, select Settings > Claims.

    Result

    Predefined claims are displayed.

  2. Select a list label (ID Tokens or Access Tokens) to switch the list between the claims configured for ID tokens and the claims configured for access tokens.

  3. To preview claim details, select a claim from the list.

    Result

    The Edit claim dialog box opens and displays claim details: Claim name, Source type, Source path and Scopes.

    Note

    In the Edit claim dialog box, you can also edit the claim details. The values offered for Source path come from the authentication context (for AuthN Context claims) or from the attributes of the registered client application (for Client claims).

  4. To create a new claim:

    1. Select ADD CLAIM from the list header.

      Result

      The Add claim dialog box gets displayed.

    2. In the Add claim dialog box, set the claim details: Claim name, Source type, Source path, Output source path, and Scopes.

      Parameter            Description
      Claim name           Name of the claim as it appears in ACP.
      Source type          Where the claim value is read from. AuthN Context reads an attribute from the authentication context, that is, the set of attributes mapped from the data the IDP sent about the user. Client reads an attribute (including application metadata) of the client application registered in ACP that requested the token.
      Source path          The attribute in the selected source whose value becomes the claim value.
      Output source path   The attribute name under which the claim is written into the token.
      Scopes               The claim is added to the token only when at least one of the scopes listed here has been granted to the client. If this field is empty, the claim is global: it is added to every token of that type, for every client, regardless of which scopes were requested. Keep sensitive attributes scoped, so that they are released only to clients that ask for, and are allowed, the corresponding scope.
    3. Select Add to save your new claim. Your claim is now added to the list.
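The difference between a scoped claim and a global one is the part of this configuration that most often goes wrong in review, because an empty Scopes field releases the attribute to every client. The following Python model is an added illustration and not ACP's own code: it applies the rules described for the claim parameters above to a set of constructed claim definitions, a constructed authentication context and a constructed client record, so you can see which attributes a given scope grant releases. The source type identifiers (`authn_context`, `client`) and the dataclass field names are assumptions made for the example.

```python
"""Model of how scoped and global claims end up in a token.

Added illustration, not ACP's implementation: it mimics the rules described
for the claim parameters (Source type, Source path, Output source path,
Scopes). The source type identifiers and all sample data are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class ClaimDefinition:
    name: str                 # claim name as shown in ACP (a label only)
    source_type: str          # "authn_context" or "client" (identifiers assumed here)
    source_path: str          # attribute to read from the chosen source
    output_path: str          # attribute name written into the token
    scopes: set[str] = field(default_factory=set)  # empty set = global claim


def build_token_claims(definitions, granted_scopes, authn_context, client):
    """Return the claims a token issued with `granted_scopes` would carry.

    Rules modelled from the page: a claim with no scopes is always issued;
    a scoped claim is issued only if at least one of its scopes was granted;
    a claim whose source attribute is absent is left out of the token.
    """
    sources = {"authn_context": authn_context, "client": client}
    granted = set(granted_scopes)
    claims = {}
    for d in definitions:
        if d.scopes and not (d.scopes & granted):
            continue  # scoped claim, none of its scopes were granted
        source = sources.get(d.source_type)
        if source is None:
            raise ValueError(f"unknown source type {d.source_type!r}")
        if d.source_path not in source:
            continue  # attribute not available in the source; omit the claim
        claims[d.output_path] = source[d.source_path]
    return claims


def unscoped_claims(definitions):
    """Names of global claims: released to every client, so review them first."""
    return [d.name for d in definitions if not d.scopes]


# Constructed sample configuration: the "country" claim from the page plus
# a scoped email claim, a global client-sourced tenant claim and a global
# claim whose source attribute the IDP did not supply.
SAMPLE_DEFINITIONS = [
    ClaimDefinition("country", "authn_context", "Country", "country", {"address"}),
    ClaimDefinition("email", "authn_context", "email", "email", {"email"}),
    ClaimDefinition("tenant", "client", "tenant_id", "tenant"),
    ClaimDefinition("employee_id", "authn_context", "employee_id", "emp_id"),
]

# Constructed authentication context (no employee_id mapped) and client record.
SAMPLE_AUTHN_CONTEXT = {"Country": "PL", "email": "alice@example.com"}
SAMPLE_CLIENT = {"client_id": "app-1", "tenant_id": "acme"}


if __name__ == "__main__":
    print("openid address:", build_token_claims(
        SAMPLE_DEFINITIONS, ["openid", "address"], SAMPLE_AUTHN_CONTEXT, SAMPLE_CLIENT))
    print("openid only:   ", build_token_claims(
        SAMPLE_DEFINITIONS, ["openid"], SAMPLE_AUTHN_CONTEXT, SAMPLE_CLIENT))
    print("global claims: ", unscoped_claims(SAMPLE_DEFINITIONS))
```

With the address scope granted the token carries `country` and the global `tenant` claim; `email` is withheld because its scope was not granted, and `emp_id` is withheld because the IDP mapping never supplied it. `unscoped_claims` is the review check: anything it lists reaches every client of that token type.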

Edit a claim

  1. Select an existing claim from the list of claims in the Claims view.

  2. In the Edit claim dialog box, modify the claim details and select Update to save your changes.

Remove a claim

  1. To remove a claim, select the trash can icon for the claim that you want to delete.

  2. In the Delete claim dialog box, select Yes, delete to confirm the removal. Tokens issued after the deletion no longer carry this claim, so check that no client or resource server still depends on it before confirming.

    Warning

    This action is permanent and cannot be undone.