  1. OpenAM
  2. OPENAM-11445

Request to Customize OAuth2 Access Token Content



    • Customizable Access Token


      This RFE is similar to OPENAM-8440, but is not limited to stateless tokens.

      The current OAuth2 access_token is not pluggable.
      For example, a user makes a request:

      POST /token HTTP/1.1
      Host: server.example.com
      Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
      Content-Type: application/x-www-form-urlencoded

      OpenAM allows users to return additional data via the Scope Validator plugin class (i.e. the additionalDataToReturnFromTokenEndpoint() method). However, this is a one-time operation and is not persisted in the CTS store.

      It would be nice if there were a way to add custom fields to tokens so that they are persisted in the CTS store. Or, for a stateless token, it would be nice if OpenAM offered the ability to leverage a JWT format, with an additional scriptable component to control attributes within the JWT, similar to the scriptable OIDC id_token.

      Acceptance Criteria

      • We have a new script type of "Access Token modification"
      • On a Provider level I can specify an Access Token modification script
      • The modification script can override existing Access Token attributes (modification = add, modify, delete)
      • Script needs access to same context as the OIDC Claims script
      • Introspect endpoint is able to return modified attributes
      • Works for Stateful and Stateless tokens
      • Script should use CHF client (not Restlet)
      • The Access Token hash in idtokens (when provided) should be correctly calculated.
      • We need a default script as an example of how Access Tokens can be modified.
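
      The at_hash criterion above, as an added example (not OpenAM code and not part of this issue): for a stateless token, modifying claims changes the serialized JWT, so the hash must be taken over the token as finally issued. The at_hash rule is the one from OpenID Connect Core; `modify`, `signJwt`, `issue`, `clientAccepts`, `KEY` and `CLAIMS` are hypothetical names with constructed sample data.

```javascript
const crypto = require('node:crypto');

const b64url = (buf) =>
  buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// at_hash per OpenID Connect Core: hash the ASCII octets of the access_token
// with the hash named by the ID token's alg, keep the left-most half, base64url it.
// Assumes an alg ending in 256, 384 or 512 (HS256, RS256, ES384, ...).
function atHash(accessToken, alg = 'HS256') {
  const digest = crypto.createHash('sha' + alg.slice(-3)).update(accessToken, 'ascii').digest();
  return b64url(digest.subarray(0, digest.length / 2));
}

// Constructed signer for a stateless (JWT) access token; the key is sample data.
const KEY = 'constructed-demo-key';
function signJwt(claims) {
  const head = b64url(Buffer.from(JSON.stringify({ alg: 'HS256', typ: 'JWT' })));
  const body = b64url(Buffer.from(JSON.stringify(claims)));
  const sig = b64url(crypto.createHmac('sha256', KEY).update(`${head}.${body}`).digest());
  return `${head}.${body}.${sig}`;
}

// Hypothetical stand-in for a modification script: add, modify, delete.
function modify(claims) {
  const out = { ...claims, tenant: 'acme' }; // add
  out.scope = 'profile';                     // modify
  delete out.internal;                       // delete
  return out;
}

// hashBeforeModification=true reproduces the ordering bug the criterion guards against.
function issue(claims, hashBeforeModification) {
  const unmodified = signJwt(claims);
  const accessToken = signJwt(modify(claims));
  return { accessToken, at_hash: atHash(hashBeforeModification ? unmodified : accessToken) };
}

// Relying-party check: recompute at_hash from the token actually received.
function clientAccepts({ accessToken, at_hash }) {
  const expected = Buffer.from(atHash(accessToken));
  const got = Buffer.from(at_hash);
  return got.length === expected.length && crypto.timingSafeEqual(got, expected);
}

const CLAIMS = { sub: 'demo', scope: 'profile email', internal: 'x' }; // constructed
```

      A relying party that validates at_hash rejects the token pair when the hash was taken before modification, which is why the ordering matters for interoperability as well as integrity.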


              peter.major Peter Major [X] (Inactive)
              sachiko Sachiko Wallace