This RFE is similar to OPENAM-8440, but is not limited to stateless tokens.
The current OAuth2 access_token is not pluggable.
For example a user makes a request:
OpenAM allows users to return additional data via the Scope Validator plugin class (i.e. the additionalDataToReturnFromTokenEndpoint() method). However, this is a one-time operation and the data is not persisted in the CTS store.
It would be nice if there were a way to add custom fields to tokens so that they are persisted in the CTS store. Or, if it's a stateless token, it would be nice if OpenAM offered the ability to leverage a JWT format, with an additional scriptable component to control attributes within the JWT, similar to the scriptable OIDC id_token.
- We have a new script type of "Access Token modification"
- On a Provider level I can specify an Access Token modification script
- The modification script can override existing Access Token attributes (modification = add, modify, delete)
- Script needs access to same context as the OIDC Claims script
- Introspect endpoint is able to return modified attributes
- Works for Stateful and Stateless tokens
- Script should use CHF client (not Restlet)
- The Access Token hash in idtokens (when provided) should be correctly calculated.
- We need a default script as an example of how Access Tokens can be modified.
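
The at_hash criterion above, as an added example (not OpenAM code and not part of the original ticket): per OpenID Connect Core, at_hash is the base64url-encoded left half of the hash of the access token value, so for a stateless token it has to be computed over the token as issued after modification. The HS256 token, the key, the claims and the `modifyClaims` step are constructed stand-ins.

```javascript
const crypto = require('crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');

// at_hash (OIDC Core 3.1.3.6): hash the access_token value with the hash of
// the id_token's JWS alg, keep the left-most half, base64url-encode it.
function atHash(accessToken, idTokenAlg) {
  const m = /^(?:HS|RS|ES|PS)(256|384|512)$/.exec(idTokenAlg);
  if (!m) throw new Error('unsupported id_token alg: ' + idTokenAlg);
  const digest = crypto.createHash('sha' + m[1]).update(accessToken, 'ascii').digest();
  return b64url(digest.subarray(0, digest.length / 2));
}

// Constructed stand-in for a stateless access token: an HS256-signed JWT.
function signJwt(claims, key) {
  const input = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' })) +
    '.' + b64url(JSON.stringify(claims));
  return input + '.' + b64url(crypto.createHmac('sha256', key).update(input).digest());
}

// Hypothetical modification step covering add, modify and delete.
function modifyClaims(claims) {
  const out = { ...claims, department: 'engineering' }; // add
  out.scope = 'openid profile';                          // modify
  delete out.realm;                                      // delete
  return out;
}

// Relying-party check: recompute at_hash from the token actually received.
function atHashMatches(accessToken, idTokenAlg, claimed) {
  const expected = Buffer.from(atHash(accessToken, idTokenAlg));
  const got = Buffer.from(String(claimed));
  return expected.length === got.length && crypto.timingSafeEqual(expected, got);
}

const KEY = 'constructed-demo-key';   // constructed, not a real secret
const original = { sub: 'demo', scope: 'openid', realm: '/', exp: 1700000000 };
const tokenBefore = signJwt(original, KEY);               // before modification
const tokenIssued = signJwt(modifyClaims(original), KEY); // what the client receives

// Correct: hash the issued token. Wrong: hash the pre-modification token.
console.log('at_hash over issued token verifies:',
  atHashMatches(tokenIssued, 'RS256', atHash(tokenIssued, 'RS256')));
console.log('at_hash over pre-modification token verifies:',
  atHashMatches(tokenIssued, 'RS256', atHash(tokenBefore, 'RS256')));
```
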