[OPENAM-7878] Add functionality to modify the sub at the module level to override the clientID setting Created: 16/Dec/15  Updated: 03/Oct/19  Resolved: 02/Feb/18

Status: Resolved
Project: OpenAM
Component/s: oauth2
Affects Version/s: 12.0.1, 12.0.2, 13.0.0, 13.5.0
Fix Version/s: 6.0.0

Type: Improvement Priority: Major
Reporter: Sam Fraser Assignee: Quentin CASTEL [X] (Inactive)
Resolution: Fixed Votes: 2
Labels: EDISON, Should-Fix, documentation
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
relates to OPENAM-12314 WIndowsSSO / Kerberos module does hav... Open
is related to OPENAM-12135 OIDC token generated with datastore m... Resolved
is related to OPENAM-15514 Add functionality to modify the sub a... Open
Target Version/s:
Sprint: AM Sustaining Sprint 47
Story Points: 2
Support Ticket IDs:


Provide a way to change which attribute is mapped to the sub in the id_token.

The use case is where users are allowed to change their userId (cn) and an internal GUID is used to identify a user. The customer would like to be able to configure the sub at the module level and be able to override the general settings at the clientId level.

Comment by Quentin CASTEL [X] (Inactive) [ 02/Feb/18 ]

For the documentation team:

The OIDC claims script is now able to override the "sub" claim in the ID Token JWT. Examples of usage:

  • Lower/upper-case the user ID, for consistency reasons
  • Load a different user attribute for the ID token, like the email address
  • Compute the "sub" as a combination of attributes
  • Insert a completely different value, like for Open Banking, by inserting the intent ID instead

Comment by Quentin CASTEL [X] (Inactive) [ 19/Jun/18 ]

Note that it was possible to override the sub if you enabled the option "providerSettings.isAlwaysAddClaimsToToken()".
Therefore, this Jira makes the sub overridable even if this option is not enabled.

As a reminder, the claims are separated into two categories: the ones for the ID token and the ones for the userinfo endpoint (see the standard).
The option "providerSettings.isAlwaysAddClaimsToToken()" will therefore put all the userinfo claims into the ID token anyway, even if the client didn't ask for them.
As you may not want to do this just to override the sub claim, this Jira now offers you the possibility to still override it, without pushing all the userinfo claims into the ID token.

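Added example (editor's note, not code from OpenAM, ForgeRock or the commenters): a small Python model of the two behaviours the comments above describe. It covers the usage list in the first comment (sub taken from an immutable GUID rather than the default cn mapping) and the distinction in the second comment between the legacy path, where a script-supplied "sub" only reached the ID token as a side effect of copying every userinfo claim into it, and the new path, where "sub" alone is honoured. The user records, the claims-script hook signature (guid, claims) -> claims, the provider flags modelled as function parameters, and the HS256-signed JWT are all assumptions made for the example; a real AM deployment signs ID tokens with its configured key and runs a Groovy script with its own bindings. The example also shows why the issue's use case matters for security: under a cn-based sub, a user who renames themselves and a newcomer who later takes the old cn collide on the same sub at the relying party, so the newcomer inherits the first user's account there. OIDC requires sub to be locally unique and never reassigned, which the GUID mapping gives and the cn mapping does not.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample data: an OP issuer, one relying party and an HMAC key.
# None of this is OpenAM configuration; it exists only so the example runs offline.
ISSUER = "https://op.example.com/oauth2"
CLIENT_ID = "rp-client"
SIGNING_KEY = b"constructed-hs256-key-for-this-example-only"

# Constructed user store keyed by an immutable internal guid; cn is user-editable.
USERS = {
    "8f1c2a": {"cn": "jdoe",   "mail": "jdoe@example.com",   "given_name": "Jane"},
    "c07d44": {"cn": "asmith", "mail": "asmith@example.com", "given_name": "Ann"},
}

# Claims released per scope, as claim_name -> user attribute (simplified).
SCOPE_CLAIMS = {
    "profile": {"given_name": "given_name"},
    "email":   {"email": "mail"},
}


def userinfo_claims(guid, scopes):
    """Claims the userinfo endpoint would return for the granted scopes."""
    user = USERS[guid]
    return {claim: user[attr]
            for scope in scopes
            for claim, attr in SCOPE_CLAIMS.get(scope, {}).items()}


def stable_sub_script(guid, claims):
    """Hypothetical claims-script hook: keeps the computed userinfo claims and
    asks for sub to be the immutable guid instead of the default cn mapping."""
    return {**claims, "sub": guid}


def issue_id_token(guid, scopes, claims_script, always_add_claims_to_token, sub_overridable):
    """Compute the ID token payload.

    always_add_claims_to_token models providerSettings.isAlwaysAddClaimsToToken():
    every userinfo claim is copied into the ID token whether or not the client
    asked for it. sub_overridable models the behaviour this issue adds: a "sub"
    returned by the script is honoured on its own, without that copy.
    """
    claims = claims_script(guid, userinfo_claims(guid, scopes))
    sub = USERS[guid]["cn"]                      # default mapping: sub = cn
    if sub_overridable:
        sub = claims.pop("sub", sub)             # honour the script's sub by itself
    now = int(time.time())
    payload = {"iss": ISSUER, "aud": CLIENT_ID, "sub": sub, "iat": now, "exp": now + 600}
    if always_add_claims_to_token:
        payload.update(claims)                   # legacy path: sub overridden only as a side effect
    return payload


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_jwt(payload, key=SIGNING_KEY):
    """Serialise the payload as an HS256-signed JWT (compact serialisation)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def decode_jwt(token, key=SIGNING_KEY, audience=CLIENT_ID):
    """Relying-party side: verify signature, issuer, audience and expiry."""
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("ID token signature mismatch")
    payload = json.loads(_b64url_decode(body))
    if payload.get("iss") != ISSUER or payload.get("aud") != audience:
        raise ValueError("ID token issuer/audience mismatch")
    if payload.get("exp", 0) <= time.time():
        raise ValueError("ID token expired")
    return payload


def rename_user(guid, new_cn):
    """The self-service rename from the issue: cn changes, guid does not."""
    USERS[guid]["cn"] = new_cn


def add_user(guid, cn, mail, given_name):
    """A later signup that reuses a cn somebody else has given up."""
    USERS[guid] = {"cn": cn, "mail": mail, "given_name": given_name}
```

Calling issue_id_token with sub_overridable=False and always_add_claims_to_token=True reproduces the pre-fix workaround: the script's "sub" wins, but so does every other userinfo claim, so a client that asked only for openid still receives the email address in its ID token. With sub_overridable=True and the flag off, only "sub" changes. Running rename_user followed by add_user with the freed cn shows the collision that the GUID mapping avoids.
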
Generated at Fri Sep 25 23:24:22 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.