OpenID Connect introspect, ID token, and user info mapping

The OAuth and OpenID Connect flows in IBM® Security Verify create an authorization grant. The grant holds the attributes and values that are included in the introspection response, in the ID token, and in the userinfo response.

Typically, these attributes are added to the grant because they match one of the following criteria:
  • Are default attributes like preferred_username.
  • Are computed from the authorization request by using scope and claims.
  • Are based on attribute and request mappings.
Attribute mapping has the extra benefit that the name of an attribute in the grant can be mapped to a name that the relying party can consume.

Procedure

You can choose between ID token and user info mapping and Introspect mapping; the procedure for both is the same. Attributes that are defined in the ID token and user info mapping are added to the ID token that is issued and to the userinfo API response. Attributes that are defined in the Introspect mapping are added to the introspection response.

Note: The attribute values are computed at the request endpoint that corresponds to the grant type. For example, in an authorization code flow, the values are derived at the /authorize request. A change to the user's attributes that occurs after that request is not reflected in the tokens until the next login, or until a refresh token flow for the attributes that have Update on refresh selected (step 7).
  1. Under Endpoint Configuration, click the Edit icon for Introspect or ID token and user info.
  2. For ID token and user info, select the Send all known user attributes in the ID token checkbox to include built-in standard attributes and extended attributes in the ID token. Extended attributes are extra attributes that come from a SAML Enterprise identity provider.
  3. Click Add attribute.
  4. Choose the Verify attribute from the menu. Rather than choosing a specific attribute, you can write a custom rule to compute the attribute value by choosing "Custom rule" in the Verify attribute menu. For more information about attributes, see Managing attributes.
  5. Optionally, choose a simple transformation.
  6. Specify the name of the target attribute that the relying party requires. For example, Verify uses given_name for the user's given name. If the relying party requires this attribute to be included in the ID token as firstName, use firstName as the name of the target attribute. The following attributes cannot be overwritten: aud, exp, groupIds, groupUids, at_hash, c_hash, rt_hash, s_hash, iat, iss, nonce, sub, client_id, grant_id, grant_type, and scope. Most of these are the claims that a relying party uses to validate the token and bind it to its own request (iss, aud, exp, iat, nonce, and the *_hash claims), so a mapping cannot weaken them.
    Note: sub is the one exception. It can be mapped only in the ID token and user info attribute map, and when it is mapped the new value applies to the introspection response, the JWT access token, the ID token, and the userinfo response.
  7. Select the Update on refresh checkbox to update this attribute during a refresh token flow.
    Note: During a refresh token flow the login session attributes are not available; the value is recomputed only from the custom attribute rule or from the user attribute values in Cloud Directory.
  8. After all attribute mappings are added, click OK. The changes are not saved until you save the application.
  9. Click Save on the application to save the changes.
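The following model, added here as an illustration and not code from IBM Security Verify, shows the effect of the rules in the procedure above: a mapping renames a grant attribute for the relying party, a target in the reserved list is rejected (with sub allowed only in the ID token and user info map), and an attribute with Update on refresh is recomputed during a refresh token flow without any login session attributes. The data model, the function and parameter names, the session dictionary and the transformation names are assumptions made for the example; the sample user and session data are constructed.

```python
"""Model of how an attribute map turns the attributes held in a grant into claims.

Added example, not IBM Security Verify code. The data model, function names,
the 'session' argument and the transformation names are assumptions made for
illustration; the rules enforced (reserved claim names, where 'sub' may be
mapped, and how "Update on refresh" behaves) are the ones stated above.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Target names the procedure says a mapping cannot overwrite.
RESERVED = frozenset({
    "aud", "exp", "groupIds", "groupUids", "at_hash", "c_hash", "rt_hash",
    "s_hash", "iat", "iss", "nonce", "sub", "client_id", "grant_id",
    "grant_type", "scope",
})

# Assumed stand-ins for the console's "simple transformation" menu.
TRANSFORMS: Dict[str, Callable[[str], str]] = {
    "none": lambda v: v,
    "lowercase": lambda v: v.lower(),
    "uppercase": lambda v: v.upper(),
}

# A custom rule sees the user's directory attributes and, at login only, the
# login session attributes; during a refresh token flow the session is empty.
Rule = Callable[[Dict[str, str], Dict[str, str]], str]


@dataclass
class Mapping:
    target: str                   # claim name the relying party expects
    source: Optional[str] = None  # Verify attribute name ...
    rule: Optional[Rule] = None   # ... or a custom rule computing the value
    transform: str = "none"
    update_on_refresh: bool = False


def validate_mappings(mappings: List[Mapping], map_kind: str) -> None:
    """Reject targets that cannot be overwritten. map_kind is
    "id_token_userinfo" or "introspect"; 'sub' is the one reserved name that
    may be mapped, and only in the ID token and user info map."""
    if map_kind not in ("id_token_userinfo", "introspect"):
        raise ValueError(f"unknown map kind {map_kind!r}")
    for m in mappings:
        if (m.source is None) == (m.rule is None):
            raise ValueError(f"{m.target!r}: give exactly one of source or rule")
        if m.target == "sub" and map_kind == "id_token_userinfo":
            continue
        if m.target in RESERVED:
            raise ValueError(f"target {m.target!r} cannot be overwritten")


def build_claims(user_attrs: Dict[str, str], session: Dict[str, str],
                 mappings: List[Mapping], *, map_kind: str,
                 refresh: bool = False,
                 previous: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Compute the mapped claims for one issuance. At login every mapping is
    evaluated with the session available. On refresh only mappings with
    update_on_refresh are recomputed, from directory attributes alone; the
    others keep the value computed at login, supplied in `previous`."""
    validate_mappings(mappings, map_kind)
    previous = previous or {}
    claims: Dict[str, str] = {}
    for m in mappings:
        if refresh and not m.update_on_refresh:
            if m.target in previous:
                claims[m.target] = previous[m.target]
            continue
        visible_session = {} if refresh else session
        if m.rule is not None:
            value = m.rule(user_attrs, visible_session)
        else:
            value = user_attrs.get(m.source)
        if value is None:
            continue  # attribute absent for this user: claim is not emitted
        claims[m.target] = TRANSFORMS[m.transform](value)
    return claims


def demo():
    """Constructed sample: a login, then a refresh after a directory change."""
    user = {"given_name": "Ada", "email": "Ada@Example.org"}
    session = {"authn_method": "mfa"}

    def method(u, s):
        return s.get("authn_method", "unknown")

    maps = [
        Mapping(target="firstName", source="given_name"),
        Mapping(target="email", source="email", transform="lowercase",
                update_on_refresh=True),
        Mapping(target="login_method", rule=method),       # frozen at login
        Mapping(target="login_method_live", rule=method,   # recomputed, no session
                update_on_refresh=True),
    ]
    at_login = build_claims(user, session, maps, map_kind="id_token_userinfo")
    user["email"] = "ada@newdomain.example"  # directory updated after login
    on_refresh = build_claims(user, {}, maps, map_kind="id_token_userinfo",
                              refresh=True, previous=at_login)
    return at_login, on_refresh
```

Running demo() shows the two behaviours worth checking before you rely on a mapping: the email claim follows the directory on refresh because Update on refresh is set, while login_method_live, which depends on a login session attribute, comes back as "unknown" on refresh because the session is not available then. Use Update on refresh only for attributes whose rule depends on directory values alone.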
Edit the ID token and user info section and perform the following steps to configure the format of the userinfo response:
  1. Select the JWT response for userinfo checkbox. The userinfo response will be in the JSON Web Token (JWT) format.
  2. Select the Signing algorithm from the dropdown list.
  3. Select the Signing certificate from the dropdown list.

    The signing certificate must use the curve that matches the selected ECDSA algorithm: P-256 for ES256, P-384 for ES384, and P-521 for ES512 (RFC 7518 defines each ES algorithm for exactly that curve).

  4. Select the Encryption algorithm from the dropdown list. This is the JWE key-management algorithm, carried as alg in the header of the encrypted response. Select none if encryption is not required.
  5. Select the Content algorithm from the dropdown list. This is the JWE content-encryption algorithm, carried as enc in the header. Select none if encryption is not required.
  6. Select the Encryption key from the dropdown list. Leave it blank or clear the box if encryption is not required.
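On the relying-party side, the settings above determine what a valid userinfo response looks like: a JWS with the configured signing algorithm (and, for ES256/ES384/ES512, a certificate on the matching curve), or a JWE with the configured alg and enc when encryption is enabled. The following checks, added here as an example and not part of IBM Security Verify or of any client library, parse the compact serialization and reject a response whose header does not match that configuration before a JOSE library verifies the signature or decrypts. The sample tokens are constructed and carry no real signature or ciphertext; the key identifier and the configured algorithm names are assumptions for the demonstration.

```python
"""Checks a relying party can run on a JWT-format userinfo response before
handing it to a JOSE library for signature verification or decryption.

Added example, not IBM Security Verify code. It parses the compact
serialization, tells a signed response (JWS, three segments) from an
encrypted one (JWE, five segments) and checks the header against the
client's configuration: the expected signing algorithm, the curve the
signing certificate must use for ES256/ES384/ES512 (as stated above), and
for a JWE the expected key-management ('alg') and content ('enc')
algorithms. It never verifies a signature itself. The sample tokens are
constructed and unsigned; the configuration values are assumptions.
"""
import base64
import json
from typing import Optional, Tuple

# Curve each ECDSA signing algorithm requires, as stated in the procedure.
ES_CURVE = {"ES256": "P-256", "ES384": "P-384", "ES512": "P-521"}


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def parse_header(token: str) -> Tuple[str, dict]:
    """Return ("JWS" or "JWE", header) or raise ValueError on malformed input."""
    parts = token.split(".")
    if len(parts) == 3:
        kind = "JWS"
    elif len(parts) == 5:
        kind = "JWE"
    else:
        raise ValueError("not a compact JWS (3 segments) or JWE (5 segments)")
    try:
        header = json.loads(b64url_decode(parts[0]))
    except (ValueError, UnicodeDecodeError) as e:
        raise ValueError(f"unreadable JOSE header: {e}") from None
    if not isinstance(header, dict):
        raise ValueError("JOSE header is not a JSON object")
    return kind, header


def check_userinfo_header(token: str, *, signing_alg: str,
                          key_curve: Optional[str] = None,
                          jwe_alg: Optional[str] = None,
                          jwe_enc: Optional[str] = None) -> Tuple[str, dict]:
    """Accept the header only if it matches the configured response format;
    the JOSE library then does the cryptographic verification."""
    kind, header = parse_header(token)
    alg = header.get("alg")
    if not alg or alg == "none":
        raise ValueError("missing or unsecured 'alg'")
    if kind == "JWE":
        if jwe_alg is None or jwe_enc is None:
            raise ValueError("encrypted response but encryption was not configured")
        if alg != jwe_alg or header.get("enc") != jwe_enc:
            raise ValueError(f"JWE alg/enc {alg}/{header.get('enc')} differ from "
                             f"configured {jwe_alg}/{jwe_enc}")
        return kind, header
    if jwe_alg is not None:
        raise ValueError("encryption configured but response is a plain JWS")
    if alg != signing_alg:
        raise ValueError(f"signing alg {alg!r} differs from configured {signing_alg!r}")
    if alg in ES_CURVE and key_curve != ES_CURVE[alg]:
        raise ValueError(f"{alg} requires a {ES_CURVE[alg]} key; certificate uses {key_curve}")
    return kind, header


def make_sample_token(header: dict, segments: int = 3) -> str:
    """Constructed token for the demonstration: a real JOSE header followed by
    placeholder segments (no payload, signature, or ciphertext is genuine)."""
    head = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    return ".".join([head] + [b64url_encode(b"\x00")] * (segments - 1))


def demo() -> Tuple[str, str]:
    """Signed response the client expects: ES256 with a P-256 certificate."""
    token = make_sample_token({"alg": "ES256", "typ": "JWT", "kid": "userinfo-1"})
    kind, header = check_userinfo_header(token, signing_alg="ES256", key_curve="P-256")
    return kind, header["alg"]
```

The point of pinning the algorithm and curve to what you configured, rather than trusting whatever the header announces, is that the header is unauthenticated input: the JOSE library must be told which algorithm to verify with, and a response that is encrypted when you did not configure encryption (or the reverse) should be treated as a configuration mismatch, not silently accepted.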

Custom rules

If you chose Custom rule in step 4 of the Procedure, click the Edit icon to display the advanced rule interface. See Attribute functions; all domain objects that are described in the syntax document are available.