OpenID Connect introspect, ID token, and user info mapping
The OAuth and OpenID Connect flows in IBM® Security Verify create an authorization grant. This grant contains the attributes and values that are included in the introspection response, the ID token, and the user info response. These attributes and values:
- Are default attributes such as preferred_username.
- Are computed from the authorization request by using scope and claims.
- Are based on attribute and request mappings.
Procedure
You can choose between ID token and user info mapping, and introspect mapping. The procedure for both is the same. Attributes that are defined for ID token and user info mapping are added to the ID token that is issued and to the userinfo API response. Attributes that are defined for introspect mapping are added to the introspection response.
- Under Endpoint Configuration, click the Edit icon for Introspect or ID token and user info.
- For ID token and user info, select the Send all known user attributes in the ID token checkbox to include built-in standard attributes and extended attributes in the ID token. Extended attributes are extra attributes that come from a SAML Enterprise identity provider.
- Click Add attribute.
- Choose the Verify attribute from the menu. Rather than choosing a specific attribute, you can write a custom rule to compute the attribute value by choosing "Custom rule" in the Verify attribute menu. For more information about attributes, see Managing attributes.
- Optionally, choose a simple transformation.
- Specify the name of the target attribute that the relying party requires to be sent. For example, Verify uses given_name for the user's given name. If the relying party requires this attribute to be included in the ID token as firstName, then use firstName as the name of the target attribute. The following attributes cannot be overwritten: aud, exp, groupIds, groupUids, at_hash, c_hash, rt_hash, s_hash, iat, iss, nonce, sub, client_id, grant_id, grant_type, and scope. Note: The sub attribute can be mapped only in the ID token and user info attribute map, and that mapping then applies to the introspection response, the JWT access token, the ID token, and the user info response.
- Select the Update on refresh checkbox to update this attribute during a refresh token flow. Note: A refresh token flow has no login session attributes, so the updated value relies only on custom attribute rules or on user attribute values that are in Cloud Directory.
- After all attribute mappings are added, click OK. Note: Clicking OK does not save the changes.
- Click Save on the application to save the changes.
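To make the rules in the steps above concrete, the following is a small model of how a mapping table turns a user record into claims. It is an added illustration for this page, not IBM Security Verify's own code. The reserved-claim list, the rule that sub can be mapped only in the ID token and user info map, and the refresh-flow caveat come from the procedure; the Mapping structure, the transformation names, the function names, and the sample user and session records are assumptions made for the example.

```python
"""Model of the attribute-mapping rules described in the procedure.

Added illustration, not Verify's implementation. Mapping structure,
transformation names, function names and sample data are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Claims that an attribute mapping cannot overwrite (list taken from the page).
RESERVED_CLAIMS = frozenset({
    "aud", "exp", "groupIds", "groupUids", "at_hash", "c_hash", "rt_hash",
    "s_hash", "iat", "iss", "nonce", "sub", "client_id", "grant_id",
    "grant_type", "scope",
})

# "Simple transformations" (assumed names; the page does not list them).
TRANSFORMS = {"none": lambda v: v, "lowercase": str.lower, "uppercase": str.upper}


@dataclass(frozen=True)
class Mapping:
    source: Optional[str]            # Verify attribute, or None for a custom rule
    target: str                      # claim name the relying party expects
    transform: str = "none"
    update_on_refresh: bool = False
    rule: Optional[Callable[[dict], str]] = None   # custom rule over the context


def validate_mappings(mappings, map_type):
    """Reject targets that cannot be overwritten. `sub` is accepted only in
    the "id_token_userinfo" map; a mapping there applies to every token type."""
    for m in mappings:
        if m.target == "sub":
            if map_type != "id_token_userinfo":
                raise ValueError("sub can be mapped only in the ID token and user info map")
            continue
        if m.target in RESERVED_CLAIMS:
            raise ValueError(f"{m.target} cannot be overwritten by a mapping")


def mapping_error(mappings, map_type):
    """Return the validation error message, or None when the map is acceptable."""
    try:
        validate_mappings(mappings, map_type)
    except ValueError as exc:
        return str(exc)
    return None


def apply_mappings(mappings, user, *, refresh=False, session=None):
    """Compute claim values. At first issuance the context is the Cloud
    Directory record plus login-session attributes. On refresh only mappings
    flagged update_on_refresh are recomputed, and there is no login session,
    so a rule that reads session data finds nothing (the page's caveat)."""
    context = dict(user)
    if not refresh and session:
        context.update(session)
    claims = {}
    for m in mappings:
        if refresh and not m.update_on_refresh:
            continue
        if m.rule is not None:
            value = m.rule(context)
        else:
            value = context.get(m.source)
            if value is None:
                continue        # attribute absent from the directory: omit the claim
        claims[m.target] = TRANSFORMS[m.transform](value)
    return claims


def issue_claims(mappings, user, session):
    """Claims stored in the grant when the ID token / userinfo is first issued."""
    validate_mappings(mappings, "id_token_userinfo")
    return apply_mappings(mappings, user, refresh=False, session=session)


def refresh_claims(mappings, grant_claims, user):
    """Grant claims after a refresh token flow: unflagged claims keep the value
    in the grant, flagged ones are recomputed from the directory record."""
    updated = dict(grant_claims)
    updated.update(apply_mappings(mappings, user, refresh=True))
    return updated


# Constructed sample data (not real Verify records).
SAMPLE_USER = {"sub": "u-0001", "given_name": "Ada", "family_name": "Lovelace",
               "email": "Ada.Lovelace@Example.com", "preferred_username": "ada"}
SAMPLE_SESSION = {"auth_method": "fido2"}   # present only during login

ID_TOKEN_MAPPINGS = [
    Mapping("given_name", "firstName"),
    Mapping("email", "email", transform="lowercase", update_on_refresh=True),
    # Pitfall: flagged for refresh but the rule reads a login-session attribute.
    Mapping(None, "amr", update_on_refresh=True,
            rule=lambda ctx: ctx.get("auth_method", "unknown")),
    Mapping(None, "display", update_on_refresh=True,
            rule=lambda ctx: f"{ctx['given_name']} {ctx['family_name']}"),
]

if __name__ == "__main__":
    first = issue_claims(ID_TOKEN_MAPPINGS, SAMPLE_USER, SAMPLE_SESSION)
    print("issued :", first)
    changed = dict(SAMPLE_USER, email="Ada.King@Example.com", given_name="Augusta")
    print("refresh:", refresh_claims(ID_TOKEN_MAPPINGS, first, changed))
    print("bad map:", mapping_error([Mapping("email", "iss")], "introspect"))
```

Running the model shows the two things worth checking in a real configuration: a mapping to a reserved name such as iss, or to sub outside the ID token and user info map, is rejected; and the amr rule, which works at login, degrades to "unknown" on refresh because the session attributes it reads are not available there. A claim that must survive refresh has to be derivable from Cloud Directory data alone.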
userinfo response type
- Select the JWT response for userinfo checkbox. The userinfo response is then returned in JSON Web Token (JWT) format.
- Select the Signing algorithm from the dropdown list.
- Select the Signing certificate from the dropdown list.
The curve of the signing certificate's key must match the signature algorithm: if ES256 is selected, the certificate must be ECDSA with P-256; if ES384 is selected, the certificate must be ECDSA with P-384; if ES512 is selected, the certificate must be ECDSA with P-521.
- Select the Encryption algorithm from the dropdown list. Select none if encryption is not required.
- Select the Content algorithm from the dropdown list. Select none if encryption is not required.
- Select the Encryption key from the dropdown list. Leave it blank or clear the box if encryption is not required.
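Before selecting a certificate for an ES* signing algorithm, it is worth checking which curve its key actually uses rather than relying on the certificate's name. The script below is an added example for this page, not an IBM tool: it reads the curve from a PEM certificate with openssl and compares it with the curve the selected algorithm requires. It assumes openssl is on PATH; the temporary directory, the subject name and the helper that generates throwaway self-signed certificates are constructed for the example.

```shell
#!/bin/sh
# Check that a signing certificate's EC curve matches the ES* algorithm chosen
# for the JWT userinfo response. Added example, not IBM tooling; assumes openssl.
set -eu

# Curve that each ES* algorithm requires (pairing from the page).
required_curve() {
    case "$1" in
        ES256) echo prime256v1 ;;   # NIST P-256
        ES384) echo secp384r1 ;;    # NIST P-384
        ES512) echo secp521r1 ;;    # NIST P-521
        *) echo "unsupported algorithm: $1" >&2; return 1 ;;
    esac
}

# Curve named in the certificate's public key (empty when the key is not EC).
cert_curve() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*ASN1 OID: \([A-Za-z0-9]*\).*/\1/p'
}

# Succeeds when the certificate can be used with the algorithm, fails otherwise.
check_cert_for_alg() {
    want=$(required_curve "$2") || return 1
    have=$(cert_curve "$1")
    [ "$have" = "$want" ]
}

# Throwaway self-signed certificate on the given curve (constructed test data).
make_test_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:"$1" -nodes \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" -days 1 \
        -subj "/CN=userinfo-test" >/dev/null 2>&1
    echo "$dir/cert.pem"
}

# usage: sh check_cert_curve.sh cert.pem ES256
if [ $# -eq 2 ]; then
    if check_cert_for_alg "$1" "$2"; then
        echo "$1 is usable for $2"
    else
        echo "$1 is NOT usable for $2 (curve: $(cert_curve "$1"))" >&2
        exit 1
    fi
fi
```

An RSA certificate produces an empty curve and fails the check for every ES* algorithm, which is the intended outcome: the userinfo JWT would otherwise fail to sign or be signed with a key the relying party's JWKS lookup does not expect.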
Custom rules
If you chose Custom rule in step 4 of the Procedure, click the edit icon to display the advanced rule interface. See Attribute functions. All domain objects that are described in the syntax document are available.