This article describes how to configure Authlete to add custom claims to the JWS header of ID tokens.
Specifying custom claims
An authorization server can specify a set of custom claims to be included in the header of ID tokens when making requests to the following Authlete APIs. idtHeaderParams is the request parameter that carries the claims in JSON format.
Authlete creates an ID token that includes the custom claims in its header and returns it to the authorization server.
Examples
This section shows example instructions on how to create ID tokens that include custom claims in the authorization code flow.
Preparing custom claims
Let's assume that the following custom claims are to be included in the header of ID tokens.
Key        Value
typ        JWT
extra_key  extra_value
The JSON-formatted value to be specified as the idtHeaderParams parameter would be as follows.
{"typ":"JWT","extra_key":"extra_value"}
Processing an authentication request
A client (OIDC relying party) makes an authentication request that includes scope=openid and response_type=code. The request is sent to an authorization server (OIDC identity provider) via a user agent.
The authorization server then forwards the content of the authentication request to Authlete's /auth/authorization API and receives a ticket value to be used in the next request to Authlete. (details omitted)
The authorization server authenticates the end user, asks for consent as needed, and makes a request to Authlete's /auth/authorization/issue API. In this request, the server uses the idtHeaderParams parameter to specify the custom claims.
The following is an example using curl. (folded for readability)
On receiving the response above, the authorization server sends back an authorization code (eOEh...3eSc) to the client via the user agent (Web browser).
Processing a token request
On receiving the authorization code, the client sends a token request including the code to the authorization server. The server forwards the content of the token request to Authlete's /auth/token API and receives a token response.
The following is an example using curl. (folded for readability)
Authlete has added the custom claims to the JWS header of the ID token (eyJh...aiZ4) in this response. You can find them by decoding the header part as follows.
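The following Python script is an added example, not code from the Authlete documentation or SDKs. It covers both the "Preparing custom claims" step (serializing the claims into the JSON string passed as idtHeaderParams) and the header check above (base64url-decoding the first segment of the returned ID token and confirming the custom claims are present). The sample token, its "alg" of RS256, the placeholder payload and the refusal to override signature-related JOSE header names (alg, kid, jku, jwk, x5u, x5c, x5t, x5t#S256, crit) are assumptions of this example; Authlete's own behaviour for those names is not described on this page.

```python
import base64
import json

# Signature-related JWS header names (RFC 7515 section 4.1) whose values belong to
# the signer. This is an added safety check for the example, not an Authlete rule;
# "typ" and "cty" are deliberately absent because the page's own example sets "typ".
RESERVED_JWS_HEADER_NAMES = {
    "alg", "jku", "jwk", "kid", "x5u", "x5c", "x5t", "x5t#S256", "crit",
}


def build_idt_header_params(custom_claims):
    """Serialize custom header claims into the JSON string passed as idtHeaderParams."""
    for name in custom_claims:
        if name in RESERVED_JWS_HEADER_NAMES:
            raise ValueError(f"refusing to override reserved JWS header parameter: {name}")
    # Compact separators produce the same form as the page's example value.
    return json.dumps(custom_claims, separators=(",", ":"))


def _b64url_decode(segment):
    # JWS segments omit padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jws_header(id_token):
    """Return the JOSE header of a compact-serialized JWS as a dict.

    This only inspects the header; it performs no signature verification, so the
    result must not be trusted as authentic until the token has been verified.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization (expected 3 segments)")
    return json.loads(_b64url_decode(parts[0]))


def header_has_custom_claims(id_token, expected):
    """True if every expected custom claim appears in the token header with that value."""
    header = decode_jws_header(id_token)
    return all(header.get(key) == value for key, value in expected.items())


# Constructed sample token: the header carries the page's custom claims next to an
# assumed "alg" of RS256. Payload and signature segments are placeholders, so this
# token is unsigned and exists only to exercise the decoding logic offline.
CUSTOM_CLAIMS = {"typ": "JWT", "extra_key": "extra_value"}
_sample_header = {"alg": "RS256", **CUSTOM_CLAIMS}
SAMPLE_ID_TOKEN = ".".join([
    _b64url_encode(json.dumps(_sample_header, separators=(",", ":")).encode()),
    _b64url_encode(json.dumps({"sub": "subject-placeholder"}).encode()),
    _b64url_encode(b"signature-placeholder"),
])


if __name__ == "__main__":
    print("idtHeaderParams:", build_idt_header_params(CUSTOM_CLAIMS))
    print("decoded header:", json.dumps(decode_jws_header(SAMPLE_ID_TOKEN), indent=2))
    print("custom claims present:", header_has_custom_claims(SAMPLE_ID_TOKEN, CUSTOM_CLAIMS))
```

Run the script as-is to see the serialized idtHeaderParams value and the decoded header of the constructed token; to check a real ID token returned by /auth/token, pass its compact string to header_has_custom_claims with the same claims you supplied in idtHeaderParams, and verify the signature with your normal JWT library before relying on anything in the header.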