Custom claim in access token

[6:03 pm] Subhasish Bhabani
Is there any useful technique for adding a claim to an access token? A user must be dynamically created in the resource server from the claim ‘sub’, which is really the client-id, when a system is authorized. The user remains present while the application is connected and is automatically deleted when it is disconnected from the resource server. It would be beneficial if we could add an application-specific label to the client-id and include a custom claim in the JWT token. In our situation, the application is only permitted to have one scope allowed for the audience. The scope’s naming convention is similar to ‘org-name.business-domain.system-name:operation’. One example is org.cust.sales:publish. We want to create a claim that reads “https://app-alias”: ‘sales-’, that is, extracting the word ‘sales’ from the scope name. I tried using an Action for the machine-to-machine flow, but I do not see an object to extract scopes from. How can I write an Action flow that is valid for a group of applications?

//Subhasish

Hello @subhasish-om welcome to the community!

Please see the following FAQ regarding adding custom claims to tokens:

Hope this helps!

Is there any way of having an API ‘audience’-specific Action flow? With this approach every token, irrespective of ‘audience’, will have the custom claim, which might not be relevant for all APIs.


Good question @subhasish-om - Perhaps you can use some logic to make a decision from within the Action based on data available in Event Object?
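Putting the two replies together, here is an added example (not from this thread and not Auth0's own code) of a Machine to Machine Action that sets the alias claim only for one audience, deriving the value from the single granted scope and refusing to set anything when the scope is malformed or ambiguous. The audience value and claim name are placeholders, and the `event.resource_server.identifier`, `event.accessToken.scope` and `api.accessToken.setCustomClaim` shapes are assumptions to verify against the current Auth0 Actions documentation.

```javascript
// Added example, not from the thread or from Auth0. Placeholder audience
// and claim name; event/api field names are assumptions (check the docs).
const TARGET_AUDIENCE = "https://api.example.com/sales"; // placeholder
const CLAIM_NAME = "https://app-alias";

// Parse one scope of the form 'org-name.business-domain.system-name:operation'
// (the convention from the question). Returns null for anything else, so
// unexpected scope strings never produce a claim value.
function parseScope(scope) {
  const m = /^([^.:\s]+)\.([^.:\s]+)\.([^.:\s]+):([^:\s]+)$/.exec(scope);
  if (!m) return null;
  return { org: m[1], domain: m[2], system: m[3], operation: m[4] };
}

// Derive the alias ("sales-") from the granted scopes. The question says one
// scope per audience is allowed, so zero or several distinct system names is
// treated as an error and yields null rather than a guessed value.
function deriveAlias(scopes) {
  const systems = new Set();
  for (const s of scopes) {
    const parsed = parseScope(s);
    if (parsed) systems.add(parsed.system);
  }
  if (systems.size !== 1) return null;
  return `${[...systems][0]}-`;
}

// Audience-specific decision: only tokens for TARGET_AUDIENCE get the claim.
function computeClaim(audience, scopes) {
  if (audience !== TARGET_AUDIENCE) return null;
  return deriveAlias(scopes);
}

// Action handler for the Machine to Machine (credentials exchange) flow.
// Accepts scope as an array or a space-separated string (assumption).
const onExecuteCredentialsExchange = async (event, api) => {
  const audience = event.resource_server && event.resource_server.identifier;
  const raw = (event.accessToken && event.accessToken.scope) || [];
  const scopes = Array.isArray(raw) ? raw : String(raw).split(/\s+/).filter(Boolean);
  const alias = computeClaim(audience, scopes);
  if (alias !== null) api.accessToken.setCustomClaim(CLAIM_NAME, alias);
};

// In an Action this is exported as exports.onExecuteCredentialsExchange.
if (typeof exports !== "undefined") {
  exports.onExecuteCredentialsExchange = onExecuteCredentialsExchange;
}
```

Tokens for any other audience are left untouched, which is the behaviour the follow-up question asks for.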