Custom claims under OIDC Enterprise Connection User Mapping not included on id_token

will.bastian · October 19, 2023, 10:17pm

Hey Dan, Thanks! This does indeed solve for the asked question of how to define a custom claim in the OIDC user mapping, and including it on the id_token.

In exploring this further in our specific use cases I’m now met with a following question:
If one of our claim’s contents is an object, is there any means to pull specific fields out of the source object and into our custom claims?

For instance, let’s reference a claim on userinfo named my_object_claim that contains an object with a single element, my_subobject

"my_object_claim": {"my_subobject": "foo"}

–1–
I’m finding that if we apply this mapping at the my_object_claim level, we’re met with the contents of

"my_object_claim": "[object Object]",

in the id_token

This is through providing both the user mapping, and the appropriate action

mapping:

  "attributes": {
    "name": "${context.userinfo.given_name}",
    "my_object_claim": "${context.userinfo.my_object_claim}"
  },

action:

exports.onExecutePostLogin = async (event, api) => {
  if (event.user.my_object_claim) {
    api.idToken.setCustomClaim("my_object_claim", event.user.my_object_claim)
  }
};

–2–
Then, if we attempt to update the user mapping json definition to go the level further into the object contents of my_object_claim, we cannot chain object element lookup past the top level claim.

If we update our user mapping to be:

  "attributes": {
    "name": "${context.userinfo.given_name}",
    "my_subobject_claim": "${context.userinfo.my_object_claim.my_subobject}"
  },

We’re met with:

expected context.tokenset, context.connection or contect.userinfo property access: "my_subobject_claim" ${context.userinfo.my_object_claim.my_subobjectd} found: Identifier

–3–
Finally, as in 1, above, it appears we’ve already called translated my_object_claim to "[object Object]", perhaps via calling toString on it? This appears to indicate while we have the ability to update the action to introspect further into the object, it’s already a string and there’s nothing to further introspect beyond the string contents of "[object Object]"

So, doing something like

exports.onExecutePostLogin = async (event, api) => {
  if (event.user.my_object_claim) {
    api.idToken.setCustomClaim("my_object_claim", event.user.my_object_claim.my_subobject_claim)
  }
};

Returns null

Topic		Replies	Views
OIDC enterprise connection claim mapping Help	4	5109	September 19, 2019
Map SAML Attribute Statements received from an external IdP and convert them to claims Help	2	4431	August 20, 2019
OpenID Connect conformant mapping of ADFS attributes to (id_token) claims Help active-directory , adfs , id_token , oidc , claims	4	9164	March 2, 2018
OpenID Connect User Mapping: how to map a url-namespaced custom claim Help connections , oidc-enterprise-connection	0	15	October 9, 2024
Mapping Identity Provider Attributes Help user-profile , user-management	1	60	October 1, 2024

Custom claims under OIDC Enterprise Connection User Mapping not included on id_token

Related Topics