Hey Dan, thanks! This does indeed solve the question asked, how to define a custom claim in the OIDC user mapping and include it in the id_token.
In exploring this further for our specific use cases, I'm now met with the following question:
If one of our claims' contents is an object, is there any means to pull specific fields out of the source object and into our custom claims?
For instance, let's reference a claim on userinfo named my_object_claim that contains an object with a single element, my_subobject:
    "my_object_claim": {"my_subobject": "foo"}
–1–
I'm finding that if we apply this mapping at the my_object_claim level, we're met with the contents of
    "my_object_claim": "[object Object]",
in the id_token.
This is through providing both the user mapping and the appropriate action mapping:
    "attributes": {
        "name": "${context.userinfo.given_name}",
        "my_object_claim": "${context.userinfo.my_object_claim}"
    },
action:
    exports.onExecutePostLogin = async (event, api) => {
        // copy the mapped profile attribute straight onto the id_token
        if (event.user.my_object_claim) {
            api.idToken.setCustomClaim("my_object_claim", event.user.my_object_claim)
        }
    };
–2–
Then, if we attempt to update the user mapping json definition to go a level further into the object contents of my_object_claim, we cannot chain object element lookup past the top-level claim.
If we update our user mapping to be:
    "attributes": {
        "name": "${context.userinfo.given_name}",
        "my_subobject_claim": "${context.userinfo.my_object_claim.my_subobject}"
    },
we're met with:
expected context.tokenset, context.connection or contect.userinfo property access: "my_subobject_claim" ${context.userinfo.my_object_claim.my_subobjectd} found: Identifier
–3–
Finally, as in 1 above, it appears my_object_claim has already been translated to "[object Object]", perhaps via calling toString on it? This appears to indicate that while we have the ability to update the action to introspect further into the object, it's already a string and there's nothing to further introspect beyond the string contents of "[object Object]".
So, doing something like
    exports.onExecutePostLogin = async (event, api) => {
        // by this point my_object_claim is the string "[object Object]", so the nested lookup yields nothing
        if (event.user.my_object_claim) {
            api.idToken.setCustomClaim("my_object_claim", event.user.my_object_claim.my_subobject_claim)
        }
    };
returns null.
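The coercion the post describes, reproduced as an added illustration that is not Auth0's code or the poster's: a stand-in for the `${context.userinfo.<claim>}` expansion that resolves one top-level property and string-coerces it (an assumption about the mapping engine, chosen because it yields exactly the "[object Object]" seen above), followed by a hypothetical action-style handler, `buildCustomClaims`, that checks the claim's type before placing anything in the token. The sample userinfo is constructed to match the shape in the post.

```javascript
// Added illustration (not Auth0 code): a minimal stand-in for the
// "${context.userinfo.<claim>}" template expansion, plus an action-style
// handler that refuses to emit an unexpected claim shape into the id_token.

// Constructed sample userinfo, mirroring the shape described in the post.
const sampleUserinfo = {
  given_name: "Ada",
  my_object_claim: { my_subobject: "foo" },
};

// Assumption: the mapping engine resolves a single top-level property and
// coerces the result to a string the way a JS template literal does.
function expandMapping(template, context) {
  return template.replace(/\$\{context\.userinfo\.([A-Za-z0-9_]+)\}/g, (_, key) => {
    const value = context.userinfo[key];
    return `${value}`; // an object becomes "[object Object]" here
  });
}

// Applies a whole "attributes" block and returns the resulting profile fields.
function applyAttributes(attributes, context) {
  const out = {};
  for (const [name, template] of Object.entries(attributes)) {
    out[name] = expandMapping(template, context);
  }
  return out;
}

// Hypothetical action-style handler. It propagates the nested field only when
// the claim is really an object (or a JSON-serialized one); an opaque string
// such as "[object Object]" is dropped and recorded, so no meaningless value
// lands in the id_token and the failure is visible in logs.
function buildCustomClaims(user) {
  const claims = {};
  const warnings = [];
  const raw = user.my_object_claim;
  if (raw === undefined || raw === null) return { claims, warnings };

  if (typeof raw === "object") {
    claims.my_subobject_claim = raw.my_subobject ?? null;
  } else if (typeof raw === "string") {
    try {
      const parsed = JSON.parse(raw); // tolerate a JSON-serialized claim
      claims.my_subobject_claim = parsed.my_subobject ?? null;
    } catch {
      warnings.push(`my_object_claim is not an object or JSON: ${raw}`);
    }
  }
  return { claims, warnings };
}

// Runs the mapping from the post through both stages and returns the outcome.
function demo() {
  const attributes = {
    name: "${context.userinfo.given_name}",
    my_object_claim: "${context.userinfo.my_object_claim}",
  };
  const profile = applyAttributes(attributes, { userinfo: sampleUserinfo });
  return { profile, result: buildCustomClaims(profile) };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running `demo()` shows the profile field arriving as the string "[object Object]" and the handler emitting no claim but one warning; feeding the handler the original object (or its JSON.stringify form) yields `my_subobject_claim: "foo"`. The point for a token issuer is that an action should validate the shape of what the mapping hands it rather than assume an object survived the hop.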