How do I override claims in the OIDC ID token in Identity Cloud, AM 7.1.x and 7.2.x?
The purpose of this article is to provide assistance if you want to override claims (such as aud, acr or iss) in the OpenID Connect (OIDC) ID token issued by ForgeRock Identity Cloud or AM.
Overview
Claims included in an ID token (id_token) can be overridden with one or more values in Identity Cloud and later versions of AM.
You can override claims by indicating which claim(s) you want to override and then updating the OIDC Claims script with the values that should be used for the overridden claim(s).
OIDC Claims script modifications
You can specify claim override values in the OIDC Claims script as a string or an array, for example:
- String: computedClaims.put("iss", "https://example.com")
- Array: var audClaim = ["https://example.com","https://test.net"]; computedClaims.put("aud", audClaim)
You should add these changes to the computeClaim section of the script.
These example changes would be reflected in the decoded id_token as follows:
{
  "at_hash": "PtgPFhutEQ4eHK1_nEVmPQ",
  "sub": "bddb135d-f6b7-4933-bb9e-525d436d48bb",
  "auditTrackingId": "6a8d9c63-3154-4094-8713-63e19368d518-27339",
  "subname": "bddb135d-f6b7-4933-bb9e-525d436d48bb",
  "iss": "https://example.com",
  "tokenName": "id_token",
  "sid": "s+g7AVR2lNE6C9t3jx+Tn9VBPO7yVn2xMLHrpH2NAjA=",
  "aud": [
    "https://example.com",
    "https://test.net"
  ],
  "c_hash": "t8R_lQDDmeQRQe3Pbfn6rg",
  "acr": "0",
  "org.forgerock.openidconnect.ops": "5-kDQ_4m8XueDlHI0x6mYuKG9To",
  "azp": "<client_name>",
  "auth_time": 1637582507,
  "realm": "/alpha",
  "exp": 1637586136,
  "tokenType": "JWTToken",
  "iat": 1637582536
}
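The following is an added example, not code from the ForgeRock article or from AM. It models the two halves of what the article describes: the script side, which puts a string for iss and an array for aud into computedClaims exactly as in the snippets above, and the provider's merge step, which (as assumed here) only honours a script value for a claim that was listed in Overrideable Id_Token Claims. It then decodes a constructed id_token payload the way a relying party would and checks iss and aud. The function names, the sample provider claims, the placeholder issuer URL and the placeholder signature are all constructed for this example.

```javascript
// Added example (not from the ForgeRock article): models the claim override
// behaviour described above plus the relying-party check that consumes the result.
// Function names, the constructed sample claims and the placeholder signature are
// assumptions made here; they are not AM code or AM APIs.

// Claims the administrator listed in "Overrideable Id_Token Claims".
const OVERRIDEABLE_ID_TOKEN_CLAIMS = ["iss", "aud"];

// Mirrors the two snippets from the article: the OIDC Claims script puts a
// string for iss and an array for aud into computedClaims.
function scriptComputedClaims() {
  const computedClaims = new Map();
  computedClaims.set("iss", "https://example.com");
  const audClaim = ["https://example.com", "https://test.net"];
  computedClaims.set("aud", audClaim);
  return computedClaims;
}

// Model of the provider merge step. Assumption: a script value is only honoured
// for claims in the overrideable list; every other claim keeps the value the
// provider computed itself.
function applyClaimOverrides(providerClaims, computedClaims, overrideable) {
  const result = { ...providerClaims };
  for (const [name, value] of computedClaims) {
    if (overrideable.includes(name)) {
      result[name] = value;
    }
  }
  return result;
}

function base64urlEncode(text) {
  return Buffer.from(text, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function base64urlDecode(text) {
  const b64 = text.replace(/-/g, "+").replace(/_/g, "/");
  return Buffer.from(b64, "base64").toString("utf8");
}

// Builds a compact JWS with a placeholder signature so the payload can be decoded
// offline. Signing is out of scope here; AM signs real ID tokens.
function buildSampleIdToken(claims) {
  const header = base64urlEncode(JSON.stringify({ alg: "RS256", typ: "JWT", kid: "placeholder" }));
  const payload = base64urlEncode(JSON.stringify(claims));
  return `${header}.${payload}.placeholder-signature`;
}

function decodeIdTokenPayload(idToken) {
  const parts = idToken.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(base64urlDecode(parts[1]));
}

// Relying-party side: after signature verification (not shown), the RP must see
// its expected issuer and find itself in aud, whether aud is a string or an array.
function issuerAndAudienceAccepted(payload, expectedIss, expectedAud) {
  if (payload.iss !== expectedIss) return false;
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  return aud.includes(expectedAud);
}

// Constructed provider claims, shaped like the decoded token shown in the article.
const PROVIDER_CLAIMS = {
  sub: "bddb135d-f6b7-4933-bb9e-525d436d48bb",
  iss: "https://am.example.internal/am/oauth2/alpha", // placeholder issuer
  aud: "<client_name>",
  acr: "0",
  realm: "/alpha",
};

// Runs the whole flow and reports what each consumer would decide.
function demo() {
  const merged = applyClaimOverrides(PROVIDER_CLAIMS, scriptComputedClaims(), OVERRIDEABLE_ID_TOKEN_CLAIMS);
  const payload = decodeIdTokenPayload(buildSampleIdToken(merged));
  return {
    payload,
    acceptedByTestNet: issuerAndAudienceAccepted(payload, "https://example.com", "https://test.net"),
    acceptedByOriginalClient: issuerAndAudienceAccepted(payload, "https://example.com", "<client_name>"),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Note the second result in demo(): once aud is overridden with the two URLs from the article, the client's own identifier is no longer in aud, so a client that validates the ID token against its client_id (as OpenID Connect Core requires) rejects the token. If that client still needs to consume the token, include its client_id in the audClaim array alongside the additional audiences.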
Overriding claims in the OIDC ID token (Identity Cloud)
You can override claims in the OIDC ID token as follows using the Identity Cloud admin UI:
- Go to Native Consoles > Access Management > Applications > OAuth 2.0 > Clients and click the name of your OAuth 2.0/OIDC client.
- Select the OAuth2 Provider Overrides tab and enter one or more claims you want to override in the Overrideable Id_Token Claims field. For example, enter aud if you want to override the audience claim.
- Ensure the Enable OAuth2 Provider Overrides option is selected.
- Click Save Changes.
- Go to Native Consoles > Access Management > Services > OAuth2 Provider > Advanced OpenID Connect and enable Always Return Claims in ID Tokens.
- Click Save Changes.
- Go to Scripts > Auth Scripts, select the required OIDC Claims Script and update it to include the required changes to the claim(s) you are overriding.
- Click Save.
Overriding claims in the OIDC ID token (AM)
- Set the claims you want to override:
  - AM 7.2 and later:
    - Go to Realms > [Realm Name] > Applications > OAuth 2.0 > Clients and click the name of your OAuth 2.0/OIDC client.
    - Select the OAuth2 Provider Overrides tab and enter one or more claims you want to override in the Overrideable Id_Token Claims field. For example, enter aud if you want to override the audience claim.
    - Ensure the Enable OAuth2 Provider Overrides option is selected.
    - Click Save Changes.
  - AM 7.1.x:
    - Go to Realms > [Realm Name] > Services > OAuth2 Provider > OpenID Connect and enter one or more claims you want to override in the Overrideable Id_Token Claims field. For example, enter aud if you want to override the audience claim.
    - Click Save Changes.
- Enable Always Return Claims in ID Tokens:
  - AM 7.2 and later:
    - Go to Realms > [Realm Name] > Services > OAuth2 Provider > Advanced OpenID Connect and enable Always Return Claims in ID Tokens.
    - Click Save Changes.
- Go to Realms > [Realm Name] > Scripts, select the required OIDC Claims Script and update it to include the required changes to the claim(s) you are overriding.
- Click Save.
See Also
How do I make session properties from a journey available in the OIDC ID token in Identity Cloud?
How do I add custom claims to the OIDC Claims Script in AM (All versions)?
Customize claims with the OpenID Connect 1.0 claims script