
How do I override claims in the OIDC ID token in Identity Cloud or AM 7.1.x?

Last updated Jun 6, 2022

The purpose of this article is to provide assistance if you want to override claims (such as aud, acr or iss) in the OpenID Connect (OIDC) ID token issued by ForgeRock Identity Cloud or AM.


Overview

Claims included in an ID token (id_token) can be overridden with one or more values in Identity Cloud and later versions of AM.

You can override claims by indicating which claim(s) you want to override and then updating the OIDC Claims script with the values that should be used for the overridden claim(s).

OIDC Claims script modifications

You can specify claim override values in the OIDC Claims script as a string or as an array, for example:

  • String: computedClaims.put("iss", "https://example.com")
  • Array: var audClaim = ["https://example.com", "https://test.net"]; computedClaims.put("aud", audClaim)

You should add these changes to the computeClaim section of the script.

These example changes would be reflected in the decoded id_token as follows:

  {
    "at_hash": "PtgPFhutEQ4eHK1_nEVmPQ",
    "sub": "bddb135d-f6b7-4933-bb9e-525d436d48bb",
    "auditTrackingId": "6a8d9c63-3154-4094-8713-63e19368d518-27339",
    "subname": "bddb135d-f6b7-4933-bb9e-525d436d48bb",
    "iss": "https://example.com",
    "tokenName": "id_token",
    "sid": "s+g7AVR2lNE6C9t3jx+Tn9VBPO7yVn2xMLHrpH2NAjA=",
    "aud": [
      "https://example.com",
      "https://test.net"
    ],
    "c_hash": "t8R_lQDDmeQRQe3Pbfn6rg",
    "acr": "0",
    "org.forgerock.openidconnect.ops": "5-kDQ_4m8XueDlHI0x6mYuKG9To",
    "azp": "<client_name>",
    "auth_time": 1637582507,
    "realm": "/alpha",
    "exp": 1637586136,
    "tokenType": "JWTToken",
    "iat": 1637582536
  }
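Overriding iss and aud changes what a relying party must accept, so it is worth checking the consumer side. The following is an added example, not part of the ForgeRock article and not ForgeRock code: a minimal relying-party validation of an ID token with the overridden claims shown above, applying the OIDC Core 3.1.3.7 rules that aud must contain the relying party's client_id and, when aud has several values, azp must equal it. The token is built locally with a constructed HS256 test key (AM signs real id_tokens with its own keys); "example-client" stands in for the page's "<client_name>".

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed claims mirroring the decoded id_token above, with the client_id placed in aud.
SAMPLE_CLAIMS = {
    "iss": "https://example.com",
    "sub": "bddb135d-f6b7-4933-bb9e-525d436d48bb",
    "aud": ["example-client", "https://test.net"],
    "azp": "example-client",
    "acr": "0",
    "auth_time": 1637582507,
    "iat": 1637582536,
    "exp": 1637586136,
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_hs256_token(claims: dict, key: bytes) -> str:
    """Build an HS256 JWT for testing only (constructed; not how AM signs id_tokens)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def validate_id_token(token: str, key: bytes, expected_iss: str, client_id: str, now=None):
    """Relying-party checks that matter once iss/aud are overridden. Returns (ok, claims_or_reason)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":  # pin alg; never trust the header
        return False, "unexpected alg"
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        return False, "bad signature"
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != expected_iss:  # an overridden iss must match what the RP was configured with
        return False, "unexpected iss"
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])  # aud may be a string or an array
    if client_id not in aud:  # an aud override that drops the client_id makes the token unusable
        return False, "client_id not in aud"
    if len(aud) > 1 and claims.get("azp") != client_id:  # multiple audiences require azp
        return False, "azp missing or not this client"
    if (time.time() if now is None else now) >= claims.get("exp", 0):
        return False, "token expired"
    return True, claims
```

The second check in the usage below shows the practical caveat: overriding aud with only the two URLs from the article, as shown in the decoded token, fails client_id validation at a strict relying party.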

Overriding claims in the OIDC ID token (Identity Cloud)

You can override claims in the OIDC ID token as follows using the Identity Cloud admin UI:

  1. Go to Native Consoles > Access Management > Applications > OAuth 2.0 > Clients and click the name of your OAuth 2.0/OIDC client.
  2. Select the OAuth2 Provider Overrides tab and enter one or more claims you want to override in the Overrideable Id_Token Claims field. For example, enter aud if you want to override the audience claim.
  3. Ensure Enable OAuth2 Provider Overrides is enabled.
  4. Click Save Changes.
  5. Go to Native Consoles > Access Management > Services > OAuth2 Provider > Advanced OpenID Connect and enable Always Return Claims in ID Tokens.
  6. Click Save Changes.
  7. Go to Scripts > Auth Scripts, select the required OIDC Claims Script and update it to include the required changes to the claim(s) you are overriding.
  8. Click Save.

Overriding claims in the OIDC ID token (AM)

You can override claims in the OIDC ID token as follows using the AM console:

  1. Go to Realms > [Realm Name] > Services > OAuth2 Provider > OpenID Connect and enter one or more claims you want to override in the Overrideable Id_Token Claims field. For example, enter aud if you want to override the audience claim.
  2. Click Save Changes.
  3. Go to the Advanced OpenID Connect tab and enable Always Return Claims in ID Tokens.
  4. Click Save Changes.
  5. Go to Realms > [Realm Name] > Scripts, select the required OIDC Claims Script and update it to include the required changes to the claim(s) you are overriding.
  6. Click Save.

See Also

How do I make session properties from a journey available in the OIDC ID token in Identity Cloud?

How do I add custom claims to the OIDC Claims Script in AM (All versions)?

OpenID Connect

Scripting OpenID Connect 1.0 Claims

Class Claim

Related Issue Tracker IDs

OPENAM-18459 (IdTokenInfo endpoint behaviours change from 6.x and fails when using client_id in POST)


Copyright and Trademarks Copyright © 2022 ForgeRock, all rights reserved.