Add custom claims to OpenID Connect id token - Web Server Authentication flow

Salesforce Asked by andres.bravo on January 10, 2021

We are using Keycloak to generate OpenID Connect id tokens, now they want to use Salesforce Identity to do that. We have some custom claims in the id token returned by Keycloak that we are not able to include with Salesforce. We tried OAuth flows such as Web Server or User-Agent but we can’t modify the access token returned in these flows.

The custom claim is something like this, an object with an array inside.

"realm_access":
{
   "roles": ["ROLE_1", "ROLE_2", "ROLE_3", "ROLE_4", "ROLE_5"]
}

Documentation states that we can include custom attributes in the ID token from the User, Profile and Role by selecting Configure ID Token and then ticking Include Custom Attributes on the Connected App. This does not meet our needs.

3 Answers

I found a way to include custom attributes in the JWT token from the Connected App programmatically. Connected App plugin: https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_class_Auth_ConnectedAppPlugin.htm

I have created a class extending the above one and using the following method:

global override Map<String,String> customAttributes(Id userId, Id connectedAppId, Map<String,String>
        formulaDefinedAttributes, Auth.InvocationContext context) 

Answered by andres.bravo on January 10, 2021

Your understanding is correct. Out of the box, you can receive an OpenID Connect id token if you request openid scope but you have limited control over non-standard claims in this token. If you need your own claims in your own format, you'll need to perform a token exchange as a 2-step process:

  1. Your OAuth client acquires an access token from SF using one of the supported OAuth flows
  2. Use the access token in another call to SF to exchange for your own token. The 2nd call will be to your own, custom REST API that will produce your own, custom JWT. See Using JWT when calling out from Salesforce to third party API for an example of how to generate the token.

Answered by identigral on January 10, 2021

You may be able to set custom claims via the JWT Class if you are creating your own Authentication Provider in Salesforce.

Answered by Bryan Anderson on January 10, 2021
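The three answers describe two different places where the claim can be produced: the Connected App plugin from the first answer, which adds attributes to the ID token Salesforce itself issues, and the custom REST endpoint plus Auth.JWT/Auth.JWS classes from the second and third answers, which mint a separate JWT after a token exchange. The following Apex is an added example, written for this page and not code from the asker or from Salesforce's documentation, showing both in one place. It assumes that role membership is represented by permission sets named ROLE_*, that a certificate named CustomJwtSigningCert exists in Certificate and Key Management, and that the audience URL is a placeholder; each class belongs in its own .cls file.

```apex
// ---- File 1: RealmAccessPlugin.cls ----
// Connected App handler (first answer): adds a "realm_access" claim to the ID
// token. customAttributes() must return Map<String,String>, so the nested
// {"roles": [...]} object can only be emitted as a JSON-encoded string value;
// the relying party has to JSON-parse that claim. The class is registered on
// the Connected App as its custom handler.
global class RealmAccessPlugin extends Auth.ConnectedAppPlugin {

    // Roles are derived server-side from the user's permission set
    // assignments (assumption: role permission sets are named ROLE_*);
    // nothing the client sends influences the claim.
    global static List<String> rolesFor(Id userId) {
        List<String> roles = new List<String>();
        // '\\_' escapes the SOQL LIKE single-character wildcard
        for (PermissionSetAssignment psa : [
                SELECT PermissionSet.Name
                FROM PermissionSetAssignment
                WHERE AssigneeId = :userId
                  AND PermissionSet.IsOwnedByProfile = false
                  AND PermissionSet.Name LIKE 'ROLE\\_%'
                ORDER BY PermissionSet.Name]) {
            roles.add(psa.PermissionSet.Name);
        }
        return roles;
    }

    global override Map<String,String> customAttributes(Id userId, Id connectedAppId,
            Map<String,String> formulaDefinedAttributes, Auth.InvocationContext context) {
        // Keep whatever formula-defined attributes the Connected App already adds
        Map<String,String> attrs = formulaDefinedAttributes == null
            ? new Map<String,String>()
            : new Map<String,String>(formulaDefinedAttributes);
        attrs.put('realm_access',
                  JSON.serialize(new Map<String,Object>{ 'roles' => rolesFor(userId) }));
        return attrs;
    }
}

// ---- File 2: CustomJwtExchange.cls ----
// Token exchange endpoint (second and third answers): the client first obtains
// a Salesforce access token through a standard OAuth flow, then POSTs to
// /services/apexrest/token-exchange with that token as a Bearer credential.
// The platform has already authenticated the caller, so UserInfo is trusted.
// The response is a JWT in the asker's own format, signed with the private key
// of the certificate "CustomJwtSigningCert" (assumed to exist); the audience
// URL is a placeholder.
@RestResource(urlMapping='/token-exchange')
global with sharing class CustomJwtExchange {

    @HttpPost
    global static void exchange() {
        Auth.JWT jwt = new Auth.JWT();
        jwt.setSub(UserInfo.getUserId());
        jwt.setIss(URL.getOrgDomainUrl().toExternalForm());
        jwt.setAud('https://relying-party.example');   // placeholder audience
        jwt.setValidityLength(300);                      // short-lived: five minutes
        // Additional claims are Map<String,Object>, so here "realm_access"
        // is a real nested JSON object rather than a string.
        jwt.setAdditionalClaims(new Map<String,Object>{
            'realm_access' => new Map<String,Object>{
                'roles' => RealmAccessPlugin.rolesFor(UserInfo.getUserId()) }
        });
        // Signs the JWT (RS256) with the named certificate's private key
        Auth.JWS jws = new Auth.JWS(jwt, 'CustomJwtSigningCert');

        RestResponse res = RestContext.response;
        res.addHeader('Content-Type', 'application/json');
        res.addHeader('Cache-Control', 'no-store');
        res.responseBody = Blob.valueOf(JSON.serialize(
            new Map<String,Object>{ 'token_type' => 'JWT',
                                    'expires_in' => 300,
                                    'token' => jws.getCompactSerialization() }));
    }
}
```

The relying party verifies the exchanged JWT with the certificate's public key and should check iss, aud and exp before trusting realm_access. Because the plugin path serializes the roles object into a string, a consumer that expects the Keycloak-style nested object has to parse that claim, which is the trade-off that makes the exchange endpoint attractive when the claim shape matters. In both paths the roles come from permission set assignments looked up for the authenticated user, never from request input.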
