Salesforce Asked by andres.bravo on January 10, 2021
We are using Keycloak to generate OpenID Connect id tokens; now they want to use Salesforce Identity to do that. We have some custom claims in the id token returned by Keycloak that we are not able to include with Salesforce. We tried OAuth flows such as Web Server or User-Agent, but we can't modify the access token returned in these flows.
The custom claim is something like this, an object with an array inside:

    "realm_access": {
        "roles": ["ROLE_1", "ROLE_2", "ROLE_3", "ROLE_4", "ROLE_5"]
    }
Documentation states that we can include custom attributes in the ID token from the User, Profile and Role by selecting Configure ID Token and then ticking Include Custom Attributes on the Connected App. This does not meet our needs.
I found a way to include custom attributes in the JWT token from the Connected App programmatically. Connected App plugin: https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_class_Auth_ConnectedAppPlugin.htm
I have created a class extending the above one and using the following method:
    global override Map<String,String> customAttributes(Id userId, Id connectedAppId,
            Map<String,String> formulaDefinedAttributes, Auth.InvocationContext context)
Answered by andres.bravo on January 10, 2021
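The override described in the answer above, written out as an added example (this is not the asker's class and not Salesforce's own sample code). It assumes the Connected App plugin signature shown on the page, and it assumes, purely for illustration, that the "roles" come from the user's permission set names. Because `customAttributes` must return `Map<String,String>`, the nested object cannot be emitted as a real JSON object; it is serialized into a single string, and the relying party parses that string back. Only the `userId` the platform passes in is consulted, so a caller cannot influence whose roles are reported.

```apex
// Added example: a minimal Auth.ConnectedAppPlugin that adds a "realm_access"
// attribute. Class name, role source and attribute name are assumptions.
global class RealmAccessPlugin extends Auth.ConnectedAppPlugin {

    global override Map<String,String> customAttributes(
            Id userId, Id connectedAppId,
            Map<String,String> formulaDefinedAttributes,
            Auth.InvocationContext context) {

        // Start from the attributes already defined on the Connected App
        // (formula-based custom attributes), so they are not lost.
        Map<String,String> attrs = new Map<String,String>();
        if (formulaDefinedAttributes != null) {
            attrs.putAll(formulaDefinedAttributes);
        }

        // Assumption: roles are the names of permission sets assigned to the
        // user handed in by the platform (profile-owned permission sets excluded).
        List<String> roles = new List<String>();
        for (PermissionSetAssignment psa : [
                SELECT PermissionSet.Name
                FROM PermissionSetAssignment
                WHERE AssigneeId = :userId
                  AND PermissionSet.IsOwnedByProfile = false]) {
            roles.add(psa.PermissionSet.Name);
        }

        // Map values are strings only, so the nested object is JSON-encoded:
        // "realm_access" -> "{\"roles\":[\"...\"]}"
        Map<String,Object> realmAccess = new Map<String,Object>{ 'roles' => roles };
        attrs.put('realm_access', JSON.serialize(realmAccess));

        return attrs;
    }
}
```

After registering the class as the Connected App's plugin, verify the result by decoding a freshly issued id token and checking where the platform nests plugin-supplied attributes (consult the Connected App plugin documentation linked above for the exact claim name); the relying party must treat `realm_access` as a JSON string and parse it before reading `roles`.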
Your understanding is correct. Out of the box, you can receive an OpenID Connect id token if you request the openid scope, but you have limited control over non-standard claims in this token. If you need your own claims in your own format, you'll need to perform a token exchange as a 2-step process:
Answered by identigral on January 10, 2021
You may be able to set custom claims via the JWT Class if you are creating your own Authentication Provider in Salesforce.
Answered by Bryan Anderson on January 10, 2021