How to customize access token generated by client credentials flow #3616

baominwang · 2023-08-24T06:24:27Z

baominwang
Aug 24, 2023

We plan to use backend server to generate access token for specific user. We don't want to use Authorization Code Flow. The preferred flow is "Client credential flow", When I check the doc: https://www.ory.sh/docs/oauth2-oidc/client-credentials, it seems that there are some limitations:

sub field is clientId instead of userId customized.

Is it possible to add cutomized field in access token?

Answered by vinckr

Sep 29, 2023

Hello @baominwang

Yes, it is possible to add customized fields in the access token. This can be done by adding custom claims during the consent acceptance. Here's an example of how to do this:


import { Configuration, OAuth2Api } from "@ory/client"  
  
const ory = new OAuth2Api(  
 new Configuration({  
 basePath: `https://${process.env.ORY_PROJECT_SLUG}.projects.oryapis.com`,  
 accessToken: process.env.ORY_API_KEY,  
 }),  
)  
  
export async function acceptConsent(consentChallenge: string) {  
 const { data } = await ory.getOAuth2ConsentRequest({ consentChallenge })  
  
 return await ory  
 .acceptOAuth2ConsentRequest({  
 consentChallenge: consentChallenge,  
 acceptOAuth2ConsentRe…

View full answer

vinckr · 2023-09-29T08:24:06Z

vinckr
Sep 29, 2023
Maintainer

Hello @baominwang

Yes, it is possible to add customized fields in the access token. This can be done by adding custom claims during the consent acceptance. Here's an example of how to do this:


import { Configuration, OAuth2Api } from "@ory/client"  
  
const ory = new OAuth2Api(  
 new Configuration({  
 basePath: `https://${process.env.ORY_PROJECT_SLUG}.projects.oryapis.com`,  
 accessToken: process.env.ORY_API_KEY,  
 }),  
)  
  
export async function acceptConsent(consentChallenge: string) {  
 const { data } = await ory.getOAuth2ConsentRequest({ consentChallenge })  
  
 return await ory  
 .acceptOAuth2ConsentRequest({  
 consentChallenge: consentChallenge,  
 acceptOAuth2ConsentRequest: {  
 session: {  
 access_token: {  
 some_custom_claim: "some_custom_value",  
 },  
 id_token: {  
 id_custom_claim: "some_value",  
 },  
 },  
 },  
 })  
 .then(({ data }) => data)  
}

In this example, some_custom_claim is added to every access token during consent acceptance. If you want some_custom_claim to be added to the top level (instead of a nested level) in the access token, you need to modify the /oauth2/allowed_top_level_claims configuration:


ory patch oauth2-config {project.id} \  
 --replace "/oauth2/allowed_top_level_claims=[\"some_custom_claim\"]"

This results in an access token with the following structure:


{  
 "sub": "...",  
 // ...  
 "some_custom_claim": "some_custom_value",  
 "ext": {  
 "some_custom_claim": "some_custom_value"  
 }  
 // ...  
}

Please note that required JWT claims can't be overwritten by custom claims. For more information, see the Ory documentation.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

How to customize access token generated by client credentials flow #3616

{{title}}

Replies: 1 comment

{{title}}

Select a reply

How to customize access token generated by client credentials flow #3616

baominwang Aug 24, 2023

Replies: 1 comment

vinckr Sep 29, 2023 Maintainer

baominwang
Aug 24, 2023

vinckr
Sep 29, 2023
Maintainer