OAuth JWT Access Token - GenerateJWTAccessToken

I want to customise my access token with a given format. I’ve attempted this with the GenerateJWTAccessToken policy; unfortunately it is not allowing me to generate a token with customized attributes. My requirement is to generate an access token with customized attributes using the OAuth v2 policy; I also need to have the refresh token in the response.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?> GenerateJWTAccessToken client_credentials RS256 1800000 xWLk8SI4vhB2izcBaXU+hL8o5ei0stxmbA9vTbLa+D4=

expected output:

header:{
  "alg": "RS512",
  "typ": "JWT",
  "kid": "xWLk8SI4vhB2izcBaXU+hL8o5ei0stxmbA9vTbLa+D4="
}

payload:{
  "sub": "c00f9236-71d5-4f4e-adc4-13897f5ce817",
  "iss": "https://openid/test",
  "ds:MID": "57110310002",
  "cognito:username": "A5F085E09F19D4BDB20224FE9F9CC73A",
  "ds:TID": "0001",
  "aud": "5di3iu0nf671u66e4p4rocvv8p",
  "ds:altMid": "1",
  "event_id": "b1c23582-36aa-4fa6-905b-0cd1f101b951",
  "token_use": "id",
  "ds:sourceCode": "InternetWithoutEAN",
  "client_id": "",
  "scope": "A",
  "auth_time": 1723736924,
  "exp": 1723740524,
  "iat": 1723736924,
  "email": "test@gmail.com"
}

Actual Result:

header:{
  "typ": "at+JWT",
  "alg": "RS256"
}

payload:{
  "sub": "SGdxkTc1vZo5zpNRtZ13yWzWyPmnvyASdnd7iLYpYUvOQUva",
  "iss": "https://connect-dev.fiservapis.com/oauth2-cc",
  "exp": 1723738483,
  "iat": 1723736683,
  "jti": "fe61aa4b-c9be-4d63-9710-b612b7c3fedb",
  "client_id": "SGdxkTc1vZo5zpNRtZ13yWzWyPmnvyASdnd7iLYpYUvOQUva"
}

2 Likes

My requirement is to generate an access token with customized attributes using the OAuth v2 policy

You cannot do that. Your requirements as stated cannot be satisfied.

The AdditionalClaims element is not available in the OAuthV2 policy. The documentation defining the elements available to you is here.

If you want to shape the JWT, you would use the GenerateJWT policy. That supports the AdditionalClaims element.

2 Likes
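A sketch of the GenerateJWT configuration that the reply above points to, added here as an example; it is not code from the thread or from Apigee's documentation. The policy name, the `private.jwt_signing_key` variable and every `custom.*` flow variable are hypothetical, while the claim names, issuer and kid are copied from the question.

```xml
<!-- Added example. Hypothetical: policy name, private.jwt_signing_key, custom.* variables. -->
<GenerateJWT name="GJWT-CustomAccessToken">
    <!-- The expected header in the question shows RS512; the key must be an RSA private key. -->
    <Algorithm>RS512</Algorithm>
    <PrivateKey>
        <!-- Read the PEM key from a private.* variable so it is masked in debug sessions. -->
        <Value ref="private.jwt_signing_key"/>
        <!-- Emitted as the "kid" header; value copied from the question. -->
        <Id>xWLk8SI4vhB2izcBaXU+hL8o5ei0stxmbA9vTbLa+D4=</Id>
    </PrivateKey>
    <Subject ref="custom.subject"/>
    <Issuer>https://openid/test</Issuer>
    <Audience ref="custom.audience"/>
    <!-- 30 minutes, the lifetime of the token shown in the thread (exp - iat = 1800 s). -->
    <ExpiresIn>30m</ExpiresIn>
    <!-- Populate these only from values the proxy has validated itself,
         not directly from request parameters or headers. -->
    <AdditionalClaims>
        <Claim name="ds:MID" ref="custom.mid" type="string"/>
        <Claim name="ds:TID" ref="custom.tid" type="string"/>
        <Claim name="ds:sourceCode" ref="custom.source_code" type="string"/>
        <Claim name="scope" ref="custom.scope" type="string"/>
    </AdditionalClaims>
    <!-- The signed token is written to this flow variable. -->
    <OutputVariable>custom.signed_jwt</OutputVariable>
</GenerateJWT>
```

A token produced this way is not recorded in the OAuthV2 token store, so proxies that consume it validate it with the VerifyJWT policy rather than with an OAuthV2 verify operation.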

The docs for Using JWT OAuth tokens imply you can:
“The payload consists of claims about the entity. Some claims must be provided in the policy configuration, while others are automatically generated by the Apigee runtime.”

Nevertheless, the JWT does include the noted claims, including scope if that’s in the request and on the associated API Product.

FYI, client_credentials doesn’t generate a refresh token by design.