OAuthV2 Policy - How to add claims in JWT token?

Hello all

I’m trying to implement an endpoint to generate a JWT token for a client-credential flow, in Apigee X.

I used the OAuthV2 policy, with operation set to GenerateJWTAccessToken.

I set it up like this

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 continueOnError="false" enabled="true" name="OA-Generate-JWT-Access-Token">
  <DisplayName>OA-Generate-JWT-Access-Token</DisplayName>
  <Operation>GenerateJWTAccessToken</Operation>
  <Algorithm>HS512</Algorithm>
  <SupportedGrantTypes>
    <GrantType>client_credentials</GrantType>
  </SupportedGrantTypes>
  <ExpiresIn>3000000</ExpiresIn>
  <GenerateResponse enabled="true"/>
  <SecretKey>
    <Value ref="private.mysecretkey"/>
  </SecretKey>
  <Attributes>
    <Attribute name="attr_name1" ref="flow.variable" display="true">value1</Attribute>
    <Attribute name="attr_name2" ref="flow.variable" display="true">value2</Attribute>
  </Attributes>
  <AdditionalClaims>
    <Claim type="string" array="true" name="roles">admin.read,admin.write</Claim>
  </AdditionalClaims>
</OAuthV2>

(the roles array is just a test, I will not add admin role inconditionnaly in prod )

I was expecting to have “attr_name1” or “attr_name2” or “roles” as part of my JWT payload, but, no, non of that.

The API call response is:

{
    "refresh_token_expires_in": 0,
    "api_product_list": "[MyAPIProduct]",
    "api_product_list_json": [
        "MyAPIProduct"
    ],
    "attr_name2": "value2",
    "attr_name1": "value1",
    "organization_name": "myOrgName",
    "developer.email": "me@domain.com",
    "token_type": "Bearer",
    "issued_at": "1661498841112",
    "client_id": "c26Ha4xnw6L85wedEIbZyLdfnifNhF1FStaW1MBOw9aFBbQrHH",
    "access_token": "eyJ0eXAiOiJhdCtKV1QiLCJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJjMjZIYTR4bnc2TDg1d2VkRUliWnlMZGZuaWZOaEYxRlN0YVcxTUJPdzlhRkJiUXJISCIsImlzcyI6Imh0dHBzOi8vbXlBUEkvb2F1dGgyL3YxIiwiZXhwIjoxNjYxNTAxODQxLCJpYXQiOjE2NjE0OTg4NDEsImp0aSI6Ijk1MGM4YjA2LTUwYmQtNGZmYy1iMmYzLWM0YjY2MzljZjJiYyIsImNsaWVudF9pZCI6ImMyNkhhNHhudzZMODV3ZWRFSWJaeUxkZm5pZk5oRjFGU3RhVzFNQk93OWFGQmJRckhIIn0.2S-0XBSar7wjcylPHLQFCIf4jAiFb9rNKLxbpdZia1sxATkXEYYgNzzaOXu-cSa8-yJkDjCyuBIAEckdKdCroA",
    "application_name": "6c0b4d88-96e8-4555-a1f7-be49eff85a54",
    "scope": "",
    "expires_in": 2999,
    "refresh_count": "0",
    "status": "approved"
}

And the payload is then

{
  "sub": "c26Ha4xnw6L85wedEIbZyLdfnifNhF1FStaW1MBOw9aFBbQrHH",
  "iss": "https://myAPI/oauth2/v1",
  "exp": 1661501841,
  "iat": 1661498841,
  "jti": "950c8b06-50bd-4ffc-b2f3-c4b6639cf2bc",
  "client_id": "c26Ha4xnw6L85wedEIbZyLdfnifNhF1FStaW1MBOw9aFBbQrHH"
}

The AdditionalClaims is ignored as it is related to another JWT policy according to the doc, so, I’m fine with that.

The Attributes are correctly added … but in the response, not the JWT access token…

TL;DR
Does anyone know how to add custom claims in the JWT payload (not API response) using the OAuthV2/GenerateJWTAccessToken policy in Apigee X?

Thank you for your help

As far as I know you cannot.

What are you REALLY trying to do? (Why do you need the additional claims? )

The access token generated in JWT format conforms to this specification. This is the reason you cannot add arbitrary claims.

Hello,

Additionnal claims I’d like to add are the one related to OIDC, for instance, useful for my backend to identified the caller (not only “Apigee” which is the technical caller for it).

I can definitely pass this information via other way, like custom headers, but, that means to update code on the backend,.

As Apigee manages a user base of developers, I wanted to use it as an IDP, and then, to carry user information to the backend.

Thanks

Arnaud

Hello

Thanks for your reply.

I never doubt about the fact Apigee follow standards but it does not look unusual to me to add private claims in a JWT payload (as mentionned in the RFC7519).

Arnaduga

it does not look unusual to me to add private claims in a JWT payload

You can of course generate a JWT with arbitrary claims via the GenerateJWT policy.

The JWT generated by the OAuthV2 policy (via Operation = GenerateJWTAccessToken) is specifically intended for use by Apigee. The token generated in this way is not intended for consumption by other audiences. If you want to produce a JWT that will be consumed by some audience other than Apigee; OR if you want to produce a JWT that will be consumed by multiple audiences; AND you want that token to contain arbitrary custom claims, then you can use GenerateJWT to do that. If you need to validate the credentials of the client before doing that, then use VerifyAPIKey or even OAuthV2/GenerateAccessToken to do so. If you use the latter you can simply discard the generated opaque access token.

Ok, crystal clear, thank you!