Aggregated and distributed OpenID claims support in Connect2id server 6.11

Posted 2017-07-08

Relaying OpenID claims from other providers

The primary purpose of an OpenID Connect provider is to authenticate users for client applications, the secondary provisioning claims (attributes) about users. Normally these claims are asserted directly by the OpenID provider, from locally stored and managed user data.

An OpenID provider, however, can also relay claims from other providers:

  • As aggregated claims — by passing the external claims in a JWT signed by their provider; the client can check the claims’ origin by validating the JWT signature.

  • As distributed claims — by supplying the client with the endpoint URL of the external claims provider where it can fetch the claims by itself, using a bearer access token.

Example UserInfo endpoint response which includes aggregated claims besides the normal ones; the client can obtain the email and email_verified claims supplied by email-provider from the JWT:

  "sub"            : "alice",
  "name"           : "Alice Adams",
  "_claim_names"   : { "email"          : "email-provider",
                       "email_verified" : "email-provider"  },
  "_claim_sources" : { "email-provider" : { "JWT" : "eyooweeSh7..." } }

Example UserInfo response which includes distributed claims:

  "sub"            : "alice",
  "_claim_names"   : { "credit_score" : "credit-score-provider" },
  "_claim_sources" : { "credit-score-provider" : { 
                           "endpoint"     : "",
                           "access_token" : "sheeFei5Ute5oor0" } }

The client app can then fetch the user’s credit score with an HTTP request like this:

GET /claims HTTP/1.1
Authorization: Bearer sheeFei5Ute5oor0

The claim(s) will be returned in a JSON object, or packaged in a JWT, just like regular UserInfo responses.

Relaying external claims with the Connect2id server

The new 6.11 release of the Connect2id server adds support for relaying external claims. To do that create a connector for each external claims provider, using the existing ClaimsSource SPI.

Check out the following guides to find out how:


To download a ZIP package of Connect2id server 6.11:

(SHA-256: 80a8dc1d2cce3a080228c2ce6b256f9c940da4ea9bf58a3be3d1fb788c8854db)

As WAR package only:

(SHA-256: 2813a32cb7b540284a095b5c0264ed75e7e0c12d34dafbedce842bdd90a76c89)


Get in touch with Connect2id support.

Release notes

6.11 (2017-07-08)


  • Adds support for sourcing external aggregated and distributed OpenID claims, as specified in OpenID Connect Core 1.0, section 5.6.2. External claims can be set via the existing ClaimsSource SPI available in the Connect2id server SDK (com.nimbusds:c2id-server-sdk:3.10.1).


  • No changes


  • No changes


  • None


  • Upgrades to com.nimbusds:oauth2-oidc-sdk:5.30

comments powered by Disqus