Claims mapping
OpenID Connect allows client applications (relying parties) to request claims (assertions) about the user by including special OAuth 2.0 scope values in the OpenID authentication request.
For example, a client can use the profile scope value to request access to these user attributes from the IdP: name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale and updated_at.
OpenID Connect defines four such scope values that expand to specific sets of claims.
Scope value | Claims |
---|---|
profile | name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, updated_at |
email | email, email_verified |
address | address.formatted, address.street_address, address.locality, address.region, address.postal_code, address.country |
phone | phone_number, phone_number_verified |
The same mechanism extends to custom scope values and the claims the identity provider needs to release for them. To define such a scope-to-claims map, use the following configuration file:
/WEB-INF/customClaimsMap.properties
For example, to let the custom org_details scope value request the claims roles, supervisor and employee_number, add the following line to the file:
org_details: roles, supervisor, employee_number
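The following Python model, added here as an example and not code from this page or from the identity provider itself, shows how the scope-to-claims expansion described above behaves end to end: the four standard scope values from the table, a custom map parsed from text in the same `scope: claim, claim` line format as customClaimsMap.properties, and a resolver that turns a scope string into the list of claims the client may receive. The sample properties text, the extra `billing` scope, acceptance of `=` as well as `:` as separator, and the rule that a custom entry may not redefine a standard scope value are assumptions of this example; the page does not state how the server handles those cases.

```python
"""Scope-to-claims expansion for an OpenID Connect provider.

Added example; not code from the original page or from the identity
provider it documents. It models the behaviour described above: the four
standard scope values from OpenID Connect Core and a custom map read from
text in the ``scope: claim, claim`` format used by customClaimsMap.properties.
"""

# The four standard scope values and the claims they expand to, as in the
# table above (address members are listed with the page's dotted names).
STANDARD_CLAIMS_MAP = {
    "profile": [
        "name", "family_name", "given_name", "middle_name", "nickname",
        "preferred_username", "profile", "picture", "website", "gender",
        "birthdate", "zoneinfo", "locale", "updated_at",
    ],
    "email": ["email", "email_verified"],
    "address": [
        "address.formatted", "address.street_address", "address.locality",
        "address.region", "address.postal_code", "address.country",
    ],
    "phone": ["phone_number", "phone_number_verified"],
}

# Constructed sample of a custom claims map in Java properties syntax.
# The org_details line is the page's own example; the billing line and the
# '=' separator are assumptions added here to exercise the parser.
CUSTOM_CLAIMS_MAP_TEXT = """\
# custom scope values -> claims
org_details: roles, supervisor, employee_number
billing = account_id, credit_limit
"""


def parse_claims_map(text):
    """Parse ``scope: claim, claim`` lines into a dict of scope -> claim list.

    Blank lines and lines starting with '#' or '!' are comments, and either
    ':' or '=' separates key from value, mirroring how java.util.Properties
    reads the file. Malformed lines raise ValueError instead of being
    skipped, so a typo cannot quietly drop or merge a mapping.
    """
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        separators = [i for i in (line.find(":"), line.find("=")) if i != -1]
        if not separators:
            raise ValueError(f"line {lineno}: no ':' or '=' separator: {raw!r}")
        sep = min(separators)
        scope = line[:sep].strip()
        claims = [c.strip() for c in line[sep + 1:].split(",") if c.strip()]
        if not scope or not claims:
            raise ValueError(f"line {lineno}: empty scope value or claim list: {raw!r}")
        if scope in mapping:
            raise ValueError(f"line {lineno}: duplicate entry for scope {scope!r}")
        mapping[scope] = claims
    return mapping


def build_claims_map(custom_text):
    """Merge the standard map with a parsed custom map.

    Assumption of this example: a custom entry may not reuse one of the four
    standard scope names, because silently redefining what ``email`` or
    ``profile`` releases would surprise relying parties that rely on the spec.
    """
    custom = parse_claims_map(custom_text)
    clashes = sorted(set(custom) & set(STANDARD_CLAIMS_MAP))
    if clashes:
        raise ValueError(f"custom map redefines standard scope value(s): {clashes}")
    merged = dict(STANDARD_CLAIMS_MAP)
    merged.update(custom)
    return merged


def resolve_claims(scope, claims_map):
    """Expand a space-delimited scope string into an ordered, de-duplicated
    list of claim names.

    Scope values with no mapping contribute nothing: ``openid`` itself,
    OAuth scopes unrelated to claims, and unknown values are ignored.
    """
    claims = []
    seen = set()
    for value in scope.split():
        for claim in claims_map.get(value, ()):
            if claim not in seen:
                seen.add(claim)
                claims.append(claim)
    return claims


if __name__ == "__main__":
    claims_map = build_claims_map(CUSTOM_CLAIMS_MAP_TEXT)
    print(resolve_claims("openid email org_details", claims_map))
```

Feed the resolver the scope the user actually consented to, not the scope the client merely requested; otherwise adding a custom scope value to the map becomes a way for any client to pull those claims without the user ever seeing them on the consent screen.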