
I am using a third-party identity provider (Ping Identity). I have configured the client_id, redirect_uri and discovery_uri in my OpenID Connect client library (https://github.com/openid/AppAuth-Android).

I was able to successfully log in and got an access_token and a refresh_token. I am trying to embed some info in the access_token. But to encode it I need the private key.

Question

I was wondering if there is an API that can be called with the help of the library that will encode it for me by calling the identity provider.

Thanks in advance :)

Racer
  • In OpenID Connect, the `access_token` is not the place for additional attributes. The `id_token` is. Submission of the `refresh_token` to the authorization endpoint gets you an `access_token`, whose submission to the UserInfo endpoint gets you the `id_token` (as long as the AT presented is valid). Can you expand on your use case, and what you're hoping to achieve? – Andrew K. Feb 21 '22 at 17:07
  • @AndrewK. I have successfully logged in, and with the access token our BE validates it and sends me the list of customers, and the user will select one from it. Post that selection I am supposed to embed that selected customer id in the access_token and send it back to the BE so that they can verify me as well as give me the data about the specific customer by decoding the access token. – Racer Feb 21 '22 at 18:22
  • That isn't a supported OAuth pattern that I am aware of. An access token is a contract between two entities. You can't adjust the access token after the fact, but you can issue a new one. I would recommend figuring out a mechanism so that PingFed can retrieve the "list of customers" so that the user may choose from it prior to the issuance of the token, as @gary-archer suggested in his answer. The only choice with your current pattern would be to loop back through PF to have it issue a new token based on the "new knowledge". – Andrew K. Feb 22 '22 at 19:52

1 Answer


If custom claims are needed in access tokens, then they are usually included at the time of token issuance. E.g. PingFederate could make a JDBC connection to do this.

If you are using an External IDP with no relationship to your data, then perhaps this is not possible. That is why the recommendation is to avoid using foreign access tokens. Note also that access tokens are only intended for APIs and it is recommended to avoid reading them directly in web or mobile clients.

The usual technique is for the data owner to issue their own tokens after validating the external tokens, and adding any custom data / claims needed. Ideally use an Authorization Server for this, or perhaps your own API that acts as a token service, and which can store the token signing private key securely.

Gary Archer
  • Thanks Gary Archer and Andrew. For folks looking at the thread please read through the comments as well for more context. I am looking at a lot of options now. Will post my solution in the near future. – Racer Feb 24 '22 at 07:19
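The pattern the answer describes (the backend validates the external token, then issues its own token carrying the chosen customer id), as an added Python example that is not part of the question, the answer, or AppAuth-Android. To run offline it signs both tokens with HS256 and constructed inline secrets; a real deployment would verify PingFederate's RS256 access token against its JWKS and keep the backend signing key in a KMS or HSM. The issuer, audience, subject and customer names are all assumptions. The `forge_attempt` function also shows why the approach in the question cannot work: a token modified on the client no longer verifies, and the client has no way to re-sign it.

```python
"""Token-service pattern: validate an IdP access token, then mint the backend's
own short-lived token with extra claims.  Added example; HS256 with inline
secrets so it runs stand-alone (real IdP tokens are RS256, verified via JWKS)."""
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the example only.
IDP_SECRET = b"idp-secret-only-for-this-example"
BACKEND_SECRET = b"backend-signing-secret-only-for-this-example"
IDP_ISSUER = "https://idp.example.com"
BACKEND_ISSUER = "https://api.example.com"
API_AUDIENCE = "customer-api"


class TokenError(Exception):
    pass


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Compact-serialised HS256 JWT; the holder of `secret` is the only party able to sign."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, secret: bytes, issuer: str, audience: str, now=None) -> dict:
    """Check signature, then iss/aud/exp.  Anything that fails raises TokenError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":  # pin the algorithm: no "none", no alg confusion
        raise TokenError("unexpected alg")
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(p64))
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise TokenError("expired")
    return claims


def issue_backend_token(external_token: str, customer_id: str, allowed_customers: dict, now=None) -> str:
    """Validate the IdP token, check the subject may act for customer_id (the
    backend's own data, not the IdP's), then issue a new backend-signed token."""
    now = time.time() if now is None else now
    ext = verify_jwt(external_token, IDP_SECRET, IDP_ISSUER, API_AUDIENCE, now)
    if customer_id not in allowed_customers.get(ext["sub"], ()):
        raise TokenError("customer not permitted for this subject")
    claims = {"iss": BACKEND_ISSUER, "sub": ext["sub"], "aud": API_AUDIENCE,
              "customer_id": customer_id, "iat": int(now), "exp": int(now) + 900}
    return sign_jwt(claims, BACKEND_SECRET)


def forge_attempt(external_token: str, now=None) -> bool:
    """What the question proposes: add customer_id to the IdP token on the client.
    Returns True when the backend correctly rejects the modified token."""
    h64, p64, s64 = external_token.split(".")
    claims = json.loads(_b64url_decode(p64))
    claims["customer_id"] = "cust-7"
    tampered = h64 + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()) + "." + s64
    try:
        verify_jwt(tampered, IDP_SECRET, IDP_ISSUER, API_AUDIENCE, now)
    except TokenError:
        return True
    return False


def demo(now: float = 1_700_000_000) -> dict:
    # Constructed IdP access token for "user-42", as the mobile app would receive it.
    external = sign_jwt({"iss": IDP_ISSUER, "sub": "user-42", "aud": API_AUDIENCE,
                         "iat": int(now), "exp": int(now) + 3600}, IDP_SECRET)
    allowed = {"user-42": ["cust-7", "cust-9"]}  # constructed backend customer mapping
    backend_token = issue_backend_token(external, "cust-7", allowed, now)
    claims = verify_jwt(backend_token, BACKEND_SECRET, BACKEND_ISSUER, API_AUDIENCE, now)
    try:
        issue_backend_token(external, "cust-1", allowed, now)
        wrong_customer_rejected = False
    except TokenError:
        wrong_customer_rejected = True
    return {"customer_id": claims["customer_id"], "sub": claims["sub"],
            "tampered_rejected": forge_attempt(external, now),
            "wrong_customer_rejected": wrong_customer_rejected}


if __name__ == "__main__":
    print(demo())
```

The backend token is deliberately short-lived and audience-restricted to the API that consumes it, and the customer check is made against the backend's own authorisation data before anything is signed; the external token is only ever used as proof of who the user is.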