I am securing my frontend in Liberty with openidConnectClient, while also generating a JWT to achieve SSO with various other downstream systems. For that I'm trying to benefit from the jwtSso feature to easily generate a JWT based on claims from the OIDC ID token; however, none of them get included. I couldn't find any more documentation about this specific combination (OIDC + jwtSso).
Here's my server.xml:
<featureManager>
    <feature>ssl-1.0</feature>
    <feature>openidConnectClient-1.0</feature>
    <feature>jwtSso-1.0</feature>
</featureManager>
...
<openidConnectClient clientId="..." clientSecret="..." discoveryEndpointUrl="..." id="IBMid" scope="openid" signatureAlgorithm="RS256"
    allowCustomCacheKey="false" />
...
<jwtSso jwtBuilderRef="defaultJWT" />
<jwtBuilder id="defaultJWT" issuer="...">
    <claims>email,given_name,family_name,realmName</claims>
</jwtBuilder>
This is an example ID token received from OIDC provider:
{ "at_hash":"",
"aud":"",
"email":"jdoe@blah.com",
"exp":1453872463,
"ext":"{\"tenantId\":\"blah.com\"}",
"family_name":"Doe",
"given_name":"John",
"iat":1453872163,
"iss":"<issuer>",
"name":"John Doe",
"preferred_username":"jdoe@blah.com",
"realmName":"blah.com",
"sub":"120000QGFU",
"uniqueSecurityName":"120000QGFU"
}
And this is the final JWT payload that gets generated by jwtSso:
{
    "token_type": "Bearer",
    "sub": "120000QGFU",
    "upn": "120000QGFU",
    "realm": "...",
    "iss": "...",
    "exp": 1662499020,
    "iat": 1662491820
}
As you can see, none of the email, given_name, family_name or realmName claims get included. Can anyone help me understand why the claims listed in the jwtBuilder are not part of the generated JWT? I appreciate it in advance.
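A small diagnostic, added here as an example and not part of the question or of Liberty itself, that reads the configured <claims> list from a server.xml fragment (following jwtSso's jwtBuilderRef) and reports which of those claims are absent from a JWT's payload. The issuer and realm values are placeholders, and the compact tokens are constructed from the question's two payloads with a dummy signature so the check runs offline.

```python
import base64
import json
import xml.etree.ElementTree as ET
# Constructed server.xml fragment mirroring the question's jwtSso/jwtBuilder config.
SERVER_XML = """<server>
  <jwtSso jwtBuilderRef="defaultJWT" />
  <jwtBuilder id="defaultJWT" issuer="https://issuer.example">
    <claims>email,given_name,family_name,realmName</claims>
  </jwtBuilder>
</server>"""

# Claims copied from the question's two tokens (iss/realm values are constructed placeholders).
ID_TOKEN_PAYLOAD = {"sub": "120000QGFU", "email": "jdoe@blah.com", "given_name": "John",
                    "family_name": "Doe", "realmName": "blah.com", "iss": "https://op.example"}
SSO_PAYLOAD = {"token_type": "Bearer", "sub": "120000QGFU", "upn": "120000QGFU",
               "realm": "example", "iss": "https://issuer.example",
               "exp": 1662499020, "iat": 1662491820}

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    # JWS strips '=' padding from base64url segments; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_unsigned_jwt(payload: dict) -> str:
    # Compact JWS with a placeholder signature: constructed test input, never a real token.
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(payload).encode()), "c2ln"])

def configured_claims(server_xml: str) -> list:
    # Follow jwtSso/@jwtBuilderRef to the matching jwtBuilder and split its <claims> list.
    root = ET.fromstring(server_xml)
    ref = root.find("jwtSso").get("jwtBuilderRef")
    for builder in root.iter("jwtBuilder"):
        if builder.get("id") == ref:
            text = builder.findtext("claims") or ""
            return [c.strip() for c in text.split(",") if c.strip()]
    return []

def jwt_claims(token: str) -> dict:
    # Payload only; the signature is NOT verified, so this shows what was issued,
    # not whether the token may be trusted. Use a verifying library for the latter.
    return json.loads(b64url_decode(token.split(".")[1]))

def missing_claims(server_xml: str, token: str) -> list:
    # Configured claim names absent from the token, in configuration order.
    present = jwt_claims(token)
    return [c for c in configured_claims(server_xml) if c not in present]
```

Run against the question's data, the ID token yields an empty list while the jwtSso token reports all four configured claims as missing, which pins the problem to the jwtSso step rather than to the provider.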