---
title: Changing the default JWT claim for the OIDC user ID
description: Change the sub JSON Web Token (JWT) claim for the OpenID Connect (OIDC) user ID under the options.yml file's core section.
component: pingauthorize
version: 11.0
page_id: pingauthorize:pingauthorize_server_administration_guide:paz_config_jwt_claims
canonical_url: https://docs.pingidentity.com/pingauthorize/11.0/pingauthorize_server_administration_guide/paz_config_jwt_claims.html
revdate: April 15, 2025
section_ids:
  steps: Steps
---

# Changing the default JWT claim for the OIDC user ID

Change the `sub` JSON Web Token (JWT) claim for the OpenID Connect (OIDC) user ID under the `options.yml` file's `core` section.

By default, when a user signs on to the Policy Editor with OIDC, the Policy Editor uses the `sub` JWT claim to:

* Extract the `sub` claim value from the ID token and:

  * Record the `sub` claim value in the **Creator** column of the **Commits** table when the user makes commits (see **Branch Manager > Version Control**).

* Make a request to the [UserInfo](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo) endpoint and:

  * Use the `sub` claim value from the response as the user data.

  * Display the user data in the upper-right corner of the Policy Editor.

If your organization wants to use a non-default claim for the OIDC user ID, such as `email`, define this claim by completing the following steps.

You must configure your OIDC provider to include the claim in both the `UserInfo` endpoint and the ID token for the name to display. Refer to your OIDC provider's documentation for instructions.
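
As an added example (not part of the PingAuthorize documentation), the following script checks this prerequisite by confirming that the chosen claim is present, non-empty, and identical in both a captured ID token and a UserInfo response. The function names and sample data are constructed for illustration, and the token payload is decoded for inspection only, without signature verification.

```python
import base64
import json


def decode_id_token_claims(id_token: str) -> dict:
    """Decode a compact JWS payload for inspection only (no signature check)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_user_id_claim(id_token: str, userinfo: dict, claim: str) -> list:
    """Return a list of problems; an empty list means the claim is usable."""
    id_claims = decode_id_token_claims(id_token)
    problems = []
    for source, claims in (("ID token", id_claims), ("UserInfo", userinfo)):
        value = claims.get(claim)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"{source}: claim '{claim}' is missing or empty")
    # The Creator column comes from the ID token and the displayed user from
    # UserInfo, so differing values give two identities for one user.
    if not problems and id_claims[claim] != userinfo[claim]:
        problems.append(f"claim '{claim}' differs between ID token and UserInfo")
    # OIDC Core 5.3.2: the UserInfo sub must match the ID token sub.
    if id_claims.get("sub") != userinfo.get("sub"):
        problems.append("UserInfo 'sub' does not match ID token 'sub'")
    return problems


def _make_sample_token(claims: dict) -> str:
    """Build a constructed token with a placeholder signature segment."""
    def b64(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'RS256'})}.{b64(claims)}.c2ln"


# Constructed sample data, not real provider output.
SAMPLE_ID_TOKEN = _make_sample_token({"sub": "a1b2c3", "email": "jdoe@example.com"})
SAMPLE_USERINFO_OK = {"sub": "a1b2c3", "email": "jdoe@example.com"}
SAMPLE_USERINFO_NO_EMAIL = {"sub": "a1b2c3", "name": "J. Doe"}

if __name__ == "__main__":
    print(check_user_id_claim(SAMPLE_ID_TOKEN, SAMPLE_USERINFO_OK, "email"))
    print(check_user_id_claim(SAMPLE_ID_TOKEN, SAMPLE_USERINFO_NO_EMAIL, "email"))
```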

## Steps

1. Make a copy of the default options file:

   ```shell
   $ cp config/options.yml my-options.yml
   ```

2. In the `core` section of the new options file, uncomment the example `Authentication.oidcUserIdField` field that uses the `email` claim:

   ```yaml
   core:
     # Use a JWT claim other than "sub" for the OIDC User ID.
     #
     # Authentication.oidcUserIdField: jwt_claim
     #
     Authentication.oidcUserIdField: "email"
   ```

   1. (Optional) Replace `email` with your organization's preferred claim.

3. Stop the Policy Editor:

   ```shell
   $ bin/stop-server
   ```

4. Run `setup` using the `--optionsFile` argument and customize all other options to meet your needs:

   ```shell
   $ bin/setup demo \
     --adminUsername admin \
     --generateSelfSignedCertificate \
     --decisionPointSharedSecret pingauthorize \
     --hostname <pap-hostname>  \
     --port <pap-port>  \
     --adminPort <admin-port>  \
     --licenseKeyFile <path-to-license>  \
     --optionsFile my-options.yml
   ```

5. Start the Policy Editor:

   ```shell
   $ bin/start-server
   ```

6. In the Policy Editor, go to **Branch Manager > Version Control** and commit a policy change.

7. Verify that your claim is being used:

   1. Select any branch and verify that the new claim value appears in the upper-right corner of the Policy Editor.

   2. Verify that the new claim value appears in the **Creator** column of the **Commits** table for the commit you made in step 6.
