You can configure private JSON Web Token (JWT) claims for your organization under the options file's core section.
The JWT specification (RFC 7519) defines a small set of registered claims and also allows public and private claims to be included in a token. The seven registered claims, all of them optional, are:
- iss (issuer)
- sub (subject)
- aud (audience)
- exp (expiration time)
- nbf (not before)
- iat (issued at)
- jti (JWT ID)
When you configure private claims for your organization, make sure you avoid name collisions. Private claim names are not registered, so nothing prevents another party from using the same name for a different value; public claims avoid this by using collision-resistant names such as URIs.
Example

When a user signs on with OpenID Connect (OIDC), the Policy Editor uses the JWT sub claim in the user profile as the default OIDC user ID. Changes committed by policy editors are recorded under this user ID. If your organization wants to record changes under the email address instead, you can define a different claim, such as email, as the OIDC user ID.
To define this claim:
- Make a copy of the default options file.
  $ cp config/options.yml my-options.yml
- In the core section of the new options file, uncomment the example Authentication.oidcUserIdField setting that uses the email claim. After the edit the section reads:
  core:
    # Use a JWT claim other than "sub" for the OIDC User ID.
    #
    # Authentication.oidcUserIdField: jwt_claim
    Authentication.oidcUserIdField: "email"
- Stop the Policy Editor.
  $ bin/stop-server
- Run setup with the --optionsFile argument, and customize all other options as appropriate for your needs. The self-signed certificate and the shared secret pingauthorize shown here are example values; substitute your own for any deployment that matters.
  $ bin/setup demo \
      --adminUsername admin \
      --generateSelfSignedCertificate \
      --decisionPointSharedSecret pingauthorize \
      --hostname <pap-hostname> \
      --port <pap-port> \
      --adminPort <admin-port> \
      --licenseKeyFile <path-to-license> \
      --optionsFile my-options.yml
- Start the Policy Editor.
  $ bin/start-server
- To verify that your claim is used, commit a policy change in the Policy Editor and confirm that the value of your claim (here, the user's email address) appears in the Creator column.
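As an added example (it is not part of this page or of the PingAuthorize product), the following Python script ties together the two points above: it decodes the payload of a constructed ID token, selects the OIDC user ID from a configurable claim in the way oidcUserIdField selects it (defaulting to sub), rejects a claim that the token does not carry, and flags a proposed private claim name that collides with one of the seven registered names. The token contents, claim values and function names are assumptions made for illustration; how the Policy Editor itself behaves when the configured claim is absent is not documented on this page and is not modelled here. The decoder deliberately does not verify the signature, so use it only as a preflight check on a token you already trust.

```python
import base64
import json

# The seven registered claim names from RFC 7519 (the list on this page).
REGISTERED_CLAIMS = frozenset({"iss", "sub", "aud", "exp", "nbf", "iat", "jti"})

# Constructed sample claims, standing in for an ID token issued by an IdP.
SAMPLE_CLAIMS = {
    "iss": "https://idp.example.com",
    "sub": "248289761001",
    "aud": "policy-editor",
    "exp": 1700003600,
    "iat": 1700000000,
    "email": "jane.doe@example.com",
}


def _b64url_encode(raw: bytes) -> str:
    # JWT segments use base64url without padding.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Restore the padding the token stripped before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_unsigned_token(claims: dict) -> str:
    """Assemble header.payload.signature from constructed claims.

    The signature is a placeholder: nothing here signs anything. This exists
    only so the example runs offline without an IdP.
    """
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.signature-placeholder"


def decode_payload(token: str) -> dict:
    """Return the claims of a JWT WITHOUT verifying its signature.

    Preflight inspection only: never make an authorization decision on the
    output of this function.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    return json.loads(_b64url_decode(parts[1]))


def is_registered_claim(name: str) -> bool:
    """True if a proposed private claim name collides with a registered one."""
    return name in REGISTERED_CLAIMS


def select_user_id(claims: dict, field: str = "sub") -> str:
    """Pick the OIDC user ID the way oidcUserIdField does: 'sub' by default,
    otherwise the configured claim. A missing or non-string claim is an error,
    because recording policy changes under an empty creator is never wanted."""
    value = claims.get(field)
    if not isinstance(value, str) or not value:
        raise KeyError(
            f"claim '{field}' is missing or not a non-empty string; "
            "check that your IdP includes it in the ID token"
        )
    return value


def preflight(token: str, field: str = "sub") -> dict:
    """Run the checks an operator wants before switching oidcUserIdField."""
    claims = decode_payload(token)
    return {
        "user_id": select_user_id(claims, field),
        "collides_with_registered": is_registered_claim(field),
    }


if __name__ == "__main__":
    token = build_unsigned_token(SAMPLE_CLAIMS)
    print("default:", preflight(token))            # user_id is the sub value
    print("email:  ", preflight(token, "email"))   # user_id is the email value
    try:
        preflight(token, "preferred_username")     # constructed: not in the token
    except KeyError as err:
        print("rejected:", err)
```

Run it against a real ID token from your IdP's test tenant (paste the token string in place of the constructed one) to confirm the claim you intend to configure is actually present before you edit my-options.yml.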