How to add a custom claim to a token?
In the Admin Console, go to Security > API. On the Authorization Servers tab, select the name of the Custom Authorization Server (or select default when you use the default Custom Authorization Server) and then click Claims. Okta provides a default subject claim. You can edit that mapping or create your own claims.
Who are the parties involved in an access token request?
There are two parties involved in an access token request: the client, who requests the token, and the resource (the API) that accepts the token when the API is called. The aud claim in a token indicates the resource the token is intended for (its audience).
Why are access tokens treated as opaque strings?
Clients must treat access tokens as opaque strings because the contents of the token are intended for the resource (the API) only.
Why do resources always own their access tokens?
This is why a resource setting accessTokenAcceptedVersion to 2 means that a client calling the v1.0 endpoint to get a token for that API will receive a v2.0 access token. Resources always own their tokens (the tokens whose aud claim names them) and are the only applications that can change their token details.
How can I verify the authenticity of an ID token?
To do so securely, after a successful sign-in, send the user’s ID token to your server using HTTPS. Then, on the server, verify the integrity and authenticity of the ID token and retrieve the uid from it. You can use the uid transmitted in this way to securely identify the currently signed-in user on your server.
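As an added example (not code from the page or from any of the products it quotes), here is a minimal server-side check of the kind described above, written in Python against a constructed HS256-signed token so it runs offline; real Firebase ID tokens are RS256-signed and are verified with the issuer's published public keys (for example via the Firebase Admin SDK). The issuer, audience, key and claim values are assumptions.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(s: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def verify_id_token(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """Return the verified claims, or raise ValueError.
    The signature is checked BEFORE any claim is trusted; only HS256 is accepted."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "HS256":            # rejects alg=none and alg confusion
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:            # token was minted for another resource
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if not claims.get("sub"):                    # the uid the server will act on
        raise ValueError("missing sub")
    return claims

def make_token(claims: dict, key: bytes) -> str:
    # Constructed issuer side, only so the example is self-contained
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

# Constructed demo values (assumptions, not real keys or issuers)
KEY = b"constructed-demo-key"
ISSUER, AUDIENCE = "https://issuer.example", "my-api"
SAMPLE = make_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "user-123", "exp": 2_000_000_000}, KEY)
```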
Can a custom Firebase token be sent to a client?
Firebase tokens comply with the OpenID Connect JWT spec, which means the following claims are reserved and cannot be specified within the additional claims: After you create a custom token, you should send it to your client app.
How to create a token for CMG Configuration Manager?
The client needs to present a valid PKI-issued certificate, an Azure AD token, or a bulk registration token. If you can’t install and register clients on the internal network, create a bulk registration token. Use this token when the client installs on an internet-based device, and registers through the CMG.