
Add Custom Attributes to Identity Token

Vipul Kumar

Introduction

This blog sheds light on the potency of IgniteConnex Identity, primarily focusing on its role assignment functionality. By allocating distinct roles to users, IgniteConnex Identity empowers users with corresponding capabilities. This dynamic system ensures that each user operates within well-defined parameters, aligning their actions with their designated roles. This streamlined approach not only enhances security but also bolsters efficiency, providing users with a purpose-driven experience.

With the acquired token in hand, the next step is to decode it with jwt.io. Decoding reveals the access controls embedded within the token. This is also an opportune moment to add our own custom attributes to the Identity token.

Types of Custom Attributes

Four distinct custom attributes are available:

  • Realm Role: This attribute pertains to roles operating at the realm level.

  • Client Role: Focused on a specific client, this role allows us to fine-tune access controls for an individual client.

  • Group: With this attribute, we can organize users into groups, streamlining permissions management.

  • User Attribute: By evaluating user-specific attributes, we can enable a personalized approach to access management.

Realm Role

Step 1: Creating a New Realm Role


Click on "Add Role" and provide a name and description for the realm role.


Step 2: Mapping Roles to Users

Access the "Role Mappings" tab in the Users section and assign the realm role created in the previous step.


Client Role

Step 1: Creating a New Client Role

Select the desired client, then click on the "Roles" tab. Click "Add Role" and provide a name and description for the client role.



Step 2: Mapping Roles to Users

Access the "Role Mappings" tab in the Users section and assign the client role created earlier.

Groups

Step 1: Creating a New Group

Click on "New" to create a new group. Provide a name for the group.

Step 2: Mapping Roles in Groups

Access the "Role Mappings" tab in the Groups section to directly assign realm roles and client roles to users. This eliminates the need to add role mappings separately in the Users section.


Step 3: Join Group

Access the "Groups" tab in the Users section. Click "Join" to become a member of a previously created group.


Note: The group will not appear in the decoded token by default. To make it visible, a mapper must be created that includes the group's attributes in the token.

Developing a Mapper for Group

Step 1: Select the Client Name in Clients

Step 2: Access Mappers Tab in Clients and Create a Mapper

Specify the Mapper Name, Token Claim Name, and Mapper Type.


Info: Token Claim Name is the key name under which the group information should be displayed.

User Attributes

Step 1: Creating User Attributes

Access the "Attributes" tab in Users and provide the key and value for the attribute.


Info: As an illustration, the creation of the "api_limit" attribute is shown below:

Attribute Key: api_limit
Attribute Value: 5

This user attribute, denoted by the key "api_limit", is configured with a value of 5. It can be incorporated into the token, thereby giving the user a predetermined API access limit of 5 units.

Note: Similar to group membership, user attribute details won't be directly visible in the decoded token. To add a user attribute to the token, a mapper needs to be created for each user attribute. Repeat the previous steps to create a mapper for user attributes.

Conclusion

By implementing role mappings within IgniteConnex Identity, we've achieved a robust system for managing user roles. These role mappings can be verified within the decoded token, ensuring a well-structured and secure identity management system.
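The verification described above, as an added example that is not part of the original post or IgniteConnex's own code: it decodes a token's payload locally (inspection only, no signature verification) and reports which of the four custom attribute types are present and which mappers are still missing. It assumes roles appear under `realm_access` and `resource_access` and that the mappers use the Token Claim Names `groups` and `api_limit`; the client ID, role and group names are constructed sample values.

```python
import base64
import json

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_payload(token: str) -> dict:
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    body = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(body))

def custom_attributes(claims: dict, client_id: str) -> dict:
    """Collect the four custom attribute types from decoded claims."""
    # Assumed layout: roles under realm_access / resource_access;
    # "groups" and "api_limit" are the Token Claim Names set in the mappers.
    limit = claims.get("api_limit")
    return {
        "realm_roles": claims.get("realm_access", {}).get("roles", []),
        "client_roles": claims.get("resource_access", {})
                              .get(client_id, {}).get("roles", []),
        "groups": claims.get("groups"),  # None: no group mapper on the client
        "api_limit": None if limit is None else int(limit),  # may arrive as a string
    }

def missing_mappers(attrs: dict) -> list:
    """Names of mapper-dependent claims that are absent from the token."""
    return [k for k in ("groups", "api_limit") if attrs[k] is None]

def make_sample_token(claims: dict) -> str:
    """Build a constructed token with a dummy signature for the demo."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.{_b64url(b'sig')}"

# Constructed sample claims; role, client and group names are hypothetical.
WITH_MAPPERS = {
    "realm_access": {"roles": ["report-viewer"]},
    "resource_access": {"demo-client": {"roles": ["order-editor"]}},
    "groups": ["/support-team"],
    "api_limit": "5",
}
WITHOUT_MAPPERS = {k: v for k, v in WITH_MAPPERS.items() if k not in ("groups", "api_limit")}

if __name__ == "__main__":
    for claims in (WITH_MAPPERS, WITHOUT_MAPPERS):
        attrs = custom_attributes(decode_payload(make_sample_token(claims)), "demo-client")
        print(attrs, "missing mappers:", missing_mappers(attrs))
```

The second sample shows a token issued before the group and user attribute mappers exist: the roles are present, while `groups` and `api_limit` are reported as missing.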