
JR.56041 (-) asked a question.
Hi All,
Just trying to get my head around the On-Behalf-Of/token exchange flow. I have followed the guide at:
I have been able to exchange a token successfully from a Web App PKCE token as per the documentation.
I'm just wondering what additional information should the receiving API be able to determine from the exchanged token?
Should my API be able to get custom claims assigned to that user?
Calls to /userinfo and /introspect are not returning any additional information and I'm not sure if this is by design or not.
The exchanged token looks like the following when decoded, I am getting the "sub" property containing the correct user id:
{
  "ver": 1,
  "jti": "AT.....",
  "iss": "https://dev-.....kta.com/oauth2/default",
  "aud": "api://default",
  "iat": 16904...,
  "exp": 1690...,
  "cid": "0oaajgu...",
  "uid": "00ua9hktm...",
  "scp": [
    "customapi..."
  ],
  "auth_time": 1690436010,
  "sub": "...@mailinator.com"
}

Hello @JR.56041 (-) Thank you for reaching out to our Community!
For custom claims please see this part of the documentation:
https://developer.okta.com/docs/guides/set-up-token-exchange/-/main/#create-custom-scopes
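The checks a receiving API should run on an exchanged access token before trusting anything in it, as an added example that is not part of the thread or Okta's own code. It validates signature, issuer, audience, expiry and required scopes, then splits out any claims beyond the standard Okta access-token set so you can see at a glance whether a custom claim actually landed in the token. Everything here is constructed: the key, issuer URL, client and user IDs and claim values are placeholders, and the token is signed with HS256 and a shared secret purely so the script runs offline; a real Okta org signs with RS256 and your API must verify against the org's JWKS endpoint instead (an assumption about your deployment, noted in the code).

```python
"""Validate an Okta-style access token and surface its custom claims.

Added example for this thread, not Okta's code. Signing uses HS256 with a
local demo secret so it runs offline; against a real Okta org you would
verify RS256 signatures with the org's published JWKS (assumption).
"""
import base64
import hashlib
import hmac
import json
import time

DEMO_KEY = b"constructed-demo-secret"          # constructed; never a real key
ISSUER = "https://example.okta.com/oauth2/default"  # placeholder org URL
AUDIENCE = "api://default"
NOW = 1690436100                               # fixed clock for reproducibility

# Claims a default Okta access token carries; anything else is "custom".
STANDARD_CLAIMS = {"ver", "jti", "iss", "aud", "iat", "exp",
                   "cid", "uid", "scp", "auth_time", "sub"}

BASE_CLAIMS = {                                # constructed, mirrors the shape in the question
    "ver": 1, "jti": "AT.demo", "iss": ISSUER, "aud": AUDIENCE,
    "iat": NOW - 60, "exp": NOW + 3600, "cid": "0oa-demo-client",
    "uid": "00u-demo-user", "scp": ["customapi.read"],
    "auth_time": NOW - 90, "sub": "user@example.com",
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(payload: dict, key: bytes) -> str:
    """Build a compact JWT signed with HS256 (demo stand-in for Okta's RS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token: str, key: bytes, issuer: str, audience: str,
                 required_scopes, now=None) -> dict:
    """Return the claims only if signature, iss, aud, exp and scopes all check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != "HS256":           # pin the algorithm; never trust alg=none
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(parts[1]))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    missing = set(required_scopes) - set(claims.get("scp", []))
    if missing:
        raise ValueError(f"missing scopes: {sorted(missing)}")
    return claims


def custom_claims(claims: dict) -> dict:
    """Everything the authorization server added beyond the standard claim set."""
    return {k: v for k, v in claims.items() if k not in STANDARD_CLAIMS}


def exchanged_token() -> str:
    """Token with only the default claims, like the one in the question."""
    return mint_token(BASE_CLAIMS, DEMO_KEY)


def exchanged_token_with_custom_claim() -> str:
    """Token as it would look once a custom claim (here 'groups') is configured."""
    return mint_token({**BASE_CLAIMS, "groups": ["api-users"]}, DEMO_KEY)


if __name__ == "__main__":
    for tok in (exchanged_token(), exchanged_token_with_custom_claim()):
        claims = verify_token(tok, DEMO_KEY, ISSUER, AUDIENCE, ["customapi.read"], now=NOW)
        print("sub:", claims["sub"], "custom claims:", custom_claims(claims))
```

The point of `custom_claims` is diagnostic: if it returns an empty dict for your exchanged token, the authorization server did not put any custom claim into it, so no amount of introspection on the API side will produce one. Pinning `alg` and checking `aud` against your own API identifier are the two checks most often skipped in On-Behalf-Of setups, since the exchanged token and the original token can share an issuer but must not share an audience.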