OIDC Scope-Claim Mapping in IS 5.7.0


In previous WSO2 IS versions the OIDC scope-claim mapping was maintained at the registry level. From IS 5.7.0 onwards this mapping is persisted in the database layer.

How does OIDC scope-claim mapping work?

The file oidc-scope-config.xml, located at {product_home}/repository/conf/identity, holds the default OIDC scope-claim mappings. On the very first server startup the scopes and claims defined in this file are stored in the database, and the same data is displayed in the management console UI. Likewise, when a tenant is created, the data defined in this file is stored in the database against that tenant's ID. After the first server startup and after tenant creation, changes made to oidc-scope-config.xml take no effect, so adding, removing and editing OIDC scopes should be done through the management console UI.

OIDC Scope-Claim Mapping UI

In the management console, the 'OIDC Scopes' section can be found under the 'Manage' collapsible panel, as shown below.




New scopes can be added, and claims assigned to them, by clicking the 'Add' button, as shown below.




Existing scopes can be listed by clicking the 'List' button, as shown below.




When editing a scope, claims can be added to or removed from it using the 'Add claims' and 'Update' buttons respectively.


Database structure for OIDC scope claim mapping

Two new tables and a new index have been introduced to persist the scope-claim mapping, as shown below.

CREATE TABLE IF NOT EXISTS IDN_OIDC_SCOPE (
            ID INTEGER NOT NULL AUTO_INCREMENT,
            NAME VARCHAR(255) NOT NULL,
            TENANT_ID INTEGER DEFAULT -1,
            PRIMARY KEY (ID)
);

CREATE TABLE IF NOT EXISTS IDN_OIDC_SCOPE_CLAIM_MAPPING (
            ID INTEGER NOT NULL AUTO_INCREMENT,
            SCOPE_ID INTEGER,
            EXTERNAL_CLAIM_ID INTEGER,
            PRIMARY KEY (ID),
            FOREIGN KEY (SCOPE_ID) REFERENCES IDN_OIDC_SCOPE(ID) ON DELETE CASCADE,
            FOREIGN KEY (EXTERNAL_CLAIM_ID) REFERENCES IDN_CLAIM(ID) ON DELETE CASCADE
);

CREATE INDEX IDX_AT_SI_ECI ON IDN_OIDC_SCOPE_CLAIM_MAPPING(SCOPE_ID, EXTERNAL_CLAIM_ID);
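As an added example (not from this post or from WSO2), the schema above loaded into an in-memory SQLite database, with the join query an administrator can run to audit which claims each scope releases for a tenant, and a demonstration of what ON DELETE CASCADE does to the mapping when an external claim is deleted. IDN_CLAIM's columns are not shown on the page, so the two-column stand-in with CLAIM_URI is an assumption, as is the SQLite adaptation of AUTO_INCREMENT.

```python
import sqlite3

# Schema from the post, adapted to SQLite syntax (AUTO_INCREMENT -> AUTOINCREMENT).
# IDN_CLAIM is not shown on the page; this two-column stand-in is an assumption.
SCHEMA = """
CREATE TABLE IDN_CLAIM (ID INTEGER PRIMARY KEY AUTOINCREMENT, CLAIM_URI VARCHAR(255) NOT NULL);
CREATE TABLE IDN_OIDC_SCOPE (ID INTEGER PRIMARY KEY AUTOINCREMENT,
    NAME VARCHAR(255) NOT NULL, TENANT_ID INTEGER DEFAULT -1);
CREATE TABLE IDN_OIDC_SCOPE_CLAIM_MAPPING (ID INTEGER PRIMARY KEY AUTOINCREMENT,
    SCOPE_ID INTEGER, EXTERNAL_CLAIM_ID INTEGER,
    FOREIGN KEY (SCOPE_ID) REFERENCES IDN_OIDC_SCOPE(ID) ON DELETE CASCADE,
    FOREIGN KEY (EXTERNAL_CLAIM_ID) REFERENCES IDN_CLAIM(ID) ON DELETE CASCADE);
CREATE INDEX IDX_AT_SI_ECI ON IDN_OIDC_SCOPE_CLAIM_MAPPING(SCOPE_ID, EXTERNAL_CLAIM_ID);
"""
# Audit query: every claim each scope of one tenant releases, resolved via the mapping table.
AUDIT_SQL = """
SELECT s.NAME, c.CLAIM_URI FROM IDN_OIDC_SCOPE s
JOIN IDN_OIDC_SCOPE_CLAIM_MAPPING m ON m.SCOPE_ID = s.ID
JOIN IDN_CLAIM c ON c.ID = m.EXTERNAL_CLAIM_ID
WHERE s.TENANT_ID = ? ORDER BY s.NAME, c.CLAIM_URI
"""

def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite enforces FKs and cascades only when on
    conn.executescript(SCHEMA)
    return conn

def add_scope(conn, name, claim_uris, tenant_id=-1):
    """Create a scope for tenant_id and map it to each claim URI (creating claims as needed)."""
    scope_id = conn.execute("INSERT INTO IDN_OIDC_SCOPE (NAME, TENANT_ID) VALUES (?, ?)",
                            (name, tenant_id)).lastrowid
    for uri in claim_uris:
        row = conn.execute("SELECT ID FROM IDN_CLAIM WHERE CLAIM_URI = ?", (uri,)).fetchone()
        claim_id = row[0] if row else conn.execute(
            "INSERT INTO IDN_CLAIM (CLAIM_URI) VALUES (?)", (uri,)).lastrowid
        conn.execute("INSERT INTO IDN_OIDC_SCOPE_CLAIM_MAPPING (SCOPE_ID, EXTERNAL_CLAIM_ID) "
                     "VALUES (?, ?)", (scope_id, claim_id))
    return scope_id

def claims_per_scope(conn, tenant_id=-1):
    """Return {scope_name: [claim_uri, ...]} for one tenant; scopes with no claims are omitted."""
    out = {}
    for name, uri in conn.execute(AUDIT_SQL, (tenant_id,)):
        out.setdefault(name, []).append(uri)
    return out

def delete_claim(conn, uri):
    """Deleting an external claim cascades: the claim silently leaves every scope mapping."""
    conn.execute("DELETE FROM IDN_CLAIM WHERE CLAIM_URI = ?", (uri,))
```

Because the cascade is silent, a periodic run of the audit query per tenant is the simplest way to notice that a scope has lost (or gained) a claim since the last review.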


