Quasr
  • Introduction
    • Welcome to Quasr
    • Concepts
      • Flexible Authentication
      • User-Centric Privacy
      • Modern Development
    • Terminology
    • FAQs
  • Getting Started
    • Sign up with Quasr
    • Setup your tenant
      • Factor Configuration
      • Enrolling additional factors
      • Test with the Sample Client
      • Understanding Scopes & Scores
      • Setting up an API Client (M2M)
    • Connect your app
      • Hosted Login UI
      • Custom Login UI
      • Embedded Login UI
  • Account Administration
    • Introduction
    • Account & Billing
      • Metrics
    • Tenants
    • Usage & Statistics
    • Security
  • Tenant Administration
    • Introduction
    • Dashboard
    • Tenant Settings
    • Your Security
    • Accounts
      • Tenant Admins
    • Factors
      • Factors and Scoring
      • Username (ID)
      • Federation (OAuth2 / OIDC)
        • Apple
        • Facebook
        • GitHub
        • Google
        • LinkedIn
        • Slack
      • Time-based One-time Password (TOTP)
      • One-Time Password (OTP)
      • Password
      • Secret
    • Controls
      • Configuration
      • Permissions
      • Consents
      • Rules
    • Attributes
      • Capturing Claims
      • Sourcing Claims
      • Viewing Claims
      • Searching Claims / Users
      • Sharing Claims
    • Extensions
      • Synchronous
      • Asynchronous
    • Tokens
      • Session Token (OAuth 2.0)
      • Access Token (OAuth 2.0)
      • Refresh Token (OAuth 2.0)
      • ID Token (OIDC 1.0)
      • Consent Token
      • Authorization Code (OAuth 2.0)
    • Hosted Login Page
    • APIs
      • Authentication API
      • Management API (GraphQL)
  • Legal
    • Terms of Service
    • Acceptable Use Policy
    • DPA & Subprocessors
  • More Info
    • Standards
    • Security
      • Vulnerability Disclosure
      • Wall of Recognition
    • Support
    • Status
Powered by GitBook
On this page
  • Configuration
  • Events
  • OAuth 2.0 Authorize Endpoint
  • OAuth 2.0 Token Endpoint
  • Response Format
  • Example: Add Custom Claims to Tokens
  1. Tenant Administration
  2. Extensions

Synchronous

PreviousExtensionsNextAsynchronous

Last updated 1 month ago

Extensions used for injecting custom claims in ID and/or access tokens are run synchronous. In this section we describe the event payload and required response format. If your extension runs into an error or times out it will simply be ignored.

Your extension can run up to 5 seconds though the overall process behind the relevant OAuth 2.0 endpoints will also time out after 10 seconds hence you should anticipate you need to return claims faster.

Configuration

Synchronous extensions are configured as part of the respective resource.

Events

OAuth 2.0 Authorize Endpoint

{
    "type": "CUSTOMIZATION",
    "origin": "<client_id>", // client requesting token
    "action": "create-token",
    "account_id": "<account_id>", // subject of the token
    "tenant_id": "<tenant_id>" // tenant ID
    "source": "quasr.tokens/oauth2/authorize",
    "result": "PENDING",
    "detail": {
        "source": "oauth2/authorize",
        "type": "oidc1:id", // ID token
        "claims": [] // list of consented claims
    }
}

OAuth 2.0 Token Endpoint

{
    "type": "CUSTOMIZATION",
    "origin": "<client_id>", // client requesting token
    "action": "create-token",
    "account_id": "<account_id>", // subject of the token
    "tenant_id": "<tenant_id>" // tenant ID
    "source": "quasr.tokens/oauth2/authorize",
    "result": "PENDING",
    "detail": {
        "source": "oauth2/token",
        "type": "oidc1:id", // ID token
        "claims": [] // list of consented claims
    }
}
{
    "type": "CUSTOMIZATION",
    "origin": "<client_id>", // client requesting token
    "action": "create-token",
    "account_id": "<account_id>", // subject of the token
    "tenant_id": "<tenant_id>" // tenant ID
    "source": "quasr.tokens/oauth2/authorize",
    "result": "PENDING",
    "detail": {
        "source": "oauth2/token",
        "type": "oauth2:access", // access token
        "scope": "" // consented scopes separated by spaces
    }
}

Response Format

The response are the custom claims to be injected into the token.

{
    "custom_claim": "<custom_value>",
    ...
}

You can't set the following custom claims:

  • nonce or client_id (if already present)

  • iss, aud, sub, iat, nbf, exp and jti

  • any claim starting with https://api.quasr.io/claims

Trying to set any of these claims will simply be ignored.

Example: Add Custom Claims to Tokens

Example to add a custom claim named magic with value test:

exports.handler = async function() {return { magic: 'test' }}

An example that calls an external API to fetch information for enriching tokens - you can use the fetch standard library, as the example below shows:

exports.handler = async function(event) {
  /*
  if your logic relies on the current account / tenant / client, 
  you can get its values from the event via:
  event.account_id
  event.tenant_id
  event.origin (client ID)
  */
  const response = await fetch('https://swapi.dev/api/people/1')
  const person = await response.json();
  return { "https://my.namespace.com/name": person.name}
}

Code Extensions can be assigned per client. Within client settings (available via API or Tenant Admin > Accounts > Client > Client Settings > OAuth2 Settings), you can set a code extension to be used for both ID token and/or access token.

If you're using the GraphQL API to assign the extension, you would set the extension's UUID via the following path (the "account" being the "client"): account.config.id_token_extension or account.config.access_token_extension

Setting up an extension to add custom claims to tokens in the Quasr Tenant Admin UI.
Configuration of token extensions in client OAuth 2.0 configuration under Accounts in the Quasr Tenant Admin UI.
Setting extensions for adding custom claims to ID or access tokens in the Quasr Tenant Admin UI