Synchronous

Setting up an extension to add custom claims to tokens in the Quasr Tenant Admin UI.

Extensions used for injecting custom claims in ID and/or access tokens are run synchronous. In this section we describe the event payload and required response format. If your extension runs into an error or times out it will simply be ignored.

Your extension can run up to 5 seconds though the overall process behind the relevant OAuth 2.0 endpoints will also time out after 10 seconds hence you should anticipate you need to return claims faster.

Configuration

Synchronous extensions are configured as part of the respective resource.

Configuration of token extensions in client OAuth 2.0 configuration under Accounts in the Quasr Tenant Admin UI.

Events

OAuth 2.0 Authorize Endpoint

{
    "type": "CUSTOMIZATION",
    "origin": "<client_id>", // client requesting token
    "action": "create-token",
    "account_id": "<account_id>", // subject of the token
    "tenant_id": "<tenant_id>" // tenant ID
    "source": "quasr.tokens/oauth2/authorize",
    "result": "PENDING",
    "detail": {
        "source": "oauth2/authorize",
        "type": "oidc1:id", // ID token
        "claims": [] // list of consented claims
    }
}

OAuth 2.0 Token Endpoint

{
    "type": "CUSTOMIZATION",
    "origin": "<client_id>", // client requesting token
    "action": "create-token",
    "account_id": "<account_id>", // subject of the token
    "tenant_id": "<tenant_id>" // tenant ID
    "source": "quasr.tokens/oauth2/authorize",
    "result": "PENDING",
    "detail": {
        "source": "oauth2/token",
        "type": "oidc1:id", // ID token
        "claims": [] // list of consented claims
    }
}
{
    "type": "CUSTOMIZATION",
    "origin": "<client_id>", // client requesting token
    "action": "create-token",
    "account_id": "<account_id>", // subject of the token
    "tenant_id": "<tenant_id>" // tenant ID
    "source": "quasr.tokens/oauth2/authorize",
    "result": "PENDING",
    "detail": {
        "source": "oauth2/token",
        "type": "oauth2:access", // access token
        "scope": "" // consented scopes separated by spaces
    }
}

Response Format

The response are the custom claims to be injected into the token.

{
    "custom_claim": "<custom_value>",
    ...
}

You can't set the following custom claims:

  • nonce or client_id (if already present)

  • iss, aud, sub, iat, nbf, exp and jti

  • any claim starting with https://api.quasr.io/claims

Trying to set any of these claims will simply be ignored.

Example: Add Custom Claims to Tokens

Example to add a custom claim named magic with value test:

exports.handler = async function() {return { magic: 'test' }}

An example that calls an external API to fetch information for enriching tokens - you can use the fetch standard library, as the example below shows:

exports.handler = async function(event) {
  /*
  if your logic relies on the current account / tenant / client, 
  you can get its values from the event via:
  event.account_id
  event.tenant_id
  event.origin (client ID)
  */
  const response = await fetch('https://swapi.dev/api/people/1')
  const person = await response.json();
  return { "https://my.namespace.com/name": person.name}
}

Code Extensions can be assigned per client. Within client settings (available via API or Tenant Admin > Accounts > Client > Client Settings > OAuth2 Settings), you can set a code extension to be used for both ID token and/or access token.

If you're using the GraphQL API to assign the extension, you would set the extension's UUID via the following path (the "account" being the "client"): account.config.id_token_extension or account.config.access_token_extension

Setting extensions for adding custom claims to ID or access tokens in the Quasr Tenant Admin UI
PreviousExtensionsNextAsynchronous

Last updated