AM 2.8

Titouan Compiègne
Jul 17 · 3 min read

We are pleased to announce that Access Management 2.8 is now available.

What’s new?

Here are the highlights of this release:

  • Custom claims for tokens
  • OpenID Connect DCR Client templating
  • Usernames and emails case sensitivity

Add custom claims to Tokens

Most of the time, to get information about an authenticated user you must rely on the OpenID Connect ID Token or call the OpenID Connect UserInfo endpoint to request user data (known as Claims).

When it comes to securing APIs, OAuth 2.0 access tokens are used as opaque tokens to access authorized resources without further identification (to prevent personal information leaks if the access token is propagated to several services).

However, it can sometimes be useful to include resource owner attributes directly in access tokens, so that resource servers (i.e. APIs or an API gateway) can consume them directly for authorization or other purposes without any further round trips to the Introspection or UserInfo endpoints.

Including resource owner attributes in JWT access tokens should be done with care: verify that all privacy requirements are met before exposing them. AM 2.8.0 introduces a new Custom Token Claims feature to add extra information to the OAuth 2.0 Access Token and OpenID Connect ID Token.

Custom Claims for Tokens

You will be able to retrieve user information directly from your access tokens and also add custom information.

You can now discover this new feature via our quick-start.
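The value of custom claims for a resource server is that it can authorize from the token alone, with no introspection or UserInfo round trip, but only once the token itself has been verified. The following is an added example (not Gravitee AM code) of that resource-server side: it constructs an HS256-signed JWT in-line so it runs offline (an AM deployment would typically publish an asymmetric key, but the verify-before-trust logic is the same), pins the algorithm, checks signature, issuer, audience and expiry, and only then reads a hypothetical `roles` custom claim. The issuer URL, audience, secret and claim name are all assumed values.

```python
"""Resource-server check of a JWT access token carrying custom claims (added example)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"constructed-demo-secret"            # constructed; stands in for the issuer's key
EXPECTED_ISS = "https://am.example.test/oidc"  # placeholder issuer URL
EXPECTED_AUD = "orders-api"                    # placeholder audience (this resource server)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict) -> str:
    """Build a constructed HS256 JWT so the example has input; in production the IdP does this."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, now: Optional[int] = None) -> dict:
    """Return the claims only after alg, signature, iss, aud and exp checks all pass."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must never choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    # Claims are parsed only after the signature is known to be good.
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if EXPECTED_AUD not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("expired")
    return claims


def can_manage_orders(token: str, now: Optional[int] = None) -> bool:
    """Authorize from the custom claim directly, with no introspection round trip."""
    try:
        claims = verify_token(token, now)
    except ValueError:
        return False
    # 'roles' is a hypothetical custom claim name configured on the AM side.
    return "order-manager" in claims.get("roles", [])


if __name__ == "__main__":
    token = mint_token({"iss": EXPECTED_ISS, "aud": EXPECTED_AUD, "sub": "alice",
                        "exp": int(time.time()) + 300, "roles": ["order-manager"]})
    print(can_manage_orders(token))
```

Note that the payload is decoded only after the signature check, and the audience check matters as much as the signature: a token minted for another API may carry a valid signature and the same custom claim but must still be refused here.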

OpenID Connect DCR Client templating

OpenID Connect Dynamic Client Registration defines how an OpenID Connect Relying Party (a third-party application) can dynamically register with the OpenID Provider (i.e. Access Management) to obtain the information needed to use it (e.g. an OAuth 2.0 client_id).

Until now, only OpenID Connect protocol metadata could be set via the DCR feature, and users had to go back to the AM administration UI to add AM-specific settings (e.g. custom Email Templates, HTML Templates, Identity Providers …). AM 2.8 offers a new feature called DCR Client Templating that allows you to create client templates which are applied throughout the DCR registration process.

OpenID Connect DCR Client templates

You can now flag AM clients as AM client templates and retrieve them via the OpenID Connect Configuration Endpoint.

GET /oidc/.well-known/openid-configuration HTTP/1.1

The response will contain a unique software_id for each template that you can use in your OIDC registration request:

POST /oidc/register HTTP/1.1
Content-Type: application/json
Accept: application/json

By providing the software_id, the AM client template’s metadata is merged with the plain JSON elements of the request to create the new client. AM 2.8 also supports OAuth 2.0 default scopes and allowed scopes that you can apply during the registration process.
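The registration flow above has two messages from the Relying Party’s point of view: read the discovery document to find the template’s software_id, then POST a registration request carrying it and check what comes back. The following added example (not Gravitee AM code) models that client side offline. The discovery document and registration response are constructed; the key under which templates are listed (`client_templates`) and its fields are an assumption made for illustration, while `software_id`, `redirect_uris`, `scope`, `client_id` and `registration_access_token` are the standard RFC 7591/7592 fields.

```python
"""Relying-party side of OIDC Dynamic Client Registration with a template (added example)."""
import json
from urllib.parse import urlparse

# Constructed discovery response for GET /oidc/.well-known/openid-configuration.
# The 'client_templates' key and template fields are hypothetical.
DISCOVERY_DOC = json.dumps({
    "issuer": "https://am.example.test/oidc",
    "registration_endpoint": "https://am.example.test/oidc/register",
    "client_templates": [
        {"software_id": "tmpl-mobile-0001", "name": "mobile-app-template"},
        {"software_id": "tmpl-partner-0002", "name": "partner-api-template"},
    ],
})

# Constructed registration response (RFC 7591/7592 fields) for the request built below;
# the template added the 'email' scope as a default scope.
SAMPLE_RESPONSE = json.dumps({
    "client_id": "constructed-client-id-123",
    "client_secret": "constructed-client-secret",
    "redirect_uris": ["https://app.example.test/cb"],
    "scope": "openid profile email",
    "registration_access_token": "constructed-registration-access-token",
    "registration_client_uri": "https://am.example.test/oidc/register/constructed-client-id-123",
})


def find_template_software_id(discovery_json: str, template_name: str) -> str:
    """Pick the template's software_id out of the discovery document."""
    doc = json.loads(discovery_json)
    for tmpl in doc.get("client_templates", []):
        if tmpl.get("name") == template_name:
            return tmpl["software_id"]
    raise LookupError(f"no client template named {template_name!r}")


def _is_acceptable_redirect(uri: str) -> bool:
    """Only absolute https URIs, or plain http on the IPv4 loopback for native apps."""
    parsed = urlparse(uri)
    if parsed.scheme == "https" and parsed.hostname:
        return True
    return parsed.scheme == "http" and parsed.hostname == "127.0.0.1"


def build_registration_request(software_id: str, redirect_uris: list, scopes: list) -> dict:
    """Plain JSON body for POST /oidc/register; AM merges the template metadata into it."""
    for uri in redirect_uris:
        if not _is_acceptable_redirect(uri):
            raise ValueError(f"refusing redirect_uri {uri!r}")
    return {
        "software_id": software_id,
        "redirect_uris": list(redirect_uris),
        "scope": " ".join(scopes),
        "token_endpoint_auth_method": "client_secret_basic",
    }


def check_registration_response(request: dict, response_json: str) -> dict:
    """Validate the server's answer before the credentials are stored anywhere."""
    resp = json.loads(response_json)
    if "client_id" not in resp:
        raise ValueError("no client_id issued")
    if set(resp.get("redirect_uris", [])) != set(request["redirect_uris"]):
        raise ValueError("server changed redirect_uris; do not use this client")
    if "registration_access_token" not in resp:
        raise ValueError("no registration_access_token for later client management (RFC 7592)")
    requested = set(request["scope"].split())
    granted = set(resp.get("scope", "").split())
    # Default scopes coming from the template show up here; surface them for review.
    return {
        "client_id": resp["client_id"],
        "extra_scopes": sorted(granted - requested),
        "missing_scopes": sorted(requested - granted),
    }


if __name__ == "__main__":
    sid = find_template_software_id(DISCOVERY_DOC, "mobile-app-template")
    req = build_registration_request(sid, ["https://app.example.test/cb"], ["openid", "profile"])
    print(json.dumps(req, indent=2))
    print(check_registration_response(req, SAMPLE_RESPONSE))
```

The response check is the part worth keeping even once the template does most of the configuration: a registration whose redirect URIs differ from what was requested, or that hands back no registration access token, should be treated as a failed registration rather than silently stored.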

Usernames and emails case-sensitivity

Starting from 2.8, users created via AM User Management or the SCIM protocol have case-sensitive usernames.

That will prevent a situation where userA and usera both exist in the system and refer to different users.

This is a potential breaking change if you are upgrading from an older version of AM! Please be sure to follow the breaking change page before going further with this new version.

And more …

You can find the full changelog here and the list of deprecations and breaking changes here.

To discover all these new features, just follow the installation guide or start playing with it using Docker.

We look forward to your feedback and would be happy to talk and help you on our Gitter channel.

graviteeio Blog
