- Oracle Identity Cloud Service REST APIREST API for Oracle Identity Cloud Service
- Use Cases
- Managing Custom Claims
Managing Custom Claims
You can use the Oracle Identity Cloud Service REST API to add custom claims to an access token, an identity token, or both the tokens. Custom claims are rules that you can add to a token for the Oracle Identity Cloud Service tenant.
Note:
The custom claims feature is available with Oracle Identity Cloud Service Standard subscription and is disabled by default. You must contact Oracle Support Services to enable the feature for your Oracle Identity Cloud Service instance.https://tenant-base-url/admin/v1/CustomClaims/{id}
The following use case shows you how to:
-
Create a custom claim
-
Modify the custom claim
-
View the custom claim
-
Delete the custom claim
To manage the custom claim:
- Specify the headers on the cURL command line:
-H Authorization: Bearer <Access Token> -H Cache-Control: no-cache -H Accept:application/json
To obtain an access token, see Working with OAuth 2 to Access the REST API.
- Create the custom claim name
MyATCustomClaim
and valueMyATValue
for the access token by running the following command:curl -i -X POST https://tenant-base-url/admin/v1/CustomClaims
Example
curl -i -X POST https://tenant-base-url/admin/v1/CustomClaims
The following is an example of a JSON request body to create the custom claim:
{ "schemas": [ "urn:ietf:params:scim:schemas:oracle:idcs:CustomClaim" ], "name": "MyATCustomClaim", "value": "MyATValue", "expression": false, "mode": "always", "tokenType": "AT", "allScopes": true }
Attribute Description name
The custom claim name.
value
The custom claim value.
expression
Specify if the custom claim value is a user expression. You can determine the user expression by using the Users endpoints.
Value:
true
orfalse
Example User Expression
$user.name.formatted expression
with valueadmin opc
.$user.emails.0.type
expression with valuerecovery
.$user.emails.1.type
expression with valuework
.$user.urn:ietf:params:scim:schemas:oracle:idcs:extension:user:User.myCustomAttribute
expression with valuecustomValue
.
Based on user expressions, a claim returns either a single value attribute or all the attributes associated with the expression. For example, the following expressions return a single value within an array:$user.emails.0.value
$(user.emails[0].value)
While the following expressions return an array:$user.emails.*.value
$(user.emails[*].value)
allScopes
Specify if you want to associate the custom claim with a set of scopes or all the scopes.
Value:
true
orfalse
mode
Specify how you want to attach the custom claim to a token. always
: The custom claim will be attached to the token.
request
: The custom claim will be attached to the token only if it is requested or overridden.never
: The custom claim will not be attached to the token.
tokenType
Specify the token type.AT
: To add custom claim for an access token.IT
: To add custom claim for an identity token.BOTH
: To add custom claim for the access and identity token.
scopes
Optional. The Custom Claim will be embedded to tokens if any scope in the scopes array is requested in the token request. You can either specify
allScopes
equals totrue
with no associated scopes array or hasallScopes
equals tofalse
with associated scopes array.The following shows an example of the response body:
{ "schemas": [ "urn:ietf:params:scim:schemas:oracle:idcs:CustomClaim" ], "name": "MyATCustomClaim", "value": "MyATValue", "expression": false, "mode": "always", "tokenType": "AT", "allScopes": true, "id": "ddc7f88bea2a46258c593bddccaf2b86", "meta": { "created": "2019-05-17T04:33:43.640Z", "lastModified": "2019-05-17T04:33:43.640Z", "resourceType": "CustomClaim", "location": "https://tenant-base-url/admin/v1/CustomClaims/ddc7f88bea2a46258c593bddccaf2b86" }, "idcsCreatedBy": { "value": "bac027a9500c4db9a09f5cfbcbda5076", "type": "App", "display": "exampleDomainAdmin", "$ref": "https://tenant-base-url/admin/v1/Apps/bac027a9500c4db9a09f5cfbcbda5076" }, "idcsLastModifiedBy": { "value": "bac027a9500c4db9a09f5cfbcbda5076", "type": "App", "display": "exampleDomainAdmin", "$ref": "https://tenant-base-url/admin/v1/Apps/bac027a9500c4db9a09f5cfbcbda5076" } }
You can derive the user expression from the
/admin/v1/Users
endpoint. This is the JSON returned for an admin user.The values are parsed as String, and the bold in the sample shows how the values are derived for the following expressions.
Expression Value $user.name.formatted
"admin opc"
$user.emails.0.type
This expression and the next are an unlabelled array, with a number that starts from 0 to indicate the index of the element in the array.
"recovery"
$user.emails.1.type
"work"
$user.urn:ietf:params:scim:schemas:oracle:idcs:extension:user:User.myCustomAttribute
"customValue"
{ "idcsCreatedBy": { "type": "App", "display": "idcssm", "value": "32e72bc93b30417697f323d5fa7bbe2e", "$ref": "https://tenant1.identity.internal.oracle.com:8943/admin/v1/Apps/32e72bc93b30417697f323d5fa7bbe2e" }, "id": "60703e0bddcf4dae9add114179bf042d", "meta": { "created": "2018-11-08T02:39:01.932Z", "lastModified": "2018-11-13T09:44:55.668Z", "resourceType": "User", "location": "https://tenant1.identity.internal.oracle.com:8943/admin/v1/Users/60703e0bddcf4dae9add114179bf042d" }, "active": true, "displayName": "admin opc", "idcsLastModifiedBy": { "value": "f79371bb03914056821a8afb9da5066d", "display": "idcssso", "type": "App", "$ref": "https://tenant1.identity.internal.oracle.com:8943/admin/v1/Apps/f79371bb03914056821a8afb9da5066d" }, "nickName": "TAS_TENANT_ADMIN_USER", "userName": "admin@oracle.com", "urn:ietf:params:scim:schemas:oracle:idcs:extension:user:User": { "isFederatedUser": false, "myCustomAttribute": "customValue" }, "emails": [ { "verified": false, "primary": false, "secondary": false, "value": "admin@oracle.com", "type": "recovery" }, { "verified": false, "primary": true, "secondary": false, "value": "admin@oracle.com", "type": "work" } ], "urn:ietf:params:scim:schemas:oracle:idcs:extension:userState:User": { "locked": { "on": false } }, "name": { "familyName": "opc", "givenName": "admin", "formatted": "admin opc" } }
- Replace all the attributes for the custom claim id
ddc7f88bea2a46258c593bddccaf2b86
by running the following command:curl -i -X PUT https://tenant-base-url/admin/v1/CustomClaims/{id}
Example
curl -i -X PUT https://tenant-base-url/admin/v1/CustomClaims/246e8af829954faf8070602d51c45426
The following shows an example of the request body.
{ "schemas": [ "urn:ietf:params:scim:schemas:oracle:idcs:CustomClaim" ], "name": "MyATClaim1", "value": "MyATValue1", "expression": false, "mode": "request", "tokenType": "AT", "allScopes": true }
The following shows an example of the response indicating the request succeeded.
{ "idcsLastModifiedBy": { "type": "App", "value": "bac027a9500c4db9a09f5cfbcbda5076", "display": "exampleDomainAdmin", "$ref": "https://tenant-base-url/admin/v1/Apps/bac027a9500c4db9a09f5cfbcbda5076" }, "idcsCreatedBy": { "type": "App", "display": "exampleDomainAdmin", "value": "bac027a9500c4db9a09f5cfbcbda5076", "$ref": "https://tenant-base-url/admin/v1/Apps/bac027a9500c4db9a09f5cfbcbda5076" }, "mode": "request", "id": "ddc7f88bea2a46258c593bddccaf2b86", "value": "MyATValue1", "expression": false, "meta": { "created": "2019-05-17T04:33:43.640Z", "lastModified": "2019-05-17T04:41:13.177Z", "resourceType": "CustomClaim", "location": "https://tenant-base-url/admin/v1/CustomClaims/ddc7f88bea2a46258c593bddccaf2b86" }, "allScopes": true, "name": "MyATCustomClaim1", "tokenType": "AT", "schemas": [ "urn:ietf:params:scim:schemas:oracle:idcs:CustomClaim" ] }
- Set the
allScopes
tofalse
for the idddc7f88bea2a46258c593bddccaf2b86
by running the following command:curl -i -X PATCH https://tenant-base-url/admin/v1/CustomClaims/{id}
Example
curl -i -X PATCH https://tenant-base-url/admin/v1/CustomClaims/246e8af829954faf8070602d51c45426
The following shows an example of the request body.
{ "Operations": [ { "op": "replace", "path": "allScopes", "value": false } ], "schemas": [ "urn:ietf:params:scim:api:messages:2.0:PatchOp" ] }
The following shows an example of the response indicating the request succeeded.
{ "idcsLastModifiedBy": { "type": "User", "value": "210d294a075a4c86bbf6f958bceacf0c", "display": "admin opc", "$ref": "https://tenant-base-url/admin/v1/Users/ddc7f88bea2a46258c593bddccaf2b86" }, "idcsCreatedBy": { "type": "User", "display": "admin opc", "value": "ddc7f88bea2a46258c593bddccaf2b86", "$ref": "https://tenant-base-url/admin/v1/Users/210d294a075a4c86bbf6f958bceacf0c" }, "mode": "always", "id": "98e94996776845719cf3b737e565199a", "value": "MyATValue", "expression": false, "meta": { "created": "2019-05-31T05:43:32.518Z", "lastModified": "2019-05-31T05:58:10.362Z", "resourceType": "CustomClaim", "location": "https://tenant-base-url/admin/v1/CustomClaims/98e94996776845719cf3b737e565199a" }, "allScopes": false, "name": "MyATCustomClaim", "tokenType": "AT", "scopes": [ "phone" ], "schemas": [ "urn:ietf:params:scim:schemas:oracle:idcs:CustomClaim" ] }
- View all the custom claims in the tenant by running the following command:
curl -i -X GET https://tenant-base-url/admin/v1/CustomClaims
Example
curl -i -X GET https://tenant-base-url/admin/v1/CustomClaims
The following shows an example of the response body.{ "schemas": [ "urn:ietf:params:scim:api:messages:2.0:ListResponse" ], "totalResults": 5, "Resources": [ { "idcsLastModifiedBy": { "type": "App", "value": "bac027a9500c4db9a09f5cfbcbda5076", "display": "exampleDomainAdmin", "$ref": "https://tenant-base-url/admin/v1/Apps/bac027a9500c4db9a09f5cfbcbda5076" }, "idcsCreatedBy": { "type": "App", "display": "exampleDomainAdmin", "value": "bac027a9500c4db9a09f5cfbcbda5076", "$ref": "https://tenant-base-url/admin/v1/Apps/bac027a9500c4db9a09f5cfbcbda5076" }, "mode": "always", "id": "edf077cbae59435dab3f9de5ba1fd619", "value": "AlwaysAllScopesATValue", "expression": false, "meta": { "created": "2019-05-17T04:16:15.121Z", "lastModified": "2019-05-17T04:16:15.121Z", "resourceType": "CustomClaim", "location": "https://tenant-base-url/admin/v1/CustomClaims/edf077cbae59435dab3f9de5ba1fd619" }, "allScopes": true, "name": "AlwaysAllScopesATClaim10", "tokenType": "AT", "schemas": [ "urn:ietf:params:scim:schemas:oracle:idcs:CustomClaim" ] }, { "idcsLastModifiedBy": { "type": "App", "value": "bac027a9500c4db9a09f5cfbcbda5076", "display": "exampleDomainAdmin", "$ref": "https://tenant-base-url/admin/v1/Apps/bac027a9500c4db9a09f5cfbcbda5076" }, "idcsCreatedBy": { "type": "App", "display": "exampleDomainAdmin", "value": "bac027a9500c4db9a09f5cfbcbda5076", "$ref": "https://tenant-base-url/admin/v1/Apps/bac027a9500c4db9a09f5cfbcbda5076" }, "mode": "request", "id": "ddc7f88bea2a46258c593bddccaf2b86", "value": "MyATValue1", "expression": false, "meta": { "created": "2019-05-17T04:33:43.640Z", "lastModified": "2019-05-17T04:41:13.177Z", "resourceType": "CustomClaim", "location": "https://tenant-base-url/admin/v1/CustomClaims/ddc7f88bea2a46258c593bddccaf2b86" }, "allScopes": true, "name": "MyATCustomClaim1", "tokenType": "AT", "schemas": [ "urn:ietf:params:scim:schemas:oracle:idcs:CustomClaim" ] }, { "idcsLastModifiedBy": { "type": "App", "value": "bac027a9500c4db9a09f5cfbcbda5076", "display": "exampleDomainAdmin", "$ref": "https://tenant-base-url/admin/v1/Apps/bac027a9500c4db9a09f5cfbcbda5076" }, "idcsCreatedBy": { "type": "App", "display": "exampleDomainAdmin", "value": "bac027a9500c4db9a09f5cfbcbda5076", "$ref": "https://tenant-base-url/admin/v1/Apps/bac027a9500c4db9a09f5cfbcbda5076" }, "mode": "always", "id": "150d1eae9f0f4301a22312bd680aa4df", "value": "MyATValue", "expression": false, "meta": { "created": "2019-05-17T04:43:43.091Z", "lastModified": "2019-05-17T04:43:43.091Z", "resourceType": "CustomClaim", "location": "https://tenant-base-url/admin/v1/CustomClaims/150d1eae9f0f4301a22312bd680aa4df" }, "allScopes": true, "name": "MyATCustomClaim", "tokenType": "AT", "schemas": [ "urn:ietf:params:scim:schemas:oracle:idcs:CustomClaim" ] }, { "idcsLastModifiedBy": { "type": "App", "value": "bac027a9500c4db9a09f5cfbcbda5076", "display": "exampleDomainAdmin", "$ref": "https://tenant-base-url/admin/v1/Apps/bac027a9500c4db9a09f5cfbcbda5076" }, "idcsCreatedBy": { "type": "App", "display": "exampleDomainAdmin", "value": "bac027a9500c4db9a09f5cfbcbda5076", "$ref": "https://tenant-base-url/admin/v1/Apps/bac027a9500c4db9a09f5cfbcbda5076" }, "mode": "never", "id": "2680b220be904698b43575e3d654a88c", "value": "MyATValue2", "expression": false, "meta": { "created": "2019-05-17T04:44:40.777Z", "lastModified": "2019-05-17T04:44:40.777Z", "resourceType": "CustomClaim", "location": "https://tenant-base-url/admin/v1/CustomClaims/2680b220be904698b43575e3d654a88c" }, "allScopes": true, "name": "MyATCustomClaim2", "tokenType": "AT", "schemas": [ "urn:ietf:params:scim:schemas:oracle:idcs:CustomClaim" ] }, { "idcsLastModifiedBy": { "type": "App", "value": "bac027a9500c4db9a09f5cfbcbda5076", "display": "exampleDomainAdmin", "$ref": "https://tenant-base-url/admin/v1/Apps/bac027a9500c4db9a09f5cfbcbda5076" }, "idcsCreatedBy": { "type": "App", "display": "exampleDomainAdmin", "value": "bac027a9500c4db9a09f5cfbcbda5076", "$ref": "https://tenant-base-url/admin/v1/Apps/bac027a9500c4db9a09f5cfbcbda5076" }, "mode": "never", "id": "2c92cb2c39ce40bfba09e002f6a1358e", "value": "MyATValue3", "expression": false, "meta": { "created": "2019-05-17T04:45:42.926Z", "lastModified": "2019-05-17T04:45:42.926Z", "resourceType": "CustomClaim", "location": "https://tenant-base-url/admin/v1/CustomClaims/2c92cb2c39ce40bfba09e002f6a1358e" }, "allScopes": false, "name": "MyATCustomClaim3", "tokenType": "BOTH", "schemas": [ "urn:ietf:params:scim:schemas:oracle:idcs:CustomClaim" ] } ], "startIndex": 1, "itemsPerPage": 50 }
- View the custom claims in a tenant by providing the query parameter.
curl -i -X GET https://tenant-base-url/admin/v1/CustomClaims?attributes=(schema attributes)
Example
curl -i -X GET https://tenant-base-url/admin/v1/CustomClaims?attributes=request
The following shows an example of the response body after providing the query parameter
?attributes=request
:{ "schemas": [ "urn:ietf:params:scim:api:messages:2.0:ListResponse" ], "totalResults": 4, "Resources": [ { "name": "AlwaysAllScopesATClaim10", "id": "edf077cbae59435dab3f9de5ba1fd619", "value": "AlwaysAllScopesATValue" }, { "name": "MyATCustomClaim1", "id": "ddc7f88bea2a46258c593bddccaf2b86", "value": "MyATValue1" }, { "name": "MyATCustomClaim", "id": "150d1eae9f0f4301a22312bd680aa4df", "value": "MyATValue" }, { "name": "MyATCustomClaim2", "id": "2680b220be904698b43575e3d654a88c", "value": "MyATValue2" } ], "startIndex": 1, "itemsPerPage": 50 }
- Optionally, delete the custom claim from the tenant by running the following command:
curl -i -X DELETE https://tenant-base-url/admin/v1/CustomClaims/{id}
Example
curl -i -X DELETE https://tenant-base-url/admin/v1/CustomClaims/246e8af829954faf8070602d51c45426