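I am looking for a clean way to add a claim with a sub-claim (the act claim) in the OIDC claims script of OpenAM 13.5.
I found this example (an implementation of may_act: https://forum.forgerock.com/2018/04/token-exchange-and-delegation/) and tried to reproduce it in a custom script, but it results in an error.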
```groovy
def act = [:]
act.put("sub","test_value")
claimAttributes = [
    "email": attributeRetriever.curry("mail"),
    "address": { claim, identity, requested -> [ "formatted" : attributeRetriever("postaladdress", claim, identity, requested) ] },
    "phone_number": attributeRetriever.curry("telephonenumber"),
    "given_name": attributeRetriever.curry("givenname"),
    "zoneinfo": attributeRetriever.curry("preferredtimezone"),
    "family_name": attributeRetriever.curry("sn"),
    "locale": attributeRetriever.curry("preferredlocale"),
    "name": attributeRetriever.curry("cn"),
    "act": act
]
// {scope}: [ {claim}, ... ]
scopeClaimsMap = [
    "email": [ "email" ],
    "address": [ "address" ],
    "phone": [ "phone_number" ],
    "profile": [ "given_name", "zoneinfo", "family_name", "locale", "name", "act" ]
]
```
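It seems that this solution still fails, and the mechanism involved is implemented later in the script (see line 104 at the link): https://framagit.org/teddyber/openam/blob/6abc59040d06d996c981e94b404d79f0b97e6b2b/openam-scripting/src/main/groovy/oidc-claims-extension.groovy
The first solution results in an error in the OAuth2Provider log.
I also tried inserting the claim just before the end of the script, but this results in an unreadable JWT / id_token: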
```groovy
computedClaims["act"] = act
return new UserInfoClaims((Map)computedClaims, (Map)compositeScopes)
```
Do you know of a second way to achieve this that uses/keeps the mechanism implemented in this script?