Client Credentials Applications Custom Metadata

Hi.

I am currently evaluating Okta as our repository of client applications and I am finding it quite difficult to find an answer to this question: can we supply custom values per client on the JWT?

Here’s my usecase:

We are currently looking to build an API layer that wraps a third party vendor’s systems. We expect each client on Okta to have a dedicated username and password on the vendor’s systems, along with a set of values that would limit their access to the system (such as concurrent open connections, not requests, and so on).

We have already established a working POC using a custom-built Spring Boot OAuth2 server with a custom schema, and we are looking to achieve the same behaviour using Okta. The only part that I am missing is to include a set of claims within the JWT that is returned by Okta (including the client’s username and password on the vendor’s system). I get that perhaps we shouldn’t include such sensitive data on the JWT, however we are currently only trying to understand what is possible at this point.

Thanks you very much.

Justin

You can include custom claims in the jwt with Okta, but they are related to the user’s profile.

You could use the state parameter during an oauth flow with your own custom jwt. In addition to storing information to mitigate against [x|c]srf, you could put additional claims to identify the vendor’s information. (As you point out, it’s not a good idea to put sensitive information in a jwt)

This approach is defined in detail here: https://tools.ietf.org/html/draft-bradley-oauth-jwt-encoded-state-05

1 Like