I am following this article in terms of creating a custom claim and getting that value back in the access_token. I am able to see the claim when I hit the /claims endpoint. However, when I hit the /token endpoint following the Authorization Code Flow and decode the access_token, I don't see the custom claim the way I am supposed to see it.
And you configured the claim to be included in the Access Token, not the ID Token, right? Did you set it to be included with any scope or only a specific one?
Another possible cause would be if the custom claim is mapped to an application or UD user profile attribute that is not populated for the user you are testing with. Any claim that evaluates to a null value will not be present in the token.
Thank you for the response. Yes, claims are configured to be included in Access Token. Attaching the screenshot of my claim for reference.
Also, just to make sure, I am getting this access token as part of the authorization code flow. My understanding is that the access token I get as part of the flow should contain the claim information.
One more thing: as part of the authorization code flow, the scopes I am requesting as part of the redirect_uri are openid profile. Not sure if I need to include any other scopes for these claims to be shown.
What type of application are you working with and what value are you trying to pull into the token? My guess is that app.domain is evaluating as null, thus the claim is not being included in the token.
I am trying to pull in anything unique to the app, for example the app name or app.clientid. I tried all types of app properties, but nothing seems to show up. In fact, I also used appuser.profile just to see if the claim is coming through in the token, which I know has a value.
Can you try using the following expression instead: app.clientId
If you are looking to include the application name or label, you will need to create a profile attribute for the application so that you can include it in a claim (a la app.profile.label). Complete details are provided in this help center article.
Are you ensuring that your application is correctly configured to reference the Custom Authorization Server where you created the claim (usually as the issuer or authority in OpenID Connect/OAuth integrations/libraries configurations), and not the Org Authorization Server or a different Custom Authorization Server?
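As an added diagnostic (not code from the original thread or from Okta), the following Python decodes the access token returned by /token without verifying it and checks the three things raised above: which authorization server's issuer the token carries, whether the scope the claim is bound to was actually granted, and whether the claim is present at all (a claim whose expression evaluates to null is simply omitted, so the last case is the one left over once issuer and scope check out). The org domain, client ID, claim name app_client_id and scope app_meta are hypothetical, the tokens are constructed for the example, and the issuer forms (bare org URL for the Org Authorization Server, /oauth2/<authServerId> for a Custom Authorization Server) are assumed from Okta's conventions.

```python
import base64
import json
from typing import Any, Dict, List, Optional

# Assumed issuer forms (hypothetical org domain). An Okta Org Authorization Server
# issues tokens with iss = the bare org URL; a Custom Authorization Server appends
# /oauth2/<authServerId>. Custom claims exist only on the server you defined them on.
ORG_ISSUER = "https://dev-123456.okta.com"
CUSTOM_ISSUER = "https://dev-123456.okta.com/oauth2/default"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_token(payload: Dict[str, Any]) -> str:
    """Build a constructed JWT for local testing only. The signature segment is a
    placeholder; nothing here verifies it, so never use this to mint real tokens."""
    header = {"alg": "RS256", "kid": "constructed-kid"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        "placeholder-signature",
    ])


def decode_unverified(token: str) -> Dict[str, Any]:
    """Return the payload of a compact JWS WITHOUT checking the signature.
    Fine for inspecting what /token handed back; never for authorization decisions."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return json.loads(_b64url_decode(parts[1]))


def diagnose_claim(token: str, claim_name: str, expected_issuer: str,
                   claim_scope: Optional[str] = None) -> Dict[str, Any]:
    """Check which authorization server minted the token, whether the scope the
    claim is bound to was granted, and whether the claim is present.
    claim_scope is None when the claim is configured for 'any scope'."""
    payload = decode_unverified(token)
    granted = list(payload.get("scp", []))  # Okta access tokens carry granted scopes in 'scp'
    issuer_ok = payload.get("iss") == expected_issuer
    scope_ok = claim_scope is None or claim_scope in granted
    present = claim_name in payload
    reasons: List[str] = []
    if not issuer_ok:
        reasons.append(f"token iss={payload.get('iss')!r} is not {expected_issuer!r}; "
                       "the app is pointed at a different authorization server")
    if not scope_ok:
        reasons.append(f"claim is bound to scope {claim_scope!r}; granted scopes are {granted}")
    if not present and issuer_ok and scope_ok:
        reasons.append("issuer and scope look right: check that the claim expression "
                       "(e.g. app.clientId) does not evaluate to null for this app/user")
    return {"issuer": payload.get("iss"), "scopes": granted, "issuer_ok": issuer_ok,
            "scope_ok": scope_ok, "claim_present": present,
            "claim_value": payload.get(claim_name), "reasons": reasons}


# Constructed sample tokens covering the three situations discussed in the thread.
BASE = {"sub": "00u1constructed", "cid": "0oa1constructedclient", "scp": ["openid", "profile"]}

# App pointed at the Org Authorization Server: the custom claim cannot be there.
TOKEN_FROM_ORG_SERVER = make_unsigned_token({**BASE, "iss": ORG_ISSUER})
# Right server, but the claim is bound to scope app_meta and only openid profile was granted.
TOKEN_SCOPE_NOT_REQUESTED = make_unsigned_token({**BASE, "iss": CUSTOM_ISSUER})
# Right server, scope granted, expression evaluated to the client ID: claim present.
TOKEN_WITH_CLAIM = make_unsigned_token({**BASE, "iss": CUSTOM_ISSUER,
                                        "scp": ["openid", "profile", "app_meta"],
                                        "app_client_id": "0oa1constructedclient"})

if __name__ == "__main__":
    cases = [("org server", TOKEN_FROM_ORG_SERVER, None),
             ("scope not requested", TOKEN_SCOPE_NOT_REQUESTED, "app_meta"),
             ("claim present", TOKEN_WITH_CLAIM, "app_meta")]
    for name, tok, scope in cases:
        r = diagnose_claim(tok, "app_client_id", CUSTOM_ISSUER, scope)
        print(f"{name}: claim {'present' if r['claim_present'] else 'missing'} {r['reasons']}")
```

To run it against a real token, paste the access_token string in place of one of the constructed ones and set expected_issuer to the issuer URL of the Custom Authorization Server the claim was created on. If the claim is bound to a specific scope, that scope also has to be in the scope parameter of the authorization request, otherwise it will never be in scp and the claim will be omitted.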