Description
We have written FSDefaultOIDCClaimsCallbackHandler [1] extending DefaultOIDCClaimsCallbackHandler to add consent_id as a jwt access token claim. To engage this, we are setting enable_claims_separation_for_access_tokens = false in IS deployment.toml.
However, this overrides the default behavior in IS, because:

- Access token claims cannot be added when `enable_claims_separation_for_access_tokens` is set to false. This is due to the logic at [2], where this configuration is checked before updating the access token claims.
- When `enable_claims_separation_for_access_tokens` is set to false, the IS default `JWTAccessTokenOIDCClaimsHandler` is not engaged. This is due to the logic at [3], where it decides which claims handler to engage based on the config.
Proposed Solution: Instead of using FSDefaultOIDCClaimsCallbackHandler, a JWTAccessTokenClaimProvider [4] can be added to set consent_id as a jwt access token claim. If we follow this approach, there is no need to set `enable_claims_separation_for_access_tokens` to false, and IS default behavior will be preserved.
OB Internal Ticket: https://github.com/wso2-enterprise/wso2-ob-internal/issues/1281
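A sketch of the proposed-solution shape, added here as an illustration and not code from the issue or from the FS/IS code base: a claim provider that contributes consent_id to the JWT access token without touching the claims-separation config. The interface name JWTAccessTokenClaimProvider comes from [4]; the method signatures, the `consent_id` context property name and the OSGi registration below are assumptions and must be checked against the interface at [4].

```java
package org.example.oidc; // hypothetical package for this illustration

import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCacheEntry; // not used if property is on the context
import org.wso2.carbon.identity.oauth2.authz.OAuthAuthzReqMessageContext;
import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
import org.wso2.carbon.identity.openidconnect.JWTAccessTokenClaimProvider;

/**
 * Adds consent_id as a JWT access token claim via the provider extension point
 * instead of overriding DefaultOIDCClaimsCallbackHandler, so
 * enable_claims_separation_for_access_tokens can stay at its default.
 */
public class ConsentIdAccessTokenClaimProvider implements JWTAccessTokenClaimProvider {

    // Assumed: consent_id is stored on the request context earlier in the flow
    // (e.g. by the consent step) and is never read from client-supplied parameters.
    private static final String CONSENT_ID_PROPERTY = "consent_id";
    private static final String CONSENT_ID_CLAIM = "consent_id";

    @Override // signature assumed; align with [4]
    public Map<String, Object> getAdditionalClaims(OAuthAuthzReqMessageContext context)
            throws IdentityOAuth2Exception {
        return claimFrom(context.getProperty(CONSENT_ID_PROPERTY));
    }

    @Override // signature assumed; align with [4]
    public Map<String, Object> getAdditionalClaims(OAuthTokenReqMessageContext context)
            throws IdentityOAuth2Exception {
        return claimFrom(context.getProperty(CONSENT_ID_PROPERTY));
    }

    // Emit the claim only when a non-empty value is present; otherwise contribute
    // nothing so the token is issued without a misleading empty consent_id.
    private static Map<String, Object> claimFrom(Object value) {
        if (!(value instanceof String) || ((String) value).trim().isEmpty()) {
            return Collections.emptyMap();
        }
        Map<String, Object> claims = new HashMap<>();
        claims.put(CONSENT_ID_CLAIM, value);
        return claims;
    }
}
```

The provider is expected to be registered as an OSGi service (assumed: `bundleContext.registerService(JWTAccessTokenClaimProvider.class.getName(), new ConsentIdAccessTokenClaimProvider(), null)` from the bundle activator) so IS picks it up alongside its default claims handler.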