Shibboleth IDP for OAuth2

Florian Ritterhoff ritterhoff.florian at
Tue Aug 9 15:50:39 UTC 2022

Well okay. Thanks for the explanations.

Regarding the access_token: So far the desired attributes are available 
in the userinfo Endpoint so I guess that my attribute registry/filter 
should be okay? The access_token only contains a very basic set of 
"sub", "aud", "root_jti", "auth_time", "scope", "iss", "for_op", "exp", 
"iat", "client_id", "jti" claim.

Is there maybe any special setting that I could check?


Florian Ritterhoff

Am 09.08.2022 um 16:55 schrieb Cantor, Scott via users:
> Any custom claims that get past the attribute filter and that don't collide with reserved claim names (or that are mapped to other claim names via the registry layer) will be added to the access token if it's in JWT format, that's automatic.
> If they're not present, they weren't resolved (or couldn't be resolved on the token endpoint and needed to be embedded in the authorization code instead), or weren't released by the filter.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4816 bytes
Desc: S/MIME Cryptographic Signature
URL: <>

More information about the users mailing list