Shibboleth IDP for OAuth2
cantor.2 at osu.edu
Tue Aug 9 18:40:01 UTC 2022
> Is there maybe any special setting that I could check?
I suspect you're issuing a first-party (OP only) token here. If the audience set is empty, the OP is only issuing tokens to itself, which means a) they shouldn't need be JWTs and b) they definitely don't need any custom claims.
If a resource server is identified and is an acceptable token audience, then the code behaves very differently and will include other claims, allow for encryption, etc.
More information about the users