androidopenid-connectpingfederateoidc-client

Encode my access token (JWT) with my own key value pair - Android


I am using a third-party identity provider (Ping Identity). I have configured the client_id, redirect_uri and discovery_uri in my OpenID connect client library (https://github.com/openid/AppAuth-Android).

I was able to successfully log in and got access_token and refresh_token. I am trying to embed some info in the access_token. But to encode i need the private key.

Question

I was wondering if there is an API that can be called with the help of the library that will encode it for me by calling the identity provider.

Thanks in advance :)


Solution

  • If custom claims are needed in access tokens, then they are usually included at the time of token issuance. Eg Ping Federate could make a JDBC connection to do this.

    If you are using an External IDP with no relationship to your data, then perhaps this is not possible. That is why the recommendation is to avoid using foreign access tokens. Note also that access tokens are only intended for APIs and it is recommended to avoid reading them directly in web or mobile clients.

    The usual technique is for the data owner to issue their own tokens after validating the external tokens, and adding any custom data / claims needed. Ideally use an Authorization Server for this, or perhaps your own API that acts as a token service, and which can store the token signing private key securely.