
Manage OpenID Connect attribute mappings

You can map OpenID Connect attributes to default attributes in the organization. This allows applications that implement OpenID Connect login to receive user information in the ID token.

View OpenID Connect attributes

To view the OpenID Connect attributes available for your organization:

  1. On the WSO2 Identity Server Console, go to User Attributes & Stores > Attributes > Manage Attribute Mappings.
  2. Click OpenID Connect.


The page lists the OpenID Connect attributes that are currently mapped.

Add an OpenID Connect attribute

WSO2 Identity Server supports some OpenID Connect attributes by default. You can add new OpenID Connect attributes as follows:

  1. On the WSO2 Identity Server Console, go to User Attributes & Stores > Attributes > Manage Attribute Mappings.
  2. Click OpenID Connect > New Attribute.
  3. Enter values for the following properties:

    OpenID Connect Attribute: The OpenID Connect attribute name that will be shared with applications in the ID token and userinfo responses.
    User attribute to map to: Select the default attribute that should be mapped to the new OIDC attribute.

  4. Click Save.

For example, shown below is an OpenID Connect attribute mapped to a user attribute in WSO2 Identity Server:

OpenID Connect Attribute | User attribute to map to
email_home | http://wso2.org/claims/emails.home

You need to enable email_home as a requested attribute for your application and also add it to an OIDC scope. You can then configure your application to receive this user information when a user signs in.

After user authentication, you can find the email_home claim in the ID token, as shown below.

{
  "isk": "69b37037a2349763dc48e2a30a62c3feebf0b5823cf869e149352737ddc0ca63",
  "at_hash": "7qgloEmkz3kGBTtH7RI4qw",
  "sub": "[email protected]",
  "amr": [
    "BasicAuthenticator"
  ],
  "iss": "https://localhost:9443/oauth2/token",
  "given_name": "alice",
  "sid": "5580be2b-a12d-43a4-823a-9d1352b88269",
  "aud": "UEP40cZTZfxJfGdDWFmTrwqluxoa",
  "c_hash": "VlKxb3UhuYtFEG_VftAa0g",
  "nbf": 1625557031,
  "azp": "UEP40cZTZfxJfGdDWFmTrwqluxoa",
  "nickname": "nick",
  "exp": 1625560631,
  "iat": 1625557031,
  "family_name": "john",
  "email_home": "[email protected]"
}
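
On the application side, a mapped claim such as email_home should be read only after the ID token's signature and registered claims have been checked. The following is an added example, not code from WSO2 or from this page: it assumes an HS256 token signed with a constructed shared secret so that it runs offline (a deployment would verify against the issuer's published signing keys with a maintained JWT library), and read_mapped_claim, make_token and the e-mail values are hypothetical names and placeholders.

```python
import base64, hashlib, hmac, json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict, secret: bytes) -> str:
    """Constructed HS256 token so the example runs offline (assumption, see lead-in)."""
    head = _b64url(b'{"alg":"HS256","typ":"JWT"}') + "." + _b64url(json.dumps(claims).encode())
    return head + "." + _b64url(hmac.new(secret, head.encode(), hashlib.sha256).digest())

def read_mapped_claim(token, secret, issuer, client_id, claim, now, skew=60):
    """Return the mapped claim only after signature and registered-claim checks pass."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_unb64url(header_b64)).get("alg") != "HS256":  # pin the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in ([aud] if isinstance(aud, str) else aud or []):
        raise ValueError("wrong audience")
    if claims.get("azp", client_id) != client_id:
        raise ValueError("wrong authorized party")
    exp, nbf = claims.get("exp"), claims.get("nbf", 0)
    if not isinstance(exp, int) or now - skew >= exp or now + skew < nbf:
        raise ValueError("token not valid at this time")
    # None: claim not released (not requested, not in a granted scope, or unset for the user)
    return claims.get(claim)

ISSUER = "https://localhost:9443/oauth2/token"   # iss, aud, azp and timestamps copied from the page's sample
CLIENT_ID = "UEP40cZTZfxJfGdDWFmTrwqluxoa"
SECRET = b"constructed-demo-secret"              # constructed, not a WSO2 value
SAMPLE = {"iss": ISSUER, "sub": "alice@example.com",   # e-mail values are constructed placeholders
          "aud": CLIENT_ID, "azp": CLIENT_ID,
          "nbf": 1625557031, "iat": 1625557031, "exp": 1625560631,
          "email_home": "alice.home@example.com"}

if __name__ == "__main__":
    token = make_token(SAMPLE, SECRET)
    print(read_mapped_claim(token, SECRET, ISSUER, CLIENT_ID, "email_home", now=1625557100))
```

A return value of None is the case to handle when email_home has not been enabled as a requested attribute or added to a scope the application was granted.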

Delete an OpenID Connect attribute

To delete the OpenID Connect attributes available in your organization:

  1. On the WSO2 Identity Server Console, go to User Attributes & Stores > Attributes.
  2. Under Manage Attribute Mappings, click OpenID Connect.
  3. Select the attribute you wish to delete.
  4. Click Delete and select the checkbox to confirm your action.
  5. Click Confirm.

Note

Only custom attributes can be deleted.