This extension populates the OpenID Connect ID token with additional claims read from an RDBMS. This is useful when claims that do not originate from the user store need to be inserted into the ID token.


Make sure the following are installed properly.

Step 1: Building the extension

Clone this repository.

git clone

Go to the wso2-is-custom-claim-provider directory and run the Maven build command.

mvn clean install

On a successful build the extension JAR will be available in the target directory. Copy the extension (custom-claim-provider-6.0.53.jar) to WSO2_IS_HOME/repository/components/dropins/.

Step 2: Setting up Database

In this guide we use a PostgreSQL database. Create a database named user_role_db. Use dbscript/schema.sql to create the table in that database, then execute dbscript/data.sql to populate it with sample data.

Step 3: Setting up WSO2 Identity Server

Do the basic WSO2 Identity Server installation as mentioned in the prerequisites. Download the PostgreSQL JDBC driver and copy it to WSO2_IS_HOME/repository/components/lib/. In conf/roles-datasources.xml, modify the host, port and database name in the url, and the username and password, according to your PostgreSQL installation and Step 2. Copy the modified conf/roles-datasources.xml to WSO2_IS_HOME/repository/conf/datasources/. Finally, restart the WSO2 Identity Server.

Step 5: Testing

Create the users alex and john from the management console and assign them the default admin role. Create an OAuth/OpenID Connect service provider and note its ClientID and ClientSecret for testing. Obtain an ID token by invoking the following command from a terminal, after updating the parameters according to the registered user alex and the service provider.

curl -k -d "grant_type=password&username=alex&password=Admin@123" -H "Authorization: Basic base64encode(clientID:ClientSecret)" -H "Content-Type: application/x-www-form-urlencoded" https://localhost:8243/token



The following will be the claims section of the decoded ID token:

{
  "at_hash": "WjeF-jowxQTurBagp0MRrQ",
  "aud": "FFlZgWzp0fPME_269JWjfffqfLka",
  "sub": "alex",
  "nbf": 1555565861,
  "azp": "FFlZgWzp0fPME_269JWjfffqfLka",
  "amr": [
  ],
  "iss": "https://localhost:9443/oauth2/token",
  "permission": {
    "rdb_role": {
      "action": "read"
    },
    "spark_role": {
      "action": "admin,read"
    }
  },
  "exp": 1555569461,
  "iat": 1555565861
}

Note that the permission claim is added by the custom claim provider.
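As an added helper for the testing step (this is example code, not part of the extension or of WSO2 Identity Server), the script below decodes the ID token returned by the /token call, checks the subject, audience and nbf/exp window, and extracts the roles and actions from the custom permission claim. It builds a constructed sample token with the same claims as the decoded token above and a dummy signature segment, so it runs offline; the signature is not verified here, so beyond a local smoke test the token should be validated against the Identity Server's JWKS before any claim is trusted.

```python
"""Inspect the ID token from the /token response and read the custom
"permission" claim.  Added example; not the extension's own code.

No signature verification is performed: this is a local inspection helper.
"""
import base64
import json
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed sample: header and payload shaped like the decoded token shown
# in the README, joined with a dummy signature.  Not a token issued by WSO2 IS.
SAMPLE_PAYLOAD = {
    "sub": "alex",
    "aud": "FFlZgWzp0fPME_269JWjfffqfLka",
    "iss": "https://localhost:9443/oauth2/token",
    "nbf": 1555565861,
    "exp": 1555569461,
    "iat": 1555565861,
    "permission": {
        "rdb_role": {"action": "read"},
        "spark_role": {"action": "admin,read"},
    },
}
SAMPLE_ID_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps(SAMPLE_PAYLOAD).encode()),
    _b64url(b"dummy-signature"),
])


def decode_payload(id_token: str) -> dict:
    """Return the JWT payload as a dict (signature is NOT verified)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def permissions(claims: dict) -> dict:
    """Map each role in the 'permission' claim to its list of actions.

    The provider emits actions as a comma-separated string ("admin,read");
    split it so callers get a list per role.
    """
    perm = claims.get("permission")
    if not isinstance(perm, dict):
        raise KeyError("permission claim missing: check that the dropin JAR "
                       "and roles-datasources.xml are in place")
    return {
        role: [a.strip() for a in entry.get("action", "").split(",") if a.strip()]
        for role, entry in perm.items()
    }


def check_token(id_token: str, expected_sub: str, expected_aud: str,
                now: Optional[int] = None) -> dict:
    """Check sub, aud and the nbf/exp window, then return the permissions."""
    claims = decode_payload(id_token)
    now = int(time.time()) if now is None else now
    if claims.get("sub") != expected_sub:
        raise ValueError(f"unexpected sub {claims.get('sub')!r}")
    # 'aud' may be a single string or a list of strings per the OIDC spec.
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if expected_aud not in aud_list:
        raise ValueError("token was issued for a different client")
    if not (claims["nbf"] <= now < claims["exp"]):
        raise ValueError("token is outside its nbf/exp validity window")
    return permissions(claims)


if __name__ == "__main__":
    # With a real response, read the "id_token" field of the /token JSON and
    # pass it here instead of the constructed sample.
    print(json.dumps(check_token(SAMPLE_ID_TOKEN, "alex",
                                 "FFlZgWzp0fPME_269JWjfffqfLka",
                                 now=1555565900), indent=2))
```

If the permission claim is absent, the script raises a KeyError naming the two things to re-check (the JAR in dropins/ and the datasource file), which is the usual cause when the rest of the token looks normal.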