I want to include all of the claims in our secondary user store with the JWT generated by APIM. We are using implicit authentication for our current task, so the user does have to authenticate to the IS. We are using federated authentication with JIT provisioning.
I have enabled:
<ClaimsRetrieverImplClass>org.wso2.carbon.apimgt.impl.token.DefaultClaimsRetriever</ClaimsRetrieverImplClass>
And set:
<ConsumerDialectURI>http://wso2.org/claims</ConsumerDialectURI>
And enabled:
<EnableTokenGeneration>true</EnableTokenGeneration>
But the JWT that is generated does not include the user's data, only the standard gateway claims, including enduser.
I have confirmed that the user is created in the DB and that the user's claims are stored in the table UM_USER_ATTRIBUTE. I did notice that in the primary user store (not federated) UM_USER_ATTRIBUTE is empty and UM_CLAIM is populated. Could it be that the JIT provisioning is putting the data in a table not checked by the ClaimsManager?
How do I get the user's claims (like email) to show up in the JWT?
IS 5.0.0, APIM 1.8.0
For anyone interested, here are two leads that have put me on the path to solving my issues.
I had more success if the data was coming from the primary user store. I'm not convinced that it wouldn't work using a secondary user store, but I only had success after switching to the primary user store and I haven't tested switching back.
The JWT configuration needs to be done on the server that is performing the KeyManager duties. In our case we have IS serving as our KeyManager so we have to make the configuration changes to api-manager.xml on the IS server.
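To tell whether a configuration change (on the KeyManager node, as the answer above notes) actually got the user store claims into the gateway's JWT, the quickest check is to decode the X-JWT-Assertion value the gateway sends to the backend and compare its claims against the ones you expect. The script below is an added example, not code from the question, the answer, or WSO2: it decodes a compact JWT without verifying it and reports which expected claim URIs are missing. The sample tokens are constructed inline; the claim names under http://wso2.org/claims (enduser, emailaddress, applicationname) and the issuer value are assumed for the sake of the example.

```python
import base64
import json

# Dialect from the question's <ConsumerDialectURI>; the claim names under it
# are assumptions for this example.
DIALECT = "http://wso2.org/claims"
EXPECTED_USER_CLAIMS = [DIALECT + "/enduser", DIALECT + "/emailaddress"]


def _b64url_encode(data: bytes) -> str:
    """Base64url without padding, the encoding JWT segments use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """Re-add the padding that JWT segments strip, then decode."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt(token: str):
    """Split a compact JWT and parse its header and payload.

    This does NOT verify the signature. It is for inspecting which claims
    the gateway put into X-JWT-Assertion, not for trusting them; a backend
    that relies on these claims must verify the token against the gateway's
    public certificate first.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected 3 dot-separated JWT segments, got %d" % len(parts))
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload


def missing_claims(payload: dict, expected: list) -> list:
    """Return the expected claim URIs that are absent from the payload."""
    return [claim for claim in expected if claim not in payload]


def check_token(token: str, expected: list = EXPECTED_USER_CLAIMS) -> list:
    """Decode the token and list which expected user claims it lacks."""
    _header, payload = decode_jwt(token)
    return missing_claims(payload, expected)


def _make_unsigned_token(payload: dict) -> str:
    """Build a constructed test token: real header/payload, dummy signature."""
    header = {"typ": "JWT", "alg": "RS256"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode("utf-8")),
        _b64url_encode(json.dumps(payload).encode("utf-8")),
        "signature-placeholder",  # never decoded by this script
    ])


# Constructed sample 1: what the question describes, only the standard
# gateway claims (including enduser), no user store claims.
SAMPLE_GATEWAY_ONLY = _make_unsigned_token({
    "iss": "wso2.org/products/am",          # assumed issuer value
    "exp": 1400000000,
    DIALECT + "/enduser": "jane@carbon.super",
    DIALECT + "/applicationname": "DefaultApplication",
})

# Constructed sample 2: the desired outcome, the email claim is present.
SAMPLE_WITH_USER_CLAIMS = _make_unsigned_token({
    "iss": "wso2.org/products/am",
    "exp": 1400000000,
    DIALECT + "/enduser": "jane@carbon.super",
    DIALECT + "/applicationname": "DefaultApplication",
    DIALECT + "/emailaddress": "jane@example.com",
})


if __name__ == "__main__":
    for label, token in [("gateway-only", SAMPLE_GATEWAY_ONLY),
                         ("with-user-claims", SAMPLE_WITH_USER_CLAIMS)]:
        print(label, "missing:", check_token(token) or "none")
```

In practice, point check_token at the value of the X-JWT-Assertion header captured at the backend (for example from a request log) rather than at the constructed samples; if enduser is present but emailaddress is not, the ClaimsRetriever is running but not finding the user's attributes, which is exactly the symptom described in the question.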