OpenID Connect has been the cool cat on the JSON authorization catwalk for some time. It is a powerful extension to the basic authorization flows in OAuth2 that adds an id_token. The id_token is a JWT (JSON Web Token, pronounced 'jot', but you knew that) that is cryptographically signed and sometimes encrypted, depending on the contents. The id_token is separate from the traditional access_token and contains details such as which authorization service issued the token, when the user or entity authenticated, and when the token will expire.

OpenAM has supported OpenID Connect for a while, but a more recent feature is the ability to add scripting support to the returnable claims. Adding scripting here is a really powerful feature. Scripts can be either Groovy or JavaScript based, with a default Groovy script coming with OpenAM 13 out of the box. The script basically allows us to creatively map scopes into attribute data, either held on the user&
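An added example (not from the original post or from OpenAM): a relying-party check of the id_token fields described above, verifying the signature and then the issuer, expiry and authentication time. The HS256 shared secret, issuer URL, client id `myClient` and all sample claims are constructed assumptions, and the `aud` check goes beyond the fields the text names.

```python
import base64, hashlib, hmac, json, time

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input, key):
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def make_id_token(claims, key):
    """Stand-in for the authorization service: issue a constructed HS256 id_token."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    return f"{head}.{body}.{b64url(sign(f'{head}.{body}', key))}"

def validate_id_token(token, key, issuer, audience, now=None, max_age=None):
    """Return the claims if every check passes, otherwise raise ValueError."""
    now = time.time() if now is None else now
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm: the token's own header must not choose how it is verified.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(signature, sign(f"{head_b64}.{body_b64}", key)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))  # parsed only after the signature check
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    if max_age is not None and now - claims.get("auth_time", 0) > max_age:
        raise ValueError("authentication too old")
    return claims

# Constructed sample values, not taken from a real deployment.
KEY, ISSUER, NOW = b"demo-shared-secret", "https://openam.example.com/oauth2", 1_700_000_000
SAMPLE = make_id_token({"iss": ISSUER, "sub": "demo", "aud": "myClient",
                        "auth_time": NOW - 60, "exp": NOW + 3600}, KEY)
if __name__ == "__main__":
    print(validate_id_token(SAMPLE, KEY, ISSUER, "myClient", now=NOW))
```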