c1f6d5ca64
Closes #31438 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
33 lines
1.4 KiB
Text
[id="mapping-organization-claims_{context}"]
= Mapping organization claims

[role="_abstract"]
To map organization-specific claims into tokens, a client requests the `organization` scope in its authorization requests to the server. When a user authenticates in the context of an organization, this scope maps information about the organizations of which the user is a member into the tokens.

As a result, the token contains a claim as follows:

```json
{
  "organization": {
    "acme": {}
  }
}
```

The `organization` claim can be used by clients (for example, from ID tokens) and by resource servers (for example, from access tokens) to authorize access to protected resources based on the organizations of which the user is a member. As with any claim, the consumer must first validate the token (signature, issuer, expiration and audience) before acting on its content.

The `organization` scope is a built-in optional client scope at the realm level. Therefore, this scope is added to any client created in the realm by default; because it is optional, it is mapped into tokens only when the client explicitly requests it.

The `organization` scope can be requested in different formats:

[cols="2*", options="header"]
|===
|Format |Description

| `organization` | Maps to a single organization if the user is a member of a single organization.
Otherwise, if the user is a member of multiple organizations, the user is prompted to select an organization when authenticating to the realm.
| `organization:<alias>` | Maps to a single organization with the given alias.
| `organization:*` | Maps to all organizations of which the user is a member.
|===
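The following is an added example, not code from Keycloak or from this page, showing both sides of the flow described above: a client building an authorization request that carries one of the three `organization` scope formats, and a resource server deciding on access from the resulting `organization` claim. The authorization endpoint, client id, redirect URI and the token payloads are constructed for illustration; the payloads stand in for claims that have already been verified (signature, issuer, expiration, audience), which this example does not do.

```python
"""Added example (not Keycloak's own code): request the organization scope
and authorize on the resulting claim. Endpoint, client id, redirect URI and
token payloads below are constructed for illustration."""
import re
from urllib.parse import urlencode

# The three accepted forms of the scope: "organization", "organization:<alias>",
# "organization:*". Alias charset is an assumption for this example.
_ORG_SCOPE = re.compile(r"^organization(?::(\*|[A-Za-z0-9][A-Za-z0-9._-]*))?$")


def build_authorization_url(auth_endpoint, client_id, redirect_uri, state,
                            org_scope="organization"):
    """Build an OIDC authorization-code request that asks for the organization scope.

    Rejects anything that is not one of the documented scope formats so a typo
    does not silently produce a token without the claim.
    """
    if not _ORG_SCOPE.match(org_scope):
        raise ValueError(f"invalid organization scope: {org_scope!r}")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        # openid is needed for an ID token; scopes are space separated
        "scope": f"openid {org_scope}",
        "state": state,
    }
    return f"{auth_endpoint}?{urlencode(params)}"


def member_organizations(claims):
    """Return the organization aliases present in an already verified payload.

    The claim is absent when the scope was not requested, and a consumer must
    not treat a missing or malformed claim as membership of anything.
    """
    org = claims.get("organization")
    if not isinstance(org, dict):
        return []
    return sorted(alias for alias in org if isinstance(alias, str))


def is_member(claims, required_alias):
    """Resource-server check: grant only if the token maps the required organization."""
    return required_alias in member_organizations(claims)


# Constructed token payloads (not real Keycloak output) used for demonstration.
SINGLE_ORG_CLAIMS = {"sub": "user-1", "organization": {"acme": {}}}
MULTI_ORG_CLAIMS = {"sub": "user-2", "organization": {"acme": {}, "globex": {}}}
NO_ORG_CLAIMS = {"sub": "user-3"}  # scope not requested: claim missing

if __name__ == "__main__":
    # Hypothetical realm endpoint and client; Keycloak's path layout is used
    # for the endpoint only to make the URL recognisable.
    url = build_authorization_url(
        "https://keycloak.example/realms/demo/protocol/openid-connect/auth",
        "my-app", "https://app.example/cb", "state-123", "organization:acme")
    print(url)
    print(member_organizations(MULTI_ORG_CLAIMS))
    print(is_member(NO_ORG_CLAIMS, "acme"))
```

The check is deliberately keyed on the alias names present as keys of the claim object, matching the shape shown above, and returns no membership at all when the claim is missing, which is what a resource server sees when the client did not request the scope.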