Extensions
Provides interoperability with CIAM systems, such as Microsoft Entra External ID.
The CIAM Interop extension provides interoperability with CIAM systems beyond what Idura Verify supports out-of-the-box.
Some CIAM systems require that OIDC providers always provide an email claim. Usually, eID providers do not provide emails. In order to enable the use of Idura Verify as a provider for these systems, the dummy_email_domain option can be used to synthesize the email claim where it does not exist.
If set, the extension will inspect the token claims and if no email is present in the input, add one with the value {user.sub}@{dummy_email_domain}. The user sub is a unique ID per user which is consistent between multiple logins on the same eID.
While some systems only require that the email is set, some also require the email_verified claim to be true. If the force_email_verified flag is enabled, the extension will set the email_verified claim in addition to the email claim.
Dummy Email Domains must be enabled. The extension will not set the email_verified claim if the email claim is already present in the input JWT.
Some CIAM providers do not support nested (object) claims in JWTs. The unnesting_namespace option can be used to flatten the incoming JWT.
If an unnesting_namespace is set, all nested claims (a.b.c) will be converted to namespaced claims ({unnesting_namespace}/a/b/c). Note: The unnesting namespace must begin with https://
For example, the OpenID standard address claim:
{
  "address": {
    "street_address": "value"
  }
}
will be flattened to:
{
  "{unnesting_namespace}/address/street_address": "value"
}
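The three options combined, as an added Python model of the behaviour described on this page (it is not Idura's code). The function name, the processing order (email first, then flattening), leaving top-level scalars and arrays untouched, and the sample claims are assumptions made for illustration.

```python
def apply_ciam_interop(claims, dummy_email_domain=None,
                       force_email_verified=False, unnesting_namespace=None):
    """Illustrative model of the CIAM Interop claim transformations."""
    if unnesting_namespace is not None and not unnesting_namespace.startswith("https://"):
        raise ValueError("unnesting_namespace must begin with https://")

    out = dict(claims)

    # Synthesize an email only when the input has none. The value is derived
    # from sub, so it is stable per user but is not a deliverable mailbox.
    if dummy_email_domain and "email" not in out:
        out["email"] = f"{out['sub']}@{dummy_email_domain}"
        # email_verified is only set together with a synthesized email,
        # never when the input already carried an email claim.
        if force_email_verified:
            out["email_verified"] = True

    if unnesting_namespace is None:
        return out

    flat = {}

    def walk(prefix, obj):
        # Turn a.b.c into {unnesting_namespace}/a/b/c
        for key, child in obj.items():
            path = f"{prefix}/{key}"
            if isinstance(child, dict):
                walk(path, child)
            else:
                flat[path] = child

    for key, value in out.items():
        if isinstance(value, dict):
            walk(f"{unnesting_namespace}/{key}", value)
        else:
            flat[key] = value  # assumption: non-object claims pass through unchanged
    return flat


# Constructed sample claims; sub and both domains are placeholders.
SAMPLE_CLAIMS = {"sub": "a1b2c3", "address": {"street_address": "value"}}

if __name__ == "__main__":
    print(apply_ciam_interop(SAMPLE_CLAIMS, "example.invalid", True,
                             "https://claims.example.invalid"))
```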