After a successful authentication and authorization step, ProAuth issues the requested tokens with the appropriate claims. The claims included in the issued tokens can be customized with the claim rule engine. However, mandatory or sensitive claims (i.e. sub) cannot be modified by the claim rule engine.
The purpose of the claim rule engine is:
- filter out claims that are not needed or not wanted
- change a claim’s type or value based on conditions
- add new claims based on conditions
- define the claim target (ID Token, Access Token, or both)
Before the tokens are issued, all claims (ProAuth claims and claims from a federated identity provider) are processed by the claim rule engine. Only the resulting claims are added to the tokens that are issued.
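
The following Python sketch is an added illustration of the processing described above; it is not ProAuth code or ProAuth rule syntax. The `Claim`, `Rule`, `apply_rules`, `build_tokens` and `has` names, the rule shape, and the sample claims are all assumptions made for the example, as is the choice to drop any rule output that would create a protected claim.

```python
# Conceptual model only: the rule shape and all names are assumptions, not ProAuth syntax.
from dataclasses import dataclass
from typing import Callable, Optional

PROTECTED = {"sub"}  # the page names sub as a claim that rules cannot modify
ID, ACCESS = "id_token", "access_token"

@dataclass(frozen=True)
class Claim:
    type: str
    value: str
    targets: frozenset = frozenset({ID, ACCESS})  # default target: both tokens

@dataclass
class Rule:
    condition: Callable[[list], bool]  # evaluated over all current claims
    transform: Callable[[Claim], Optional[Claim]] = lambda c: c  # None drops the claim
    add: tuple = ()  # claims appended when the condition holds

def apply_rules(claims, rules):
    """Run the rules in order; protected claims pass through untouched."""
    protected = [c for c in claims if c.type in PROTECTED]
    working = [c for c in claims if c.type not in PROTECTED]
    for rule in rules:
        if rule.condition(protected + working):
            working = [t for t in map(rule.transform, working) if t is not None]
            # assumption of this model: a rule may not add or rename into a protected type
            working = [c for c in working + list(rule.add) if c.type not in PROTECTED]
    return protected + working

def build_tokens(claims):
    """Only the resulting claims reach the tokens, split by claim target."""
    tokens = {ID: {}, ACCESS: {}}
    for c in claims:
        for target in c.targets:
            tokens[target][c.type] = c.value
    return tokens

def has(claim_type, value=None):
    return lambda cs: any(c.type == claim_type and value in (None, c.value) for c in cs)

# Constructed input: ProAuth claims plus claims from a federated identity provider.
INCOMING = [Claim("sub", "user-123"), Claim("email", "alice@example.com"),
            Claim("groups", "Domain Admins"), Claim("idp_session", "abc")]
RULES = [
    Rule(has("idp_session"), lambda c: None if c.type == "idp_session" else c),  # filter
    Rule(has("groups", "Domain Admins"), lambda c: Claim("role", "admin", frozenset({ACCESS}))
         if c.type == "groups" else c),  # change type, value and target
    Rule(has("email"), add=(Claim("email_verified", "true", frozenset({ID})),)),  # add
    Rule(lambda cs: True, add=(Claim("sub", "overridden"),)),  # dropped: sub is protected
]
TOKENS = build_tokens(apply_rules(INCOMING, RULES))
```

In this model the ID token ends up with `sub`, `email` and `email_verified`, the access token with `sub`, `email` and `role`, and the federated `idp_session` claim reaches neither.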