Maybe it's better to add another section with a header similar to "Security Best Practices" and include these details there as well.
Description (Optional):
Since the tenant domain and user store domain are internal information, exposing them as the local subject identifier in JWT access tokens and ID tokens raises the concern of exposing internal information to the outside. Thus, it is always recommended to add the following configurations to remove those values from JWT tokens.
Instructions:
If you want to remove the tenant domain from the access token subject identifier, then please add the following configuration to the IS deployment.toml file
If you want to remove the user store domain from the access token subject identifier, then please add the following configuration to the IS deployment.toml file
If you want to remove any of the aforementioned internal information (tenant domain and/or user store domain) from ID tokens as well, then in addition to the aforementioned configurations, please add the following configuration to the IS deployment.toml file as well.
For example, to remove both the tenant domain and the user store domain from JWT tokens (both access and ID tokens), add the following configurations to the IS deployment.toml file
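As an added verification helper (not part of this issue, the Accelerator, or WSO2 IS itself), the Python snippet below decodes a JWT payload and reports whether the `sub` claim still carries a user store domain prefix (`PRIMARY/`) or a tenant domain suffix (`@carbon.super`), which is how a local subject is formatted before the configuration is applied. The sample tokens, issuer URL and username are constructed for the demonstration.

```python
import base64
import json


def _b64url_decode(part: str) -> bytes:
    """Decode one base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT. The signature is NOT verified here;
    this is an inspection helper for reviewing issued tokens, not a validator."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def subject_exposure(sub: str, known_tenants=("carbon.super",)) -> dict:
    """Split a WSO2-style local subject (USERSTORE/username@tenantdomain) and
    report which internal parts are still present. Only suffixes listed in
    known_tenants count as tenant domains, so an email-style username such as
    alice@example.com is not mistaken for a tenant-qualified subject."""
    store, sep, rest = sub.partition("/")
    if not sep:
        store, rest = None, sub
    user, at, tenant = rest.rpartition("@")
    if not at or tenant not in known_tenants:
        user, tenant = rest, None
    return {
        "user_store_domain": store,
        "username": user,
        "tenant_domain": tenant,
        "exposes_internal_info": bool(store or tenant),
    }


def check_token(token: str, known_tenants=("carbon.super",)) -> dict:
    """Inspect the sub claim of an access or ID token."""
    return subject_exposure(jwt_payload(token)["sub"], known_tenants)


def _make_token(claims: dict) -> str:
    """Build an unsigned sample token for offline demonstration only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


# Constructed sample tokens: subject as issued before and after the config change.
BEFORE = _make_token({"sub": "PRIMARY/alice@carbon.super", "iss": "https://is.example/oauth2/token"})
AFTER = _make_token({"sub": "alice", "iss": "https://is.example/oauth2/token"})

if __name__ == "__main__":
    for label, tok in (("before", BEFORE), ("after", AFTER)):
        print(label, check_token(tok))
```

Run it against tokens issued by the deployment after restarting with the new configuration; `exposes_internal_info` should be `False` for both the access token and the ID token.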
Affected OB version:
OB3
Affected OB specifications:
Accelerator
Existing pages to be updated:
Accelerator Doc | Configuring Identity Server deployment.toml
References:
https://github.com/wso2-enterprise/financial-open-banking/issues/8299
Labels:
300, Acceerator, Type/enhancement