Can define additional claims on per-client basis

README.md

@@ -23,12 +23,27 @@ You can configure a list of clients (Relying Parties) in a `clients.yaml` file w
   secret: TOP_SECRET
   # The URL where user shall be redirected after authentication
   redirect_uri: https://mygit.mywebsite.com/
-  # If you want new accounts to be granted access to this client by default
+  # Optional, If you want new accounts to be granted access to this client by default
   default: true
-  # If you want the client to be granted to every user, regardless their account configuration
+  # Optional, If you want the client to be granted to every user, regardless their account configuration
   granted_to_all_users: true
-  # If you want users to have performed recent second factor authentication before accessing this client, set this setting to true
+  # Optional, If you want users to have performed recent second factor authentication before accessing this client, set this setting to true
   enforce_2fa_auth: true
+  # Optional, claims to be added to the ID token payload.
+  # The following placeholders can be set, they will the replaced when the token is created:
+  # * {username}: user name of the user
+  # * {mail}: email address of the user
+  # * {first_name}: first name of the user
+  # * {last_name}: last name of the user
+  # * {uid}: user id of the user
+  claims_id_token:
+    groups: ["group_{user}"]
+    service: "auth"
+  # Optional, claims to be added to the user info endpoint response
+  # The placeholders of `claims_id_token` can also be used here 
+  claims_user_info:
+    groups: ["group_{user}"]
+    service: "auth"
 ```
 
 On the first run, BasicOIDC will create a new administrator with credentials `admin` / `admin`. On first login you will have to change these default credentials.