Attributes with the type SubjectDerivedAttribute not passed to id_token or userinfo #43

Closed
psagne opened this issue Feb 17, 2020 · 4 comments

Comments

@psagne

psagne commented Feb 17, 2020

We have some attributes which are passed from the authentication phase and retrieved using the SubjectDerivedAttribute definition.

It works without any problem using SAML. They are also resolved at the "authorize" step.
But the values are not resolved at the token or userinfo steps. There are just 0 values.

An example of the definitions we use:

    <AttributeDefinition id="email" xsi:type="SubjectDerivedAttribute" principalAttributeName="mail">
        <AttributeEncoder xsi:type="oidcext:OIDCString" name="email"  placeToIDToken="true" denyUserinfo="false"/>
    </AttributeDefinition>
@psagne
Author

psagne commented Feb 19, 2020

After reading the doc a little better, I added setToToken="true" to the AttributeEncoder, like this:

    <AttributeDefinition id="email" xsi:type="SubjectDerivedAttribute" principalAttributeName="mail">
        <AttributeEncoder xsi:type="oidcext:OIDCString" name="email"  placeToIDToken="true" denyUserinfo="false" setToToken="true"/>
    </AttributeDefinition>

In the DEBUG log, I see that the value is encoded into the authorization code, but not in the access token, so it is still not returned by the userinfo endpoint.
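A configuration check for the mistake discussed in this comment, added here as an example and not code from the extension or the reporter: it parses an attribute-resolver.xml and reports every OIDC encoder on a SubjectDerivedAttribute definition that userinfo may serve but that lacks setToToken="true". The sample resolver is constructed from the definitions quoted in the issue; the namespace URIs in it are assumptions.

```python
"""Lint attribute-resolver.xml for OIDC encoders on SubjectDerivedAttribute definitions
that lack setToToken="true" and so come back empty from the userinfo endpoint."""
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample modelled on the issue; namespace URIs are assumptions for IdP 3.x.
SAMPLE_RESOLVER = """<?xml version="1.0" encoding="UTF-8"?>
<AttributeResolver xmlns="urn:mace:shibboleth:2.0:resolver"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:oidcext="org.geant.idpextension.oidc.attribute.encoder">
  <!-- as in the issue: reaches the id_token, but userinfo gets 0 values -->
  <AttributeDefinition id="email" xsi:type="SubjectDerivedAttribute" principalAttributeName="mail">
    <AttributeEncoder xsi:type="oidcext:OIDCString" name="email" placeToIDToken="true" denyUserinfo="false"/>
  </AttributeDefinition>
  <!-- corrected form: the value is carried in the access token as well -->
  <AttributeDefinition id="given_name" xsi:type="SubjectDerivedAttribute" principalAttributeName="givenName">
    <AttributeEncoder xsi:type="oidcext:OIDCString" name="given_name" placeToIDToken="true" setToToken="true"/>
  </AttributeDefinition>
  <AttributeDefinition id="eppn" xsi:type="SubjectDerivedAttribute" principalAttributeName="eduPersonPrincipalName">
    <AttributeEncoder xsi:type="oidcext:OIDCString" name="eppn" placeToIDToken="true" denyUserinfo="true"/>
  </AttributeDefinition>
</AttributeResolver>
"""


def _local(tag):
    # Strip the namespace part from an ElementTree tag or attribute name.
    return tag.rsplit("}", 1)[-1]


def _flag(elem, name):
    return (elem.get(name) or "").strip().lower() == "true"


def find_userinfo_gaps(resolver_xml):
    """Return (definition id, claim name) for every OIDC encoder of a
    SubjectDerivedAttribute that userinfo may serve but the access token never carries."""
    gaps = []
    for defn in ET.fromstring(resolver_xml).iter():
        if _local(defn.tag) != "AttributeDefinition":
            continue
        if defn.get(XSI_TYPE, "").split(":")[-1] != "SubjectDerivedAttribute":
            continue  # only subject-derived values are reported as failing in this issue
        for enc in defn:
            if _local(enc.tag) != "AttributeEncoder":
                continue
            if not enc.get(XSI_TYPE, "").split(":")[-1].startswith("OIDC"):
                continue  # SAML encoders are not affected
            if _flag(enc, "denyUserinfo") or _flag(enc, "setToToken"):
                continue  # withheld from userinfo, or carried in the access token
            gaps.append((defn.get("id"), enc.get("name")))
    return gaps
```

Run it against the real resolver file with `find_userinfo_gaps(open(path).read())`; the eppn definition is not reported because denyUserinfo="true" keeps it out of userinfo on purpose.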

@psagne
Author

psagne commented Feb 19, 2020

With a little more digging:

  • the attributes defined this way are encoded inside the authz code in the "dl_claims_ui" and "dl_claims_id" fields, but the "dl_claims" field is empty
  • the attributes are present inside the id_token
  • inside the access token, the "dl_claims_ui" and "dl_claims" fields are both empty
  • as a result, the userinfo endpoint returns none of these attributes.

It seems like the generation of the access token tries only to get values from the attribute resolver, without taking care of the "dl_claims_ui" values encoded inside the authz code.

Precision: I am using v1.1.0 of the extension with Shibboleth IdP 3.4.6.

@psagne
Author

psagne commented Feb 20, 2020

With the implicit flow, it works as advised: the attributes defined with setToToken are properly encoded inside the token and returned by userinfo. So I really think the problem is passing the values from the code to the token in the "authorization code" flow.

@hjmikkon
Collaborator

Finally got this replicated and resolved. Thank you very much for the analysis: in short, it was all about the token endpoint ignoring the dl_claims_ui claims encoded in the authorization code.

The fix will be released in v1.1.1 and also for IDP4-compatible 2.0.0.
