Feature : Requesting claims using the claims request parameter #308

Closed
tauinger-de opened this issue Sep 25, 2019 · 6 comments

@tauinger-de

tauinger-de commented Sep 25, 2019

Need claims in addition to scopes for OpenID Connect

Description

I am trying hard to get Twitch set up as an identity provider. However (as discussed in https://discuss.dev.twitch.tv/t/openid-connect-issues-using-fusionauth-scopes-are-not-provided/22627/3) Twitch doesn't support any other scope than "openid". To get access to the essential "email" claim, this must be requested with another "claims" parameter such as `&claims={"id_token":{"email":null,"email_verified":null},"userinfo":{"picture":null}}`

To me it seems that Fusionauth does not support this -- which would mean that I cannot employ Twitch as a provider :(

Is there a workaround for this?

Related Specification

https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims section 5.5

@robotdan
Member

From what I understand from reading that thread, the user:read:email scope (for example) will ensure that the JWT they send us back has enough privilege to read the user's email address when we request it from the User endpoint. ( https://api.twitch.tv/helix/users )

Here is the configuration I'm using:

Twitch OpenID Connect discovery: https://id.twitch.tv/oauth2/.well-known/openid-configuration

Authorization: https://id.twitch.tv/oauth2/authorize
Token: https://id.twitch.tv/oauth2/token
Userinfo: https://id.twitch.tv/oauth2/userinfo

When you configure the Twitch IdP you can either just specify https://id.twitch.tv/oauth2 as the issuer and we'll discover all of the endpoints, or you can manually enter each URL.

I can confirm that the Userinfo endpoint is not returning the email claim. Here is the JSON response from Twitch.

```json
{
  "aud" : "nxbhe55gj9twb9ld1q5j1pxrll4gmb",
  "exp" : 1569439555,
  "iat" : 1569438655,
  "iss" : "https://id.twitch.tv/oauth2",
  "nbf" : null,
  "sub" : "464160060",
  "jti" : null,
  "azp" : "nxbhe55gj9twb9ld1q5j1pxrll4gmb",
  "preferred_username" : "robotdan_fa"
}
```

Here is my configuration :

[Screenshot: Twitch identity provider configuration, taken 2019-09-25]

This is sort of strange because email is a registered OpenId Connect claim. I'll have to look at their documentation further to see if there is a way to request the email address.

@robotdan
Member

It does look like they document the claims parameter as was mentioned in the thread you posted.

https://dev.twitch.tv/docs/authentication/getting-tokens-oidc/#oidc-authorization-code-flow

This page lists out the default claims returned in the Userinfo response, this is consistent with what I'm seeing. https://dev.twitch.tv/docs/authentication/getting-tokens-oidc/#claims

According to their documentation, we would have to append another parameter to the request to Userinfo.

```
claims={"userinfo":{"email":null}}
```

We don't currently support adding additional request parameters to these requests.

This is a documented optional method to allow the caller to request particular claims. It is documented in section 5.5 in the OpenID Connect core spec. https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims

We could look at adding this capability so that we can work with Twitch and any other OIDC provider that may utilize this methodology.

@robotdan robotdan changed the title Need claims in addition to scopes for OpenID Connect Feature : Requesting claims using the claims request parameter Sep 25, 2019
@robotdan robotdan self-assigned this Sep 25, 2019
@robotdan
Member

@tauinger-de I may have an easy fix for you.

As a test, I made a small change to the way we call the Authorize endpoint to allow request parameters to be added to the configured URL.

This way, I configured my Twitch IdP as follows for the Authorization endpoint:

```
https://id.twitch.tv/oauth2/authorize?claims=%7B%22userinfo%22%3A%7B%22email%22%3Anull%7D%7D
```

I added `?claims=%7B%22userinfo%22%3A%7B%22email%22%3Anull%7D%7D` to the end of the endpoint to force this parameter on the request. `%7B%22userinfo%22%3A%7B%22email%22%3Anull%7D%7D` is the URL encoding of the following JSON: `{"userinfo":{"email":null}}`.

We should probably support the claims request parameter configuration at some point, but I can ship this minor change in the upcoming patch release. I have verified this will work for a Twitch login.

Look for Twitch to work in the upcoming patch release.
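The encoding used in the workaround above and the claims request described earlier in the thread, as an added example that is not part of this issue or of FusionAuth's code. It builds the claims parameter from a dict, attaches it to an authorize endpoint without breaking a query string the endpoint may already carry, and checks a userinfo response for claims that were requested but not returned; the endpoint and the sample response are the ones pasted in the thread, the function names are my own.

```python
import json
from urllib.parse import parse_qs, quote, urlencode, urlsplit, urlunsplit

# Endpoint from the thread; the userinfo response below is the one pasted above.
TWITCH_AUTHORIZE = "https://id.twitch.tv/oauth2/authorize"
SAMPLE_USERINFO = {
    "aud": "nxbhe55gj9twb9ld1q5j1pxrll4gmb", "exp": 1569439555, "iat": 1569438655,
    "iss": "https://id.twitch.tv/oauth2", "nbf": None, "sub": "464160060",
    "jti": None, "azp": "nxbhe55gj9twb9ld1q5j1pxrll4gmb", "preferred_username": "robotdan_fa",
}


def encode_claims(claims: dict) -> str:
    """Serialise an OIDC Core 5.5 claims request as compact JSON and percent-encode it.

    Compact separators matter: a space would become %20 and the value would no
    longer match the one pasted in the thread."""
    return quote(json.dumps(claims, separators=(",", ":")), safe="")


def add_claims_param(endpoint: str, claims: dict) -> str:
    """Attach claims=... to an authorize endpoint without clobbering its existing query.

    The whole query is re-serialised, so the result has exactly one '?' whether
    or not the configured URL already carried parameters."""
    parts = urlsplit(endpoint)
    query = parse_qs(parts.query, keep_blank_values=True)
    query["claims"] = [json.dumps(claims, separators=(",", ":"))]
    new_query = urlencode(query, doseq=True, quote_via=quote)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, new_query, parts.fragment))


def requested_claims(url: str) -> dict:
    """Decode the claims parameter of a built URL so what is being asked for can be reviewed."""
    query = parse_qs(urlsplit(url).query)
    return json.loads(query["claims"][0]) if "claims" in query else {}


def missing_userinfo_claims(claims: dict, userinfo: dict) -> set:
    """Names requested under "userinfo" that the provider's response did not include.

    Claims are voluntary unless marked essential, so an absent claim is something
    to log and surface to the integrator rather than silently ignore."""
    return {name for name in claims.get("userinfo", {}) if name not in userinfo}


if __name__ == "__main__":
    url = add_claims_param(TWITCH_AUTHORIZE, {"userinfo": {"email": None}})
    print(url)
    print("missing:", missing_userinfo_claims(requested_claims(url), SAMPLE_USERINFO))
```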

@tauinger-de
Author

Good morning, that sounds great! Thanks heaps for your efforts. Have you got a release date in mind?

@robotdan
Member

robotdan commented Sep 26, 2019

Opening a separate issue to track this small fix to make Twitch work with our current OpenId Connect configuration. We can use this issue to track the feature to add support for the claims request parameter during an Authorization request.

Issue #309

> Good morning, that sounds great! Thanks heaps for your efforts. Have you got a release date in mind?

You're welcome. No date in mind; there are a few minor fixes that I could probably get out in a small release. Maybe yet this week? Do you have an ideal timeline in mind?

@andrewpai

Closing this issue, as it seems to be covered by #309 .
