fix: apply a filter on technical claims during id_token generation

fixes gravitee-io/issues#6674
gravitee-io · Dec 3, 2021 · 8de4e50 · 8de4e50
1 parent 209597a
commit 8de4e50
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/...ain/java/io/gravitee/am/gateway/handler/oidc/service/idtoken/impl/IDTokenServiceImpl.java b/...ain/java/io/gravitee/am/gateway/handler/oidc/service/idtoken/impl/IDTokenServiceImpl.java
@@ -87,6 +87,11 @@ public class IDTokenServiceImpl implements IDTokenService {
     @Autowired
     private UserService userService;
 
+    /**
+     * Set of claims to exclude from the IDToken
+     */
+    private static final Set<String> EXCLUDED_CLAIMS = Set.of(ConstantKeys.OIDC_PROVIDER_ID_TOKEN_KEY);
+
     @Override
     public Single<String> create(OAuth2Request oAuth2Request, Client client, User user, ExecutionContext executionContext) {
         // use or create execution context
@@ -193,7 +198,11 @@ private IDToken createIDTokenJWT(OAuth2Request oAuth2Request, Client client, Use
 
             // 3. If no claims requested, grab all user claims
             if (!requestForSpecificClaims) {
-                userClaims.forEach((k, v) -> idToken.addAdditionalClaim(k, v));
+                userClaims.forEach((k, v) -> {
+                    if (!EXCLUDED_CLAIMS.contains(k)) {
+                        idToken.addAdditionalClaim(k, v);
+                    }
+                });
             }
         }