oauth2: Removes unknown claims from userinfo endpoint

ory · Dec 10, 2017 · 16d1ea9 · 16d1ea9
1 parent e8e7aeb
commit 16d1ea9
Showing 1 changed file with 11 additions and 1 deletion.
diff --git a/oauth2/handler.go b/oauth2/handler.go
@@ -201,7 +201,17 @@ func (h *Handler) UserinfoHandler(w http.ResponseWriter, r *http.Request, _ http
 		return
 	}
 
-	h.H.Write(w, r, ar.GetSession().(*Session).IDTokenClaims().ToMap())
+	interim := ar.GetSession().(*Session).IDTokenClaims().ToMap()
+	delete(interim, "aud")
+	delete(interim, "iss")
+	delete(interim, "nonce")
+	delete(interim, "at_hash")
+	delete(interim, "c_hash")
+	delete(interim, "auth_time")
+	delete(interim, "iat")
+	delete(interim, "exp")
+
+	h.H.Write(w, r, interim)
 }
 
 // swagger:route POST /oauth2/revoke oAuth2 revokeOAuth2Token