Boomer

Reputation: 3711

How to define list of user claims for OIDC /userinfo request

I have a custom UserStoreManager running in WSO2 Identity Server 5.0.0 as a secondary user store. It works perfectly for authenticating users. When using it with an OpenID Connect authentication, the expected claims are not returned to the client in the response of the /userinfo?schema=openid request. Logging in the custom UserStoreManager reveals that the method getUserPropertyValues() gets invoked with the following claim names:

["postalcode", "mail", "localityName", "sn", "cn", "nickName", "telephoneNumber", "gender", "givenName", "url", "country"]

The response to the /userinfo request actually returns only claims from that list. It is not possible to get other claims returned.

What I don't understand is where this list comes from. The configured claim mapping for "http://wso2.org/oidc/claim" defines, for example, "postalcode" as "Supported by Default=false" and "Required=false", so I don't expect it to be in the list. On the other hand, the claim "sub" (or the name it is mapped to, "uid") is not in the list, but its definition in dialect "http://wso2.org/oidc/claim" is

Furthermore, "sub" is a required claim by the definition of the OIDC spec (see http://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse).

Where can the list of claims be defined that should be returned by a /userinfo?schema=openid request for a successfully authenticated user?

Upvotes: 3

Views: 1451

Answers (1)

Ishara

Reputation: 301

Invoking the userinfo endpoint, we get the user's attribute values for the claims listed under the http://wso2.org/oidc/claim dialect.

In the claim configuration we have a claim URI and a particular attribute in the user store (for the primary store, and the default value for secondary user stores). Ex: http://wso2.org/oidc/claim/sub and its mapped attribute is uid.

If the secondary user store does not support this default attribute value, we have to configure it under the mapped attribute. Ex:

 secondary user store domain = SECONDARY_
 supported attribute value for sub = subject
 Configuration for mapped attribute = uid;SECONDARY_/subject

Now you will get the correct attribute value list passed to the getUserPropertyValues() method.

The following configurations are used in admin console profile management:

Supported by Default = true: in the admin console this attribute is available to edit by default.
Required = true: this attribute must be filled when you update the user profile.

Upvotes: 2
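As an added example (not WSO2 code and not part of the original answer), the following Python resolves a claim's mapped attribute per user store domain using the "default;DOMAIN/attribute" syntax the answer describes, builds the attribute list a user store would be asked for, and flags claims whose attribute never reached getUserPropertyValues(). The sample claim mapping, the domain name SECONDARY_ and attribute names such as subject and firstName are assumptions for illustration; the observed attribute list is the one quoted in the question.

```python
"""Resolve WSO2 IS claim "mapped attribute" strings per user store domain.

Illustrative example only; not code from WSO2 Identity Server. The syntax
handled is the one the answer describes: a default attribute, then optional
DOMAIN/attribute overrides separated by ';' (e.g. "uid;SECONDARY_/subject").
"""
from __future__ import annotations

from typing import Dict, List, Optional, Tuple

# Constructed sample claim configuration (claim URI -> mapped attribute).
# The domain SECONDARY_ and the attribute names are assumptions.
SAMPLE_CLAIM_MAPPING: Dict[str, str] = {
    "http://wso2.org/oidc/claim/sub": "uid;SECONDARY_/subject",
    "http://wso2.org/oidc/claim/email": "mail",
    "http://wso2.org/oidc/claim/given_name": "givenName;SECONDARY_/firstName;LDAP/givenName",
    "http://wso2.org/oidc/claim/postal_code": "postalcode",
}

# The attribute names the question reports getUserPropertyValues() received.
OBSERVED_ATTRS: List[str] = [
    "postalcode", "mail", "localityName", "sn", "cn", "nickName",
    "telephoneNumber", "gender", "givenName", "url", "country",
]


def parse_mapped_attribute(mapped: str) -> Tuple[str, Dict[str, str]]:
    """Split 'default;DOMAIN/attr;...' into (default, {DOMAIN: attr}).

    A malformed override (no '/', empty domain or attribute) raises ValueError
    so a typo in the claim configuration is caught instead of silently
    falling back to the default attribute for every domain.
    """
    parts = [p.strip() for p in mapped.split(";") if p.strip()]
    if not parts:
        raise ValueError("empty mapped attribute")
    default = parts[0]
    overrides: Dict[str, str] = {}
    for part in parts[1:]:
        domain, sep, attr = part.partition("/")
        if not sep or not domain or not attr:
            raise ValueError(f"malformed domain override: {part!r}")
        # Domain names are matched case-insensitively.
        overrides[domain.upper()] = attr
    return default, overrides


def resolve_attribute(mapped: str, domain: Optional[str]) -> str:
    """Attribute used for a user in `domain`; None means the primary store.

    A domain without its own override falls back to the default attribute.
    """
    default, overrides = parse_mapped_attribute(mapped)
    if domain is None:
        return default
    return overrides.get(domain.upper(), default)


def attributes_for_user_store(claim_mapping: Dict[str, str],
                              claim_uris: List[str],
                              domain: Optional[str]) -> List[str]:
    """Ordered attribute names a user store in `domain` would be asked for
    when the given claims are requested (what getUserPropertyValues() sees)."""
    return [resolve_attribute(claim_mapping[uri], domain) for uri in claim_uris]


def claims_not_requested(claim_mapping: Dict[str, str],
                         domain: Optional[str],
                         requested_attrs: List[str]) -> List[str]:
    """Claim URIs whose resolved attribute is absent from the list the user
    store actually received; these cannot show up in the /userinfo response."""
    requested = set(requested_attrs)
    return [uri for uri, mapped in claim_mapping.items()
            if resolve_attribute(mapped, domain) not in requested]


if __name__ == "__main__":
    uris = list(SAMPLE_CLAIM_MAPPING)
    print("primary:   ", attributes_for_user_store(SAMPLE_CLAIM_MAPPING, uris, None))
    print("SECONDARY_:", attributes_for_user_store(SAMPLE_CLAIM_MAPPING, uris, "SECONDARY_"))
    print("missing:   ", claims_not_requested(SAMPLE_CLAIM_MAPPING, "SECONDARY_", OBSERVED_ATTRS))
```

Running the script against the constructed mapping reports that the sub and given_name claims resolve to subject and firstName for the SECONDARY_ domain, neither of which appears in the attribute list the question quotes, which is the kind of mismatch to look for when a claim is missing from the /userinfo response.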
