Forum Discussion
OAuth 2.0, OpenID Connect and claims
In my lab I'm playing with OAuth 2.0 and OpenID Connect. In my setup I've configured both an Authorisation Server VS and a Resource Server VS. I'm using a separate client running on a Linux box. This is a simple PHP OpenID Connect Basic Client (https://github.com/jumbojett/OpenID-Connect-PHP).
The authentication and authorization are working, but I have some problems with the userinfo claims. It seems that some claims are not working. These seem to be claims that are maybe reserved, like 'given_name' and 'name'. Other claims like 'test' or 'test_claim' are working fine. My question is, how can I add claims like 'given_name' or 'name'? I think these would be valid userinfo claims to be requested by the client.
Here is a basic example of what the client looks like:
<?php
require __DIR__ . '/vendor/autoload.php';
use Jumbojett\OpenIDConnectClient;
// Placeholders: the issuer URL, client ID and client secret were not included in the post.
$oidc = new OpenIDConnectClient('https://<authorization-server>', '<client-id>', '<client-secret>');
// Lab setting: these two calls disable TLS certificate verification towards the Authorisation Server.
$oidc->setVerifyHost(false);
$oidc->setVerifyPeer(false);
$oidc->authenticate();
$givenName = $oidc->requestUserInfo('given_name');
$testClaim = $oidc->requestUserInfo('test_claim');
?>
<h1>Example OpenID Connect Client Use</h1>
<p>givenName: <?php echo htmlspecialchars((string) $givenName); ?></p>
<p>testClaim: <?php echo htmlspecialchars((string) $testClaim); ?></p>
The result is that $givenName remains empty, while $testClaim will show the given name. Both claims have been configured the same on the BIG-IP. What could be wrong? I'm using 14.1.0.3. Here is some more info from the APM logfile. You can see that the given_name claim isn't added to the session.assigned.oauth.authz.userinfo.claim_data session variable.
May 1 15:28:33 nielsvs-bigip info apmd[14875]: 01490007:6: /Common/ap_oauth_openid_connect_authorization_server:Common:bd525cb7: Session variable 'session.assigned.oauth.authz.userinfo.claim.given_name' set to 'Niels'
May 1 15:28:33 nielsvs-bigip info apmd[14875]: 01490007:6: /Common/ap_oauth_openid_connect_authorization_server:Common:bd525cb7: Session variable 'session.assigned.oauth.authz.userinfo.claim.test_claim' set to 'Niels'
May 1 15:28:33 nielsvs-bigip info apmd[14875]: 01490007:6: /Common/ap_oauth_openid_connect_authorization_server:Common:bd525cb7: Session variable 'session.assigned.oauth.authz.userinfo.claim_data' set to '"test_claim": "Niels"'
May 1 15:28:33 nielsvs-bigip info apmd[14875]: 01490007:6: /Common/ap_oauth_openid_connect_authorization_server:Common:bd525cb7: Session variable 'session.assigned.oauth.authz.userinfo.claims' set to 'given_name test_claim'
Okay, what I found out is that claims like given_name and name are part of a defined scope named profile (see section 5.4 of https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse). So the Authorization Server will only pass these claims when the Resource Owner (end-user) grants access to the profile scope.
This is what I had to do to get it working:
- create a scope named profile
- add the scope to the OAuth Authorization agent in the VPE
The given_name claim is now also shown in the session.assigned.oauth.authz.userinfo.claim_data session variable. See below.
May 2 12:51:20 nielsvs-bigip info apmd[14875]: 01490007:6: /Common/ap_oauth_openid_connect_authorization_server:Common:a78f6aa7: Session variable 'session.assigned.oauth.authz.userinfo.claim.given_name' set to 'Niels'
May 2 12:51:20 nielsvs-bigip info apmd[14875]: 01490007:6: /Common/ap_oauth_openid_connect_authorization_server:Common:a78f6aa7: Session variable 'session.assigned.oauth.authz.userinfo.claim.test_claim' set to 'Niels'
May 2 12:51:20 nielsvs-bigip info apmd[14875]: 01490007:6: /Common/ap_oauth_openid_connect_authorization_server:Common:a78f6aa7: Session variable 'session.assigned.oauth.authz.userinfo.claim_data' set to '"given_name": "Niels", "test_claim": "Niels"'
May 2 12:51:20 nielsvs-bigip info apmd[14875]: 01490007:6: /Common/ap_oauth_openid_connect_authorization_server:Common:a78f6aa7: Session variable 'session.assigned.oauth.authz.userinfo.claims' set to 'given_name test_claim'
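The behaviour worked out in the post follows from OpenID Connect Core 1.0, section 5.4: the standard claims (given_name, name, email, ...) are requested through scope values, so an Authorization Server withholds them until the matching scope is granted, while a deployment-specific claim such as test_claim has no scope attached to it. The following Python is an added example, not code from the post, from F5 or from the jumbojett client. It models that release rule, treats custom claims as always released (an assumption that matches what the APM logs above show), and parses the claim_data session variable out of the quoted log lines so the before/after difference can be checked mechanically.

```python
"""Why `given_name` was withheld until the `profile` scope was granted.

Added example (not from the post or the jumbojett client): models the
scope-to-claims rule of OpenID Connect Core 1.0, section 5.4, and parses the
APM log excerpts quoted in the post.
"""
from __future__ import annotations

import json
import re

# Standard scope values and the claims each one requests (OIDC Core 1.0, 5.4).
SCOPE_CLAIMS: dict[str, frozenset[str]] = {
    "profile": frozenset({
        "name", "family_name", "given_name", "middle_name", "nickname",
        "preferred_username", "profile", "picture", "website", "gender",
        "birthdate", "zoneinfo", "locale", "updated_at",
    }),
    "email": frozenset({"email", "email_verified"}),
    "address": frozenset({"address"}),
    "phone": frozenset({"phone_number", "phone_number_verified"}),
}
STANDARD_CLAIMS: frozenset[str] = frozenset().union(*SCOPE_CLAIMS.values())

# APM log format quoted in the post: Session variable 'X' set to 'Y'
_APM_VAR = re.compile(r"Session variable '([^']+)' set to '(.*)'$")
CLAIM_DATA_VAR = "session.assigned.oauth.authz.userinfo.claim_data"

# Log excerpts copied from the post: before and after the profile scope existed.
APM_LOG_BEFORE = [
    "May 1 15:28:33 nielsvs-bigip info apmd[14875]: 01490007:6: /Common/ap_oauth_openid_connect_authorization_server:Common:bd525cb7: Session variable 'session.assigned.oauth.authz.userinfo.claim_data' set to '\"test_claim\": \"Niels\"'",
    "May 1 15:28:33 nielsvs-bigip info apmd[14875]: 01490007:6: /Common/ap_oauth_openid_connect_authorization_server:Common:bd525cb7: Session variable 'session.assigned.oauth.authz.userinfo.claims' set to 'given_name test_claim'",
]
APM_LOG_AFTER = [
    "May 2 12:51:20 nielsvs-bigip info apmd[14875]: 01490007:6: /Common/ap_oauth_openid_connect_authorization_server:Common:a78f6aa7: Session variable 'session.assigned.oauth.authz.userinfo.claim_data' set to '\"given_name\": \"Niels\", \"test_claim\": \"Niels\"'",
]


def claims_requested_by_scopes(granted_scopes: set[str]) -> set[str]:
    """Union of the claims requested by the granted standard scope values."""
    requested: set[str] = set()
    for scope in granted_scopes:
        requested |= SCOPE_CLAIMS.get(scope, frozenset())
    return requested


def release_userinfo(configured_claims: dict[str, str],
                     granted_scopes: set[str]) -> dict[str, str]:
    """UserInfo claims an Authorization Server releases for the granted scopes.

    A standard claim is released only when its scope was granted.  A claim not
    defined by any standard scope (e.g. test_claim) is assumed to be released
    unconditionally, which matches the APM logs in the post.  `sub` is always
    returned, as OIDC Core 5.3.2 requires.
    """
    requested = claims_requested_by_scopes(granted_scopes)
    return {
        name: value
        for name, value in configured_claims.items()
        if name == "sub" or name not in STANDARD_CLAIMS or name in requested
    }


def parse_apm_session_variables(log_lines: list[str]) -> dict[str, str]:
    """Extract every 'Session variable X set to Y' pair from APM log lines."""
    found: dict[str, str] = {}
    for line in log_lines:
        match = _APM_VAR.search(line)
        if match:
            found[match.group(1)] = match.group(2)
    return found


def parse_claim_data(claim_data: str) -> dict[str, str]:
    """claim_data holds JSON object members without the enclosing braces."""
    if not claim_data.strip():
        return {}
    return json.loads("{" + claim_data + "}")


def claims_in_claim_data(log_lines: list[str]) -> set[str]:
    """Claim names the AS actually released, read from the claim_data variable."""
    variables = parse_apm_session_variables(log_lines)
    return set(parse_claim_data(variables.get(CLAIM_DATA_VAR, "")))


if __name__ == "__main__":
    configured = {"sub": "niels", "given_name": "Niels", "test_claim": "Niels"}
    print("openid only        ->", release_userinfo(configured, {"openid"}))
    print("openid + profile   ->", release_userinfo(configured, {"openid", "profile"}))
    print("APM before profile ->", claims_in_claim_data(APM_LOG_BEFORE))
    print("APM after profile  ->", claims_in_claim_data(APM_LOG_AFTER))
```

With only the openid scope the model returns sub and test_claim and drops given_name, exactly what the first log excerpt shows; once profile is granted given_name appears, as in the second excerpt. The same table also explains why a client has to ask for the email, address or phone scopes to receive those claim families.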