For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Niels_van_Sluis's avatar
Niels_van_Sluis
Icon for MVP rankMVP
May 02, 2019

Okay, what I found out is that claims like 

given_name
and 
name
are part of a defined scope named 
profile
(See section 5.4 of https://openid.net/specs/openid-connect-core-1_0.htmlUserInfoResponse). So the Authorization Server will only pass these claims when the Resource Owner (end-user) grants access to the 
profile
scope.

This is what I had to do to get it working:

  • create a scope named 
    profile

  • add scope OAuth Authorization agent in the VPE

The 

given_name
claim is now also shown in the 
session.assigned.oauth.authz.userinfo.claim_data
session variable. See below.

May  2 12:51:20 nielsvs-bigip info apmd[14875]: 01490007:6: /Common/ap_oauth_openid_connect_authorization_server:Common:a78f6aa7: Session variable 'session.assigned.oauth.authz.userinfo.claim.given_name' set to 'Niels'
May  2 12:51:20 nielsvs-bigip info apmd[14875]: 01490007:6: /Common/ap_oauth_openid_connect_authorization_server:Common:a78f6aa7: Session variable 'session.assigned.oauth.authz.userinfo.claim.test_claim' set to 'Niels'
May  2 12:51:20 nielsvs-bigip info apmd[14875]: 01490007:6: /Common/ap_oauth_openid_connect_authorization_server:Common:a78f6aa7: Session variable 'session.assigned.oauth.authz.userinfo.claim_data' set to '"given_name": "Niels", "test_claim": "Niels"'
May  2 12:51:20 nielsvs-bigip info apmd[14875]: 01490007:6: /Common/ap_oauth_openid_connect_authorization_server:Common:a78f6aa7: Session variable 'session.assigned.oauth.authz.userinfo.claims' set to 'given_name test_claim'
Related Content