Forum Discussion

Niels_van_Slui1
May 01, 2019

OAuth 2.0, OpenID Connect and claims

In my lab I'm playing with OAuth 2.0 and OpenID Connect. In my setup I've configured both an Authorisation Server VS and a Resource Server VS. I'm using a separate client running on a Linux box. This is a simple PHP OpenID Connect Basic Client (https://github.com/jumbojett/OpenID-Connect-PHP).

The authentication and authorization are working, but I have some problems with the userinfo claims. It seems that some claims are not working. These seem to be claims that are maybe reserved, like 'given_name' and 'name'. Other claims like 'test' or 'test_claim' are working fine. My question is, how can I add claims like 'given_name' or 'name'? I think these would be valid userinfo claims to be requested by the client.

Here is a basic example of what the client looks like:

<?php
// Composer autoloader and client class of jumbojett/OpenID-Connect-PHP
require __DIR__ . '/vendor/autoload.php';

use Jumbojett\OpenIDConnectClient;

// Provider URL, client ID and client secret are placeholders for the lab values.
$oidc = new OpenIDConnectClient(
    'https://<authorization-server-vs>',
    '<client-id>',
    '<client-secret>'
);
// Lab setting only: skip TLS host and peer verification of the provider.
$oidc->setVerifyHost(false);
$oidc->setVerifyPeer(false);

// Run the authorization code flow, then fetch single claims from the UserInfo endpoint.
$oidc->authenticate();
$givenName = $oidc->requestUserInfo('given_name');
$testClaim = $oidc->requestUserInfo('test_claim');
?>
<html>
<head>
    <title>Example OpenID Connect Client Use</title>
</head>
<body>
    <div>
        givenName: <?php echo htmlspecialchars((string) $givenName); ?>
        testClaim: <?php echo htmlspecialchars((string) $testClaim); ?>
    </div>
</body>
</html>


The result is that $givenName remains empty, while $testClaim will show the given name. Both claims have been configured the same on the BIG-IP. What could be wrong? I'm using 14.1.0.3.

2 Replies

  • Here is some more info from the APM logfile. You can see that the 'given_name' claim isn't added to the 'session.assigned.oauth.authz.userinfo.claim_data' session variable.

    May  1 15:28:33 nielsvs-bigip info apmd[14875]: 01490007:6: /Common/ap_oauth_openid_connect_authorization_server:Common:bd525cb7: Session variable 'session.assigned.oauth.authz.userinfo.claim.given_name' set to 'Niels'
    May  1 15:28:33 nielsvs-bigip info apmd[14875]: 01490007:6: /Common/ap_oauth_openid_connect_authorization_server:Common:bd525cb7: Session variable 'session.assigned.oauth.authz.userinfo.claim.test_claim' set to 'Niels'
    May  1 15:28:33 nielsvs-bigip info apmd[14875]: 01490007:6: /Common/ap_oauth_openid_connect_authorization_server:Common:bd525cb7: Session variable 'session.assigned.oauth.authz.userinfo.claim_data' set to '"test_claim": "Niels"'
    May  1 15:28:33 nielsvs-bigip info apmd[14875]: 01490007:6: /Common/ap_oauth_openid_connect_authorization_server:Common:bd525cb7: Session variable 'session.assigned.oauth.authz.userinfo.claims' set to 'given_name test_claim'
    
  • Okay, what I found out is that claims like 'given_name' and 'name' are part of a defined scope named 'profile' (see section 5.4 of https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse). So the Authorization Server will only pass these claims when the Resource Owner (end-user) grants access to the 'profile' scope.

    This is what I had to do to get it working:

    • create a scope named 'profile'

    • add the scope to the OAuth Authorization agent in the VPE

    The 'given_name' claim is now also shown in the 'session.assigned.oauth.authz.userinfo.claim_data' session variable. See below.

    May  2 12:51:20 nielsvs-bigip info apmd[14875]: 01490007:6: /Common/ap_oauth_openid_connect_authorization_server:Common:a78f6aa7: Session variable 'session.assigned.oauth.authz.userinfo.claim.given_name' set to 'Niels'
    May  2 12:51:20 nielsvs-bigip info apmd[14875]: 01490007:6: /Common/ap_oauth_openid_connect_authorization_server:Common:a78f6aa7: Session variable 'session.assigned.oauth.authz.userinfo.claim.test_claim' set to 'Niels'
    May  2 12:51:20 nielsvs-bigip info apmd[14875]: 01490007:6: /Common/ap_oauth_openid_connect_authorization_server:Common:a78f6aa7: Session variable 'session.assigned.oauth.authz.userinfo.claim_data' set to '"given_name": "Niels", "test_claim": "Niels"'
    May  2 12:51:20 nielsvs-bigip info apmd[14875]: 01490007:6: /Common/ap_oauth_openid_connect_authorization_server:Common:a78f6aa7: Session variable 'session.assigned.oauth.authz.userinfo.claims' set to 'given_name test_claim'
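The two replies above describe a symptom (a claim listed in 'userinfo.claims' but absent from 'userinfo.claim_data') and its cause (standard claims such as 'given_name' belong to the 'profile' scope, which the client had not been granted). The following Python is an added example, not code from the thread, from F5 or from the PHP client project. The scope-to-claims table is the one in OpenID Connect Core 1.0 section 5.4; treating claims outside that table as custom claims released regardless of scope is an assumption made to match the behaviour seen in the thread, and the log lines are constructed after the APM output shown above, with placeholder hostname, policy name and session ID.

```python
import json
import re
from typing import Dict, Iterable, List, Set

# Scope-to-claims table from OpenID Connect Core 1.0, section 5.4.
SCOPE_CLAIMS: Dict[str, Set[str]] = {
    "profile": {
        "name", "family_name", "given_name", "middle_name", "nickname",
        "preferred_username", "profile", "picture", "website", "gender",
        "birthdate", "zoneinfo", "locale", "updated_at",
    },
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}

# Every claim owned by some standard scope.
STANDARD_CLAIMS: Set[str] = set().union(*SCOPE_CLAIMS.values())


def released_claims(granted_scopes: Iterable[str],
                    available: Dict[str, str]) -> Dict[str, str]:
    """Filter the claims a UserInfo endpoint may return for a given token.

    A standard claim is released only when the scope that owns it was granted.
    Claims outside the standard table (e.g. 'test_claim') are modelled as
    server-defined custom claims released regardless of scope; this is an
    assumption matching the thread's observation, not a rule from the spec.
    """
    allowed: Set[str] = set()
    for scope in granted_scopes:
        allowed |= SCOPE_CLAIMS.get(scope, set())
    return {
        claim: value
        for claim, value in available.items()
        if claim not in STANDARD_CLAIMS or claim in allowed
    }


# Matches the "Session variable '<name>' set to '<value>'" form seen in the APM log.
_SESSION_VAR_RE = re.compile(r"Session variable '(?P<name>[^']+)' set to '(?P<value>.*)'$")


def missing_userinfo_claims(log_lines: Iterable[str]) -> List[str]:
    """Return claims named in '...userinfo.claims' but absent from
    '...userinfo.claim_data', i.e. configured on the AS but not released."""
    listed: Set[str] = set()
    present: Set[str] = set()
    for line in log_lines:
        match = _SESSION_VAR_RE.search(line)
        if match is None:
            continue
        name, value = match.group("name"), match.group("value")
        if name.endswith(".userinfo.claims"):
            listed = set(value.split())
        elif name.endswith(".userinfo.claim_data"):
            # APM logs the JSON object body without its surrounding braces.
            present = set(json.loads("{" + value + "}"))
    return sorted(listed - present)


# Constructed log lines modelled on the thread's APM output (not captured from
# a live system); hostname, policy name and session ID are placeholders.
_PREFIX = ("May  1 15:28:33 lab-bigip info apmd[14875]: 01490007:6: "
           "/Common/ap_oauth_as:Common:sess0001: Session variable ")
LOG_BEFORE_PROFILE_SCOPE = [
    _PREFIX + "'session.assigned.oauth.authz.userinfo.claim.given_name' set to 'Niels'",
    _PREFIX + "'session.assigned.oauth.authz.userinfo.claim.test_claim' set to 'Niels'",
    _PREFIX + "'session.assigned.oauth.authz.userinfo.claim_data' set to '\"test_claim\": \"Niels\"'",
    _PREFIX + "'session.assigned.oauth.authz.userinfo.claims' set to 'given_name test_claim'",
]
LOG_AFTER_PROFILE_SCOPE = [
    _PREFIX + "'session.assigned.oauth.authz.userinfo.claim_data' set to "
              "'\"given_name\": \"Niels\", \"test_claim\": \"Niels\"'",
    _PREFIX + "'session.assigned.oauth.authz.userinfo.claims' set to 'given_name test_claim'",
]

if __name__ == "__main__":
    available = {"given_name": "Niels", "test_claim": "Niels"}
    print("granted openid only     :", released_claims(["openid"], available))
    print("granted openid + profile:", released_claims(["openid", "profile"], available))
    print("missing before 'profile':", missing_userinfo_claims(LOG_BEFORE_PROFILE_SCOPE))
    print("missing after  'profile':", missing_userinfo_claims(LOG_AFTER_PROFILE_SCOPE))
```

Running the script reproduces the thread: with only 'openid' granted the model withholds 'given_name' and passes 'test_claim', and the log check flags 'given_name' as configured but not released; once 'profile' is granted both claims are released and the check comes back empty. The same 'claims' versus 'claim_data' comparison is a quick way to spot a scope mismatch in APM logs before touching the client.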