Technical Forum
OAuth 2.0, OpenID Connect and claims

Niels_van_Slui1
Altostratus

In my lab I'm playing with OAuth 2.0 and OpenID Connect. In my setup I've configured both an Authorisation Server VS and a Resource Server VS. I'm using a separate client running on a Linux box. This is a simple PHP OpenID Connect Basic Client (https://github.com/jumbojett/OpenID-Connect-PHP).

The authentication and authorization are working, but I have some problems with the userinfo claims. It seems that some claims are not working. These seem to be claims that are maybe reserved, like 'given_name' and 'name'. Other claims like 'test' or 'test_claim' are working fine. My question is, how can I add claims like 'given_name' or 'name'? I think these would be valid userinfo claims to be requested by the client.

Here is a basic example of what the client looks like:

```php
<?php
require __DIR__ . '/vendor/autoload.php';

use Jumbojett\OpenIDConnectClient;

// Provider URL, client ID and client secret are placeholders; the
// original post did not include them.
$oidc = new OpenIDConnectClient('https://<authorization-server>', '<client_id>', '<client_secret>');
$oidc->setVerifyHost(false);   // lab only: skip TLS hostname verification
$oidc->setVerifyPeer(false);   // lab only: skip TLS certificate verification
$oidc->authenticate();
$givenName = $oidc->requestUserInfo('given_name');
$testClaim = $oidc->requestUserInfo('test_claim');
?>
<html>
<head><title>Example OpenID Connect Client Use</title></head>
<body>
  givenName: <?php echo htmlspecialchars((string) $givenName); ?><br>
  testClaim: <?php echo htmlspecialchars((string) $testClaim); ?>
</body>
</html>
```

The result is that $givenName remains empty, while $testClaim will show the given name. Both claims have been configured the same on the BIG-IP. What could be wrong? I'm using 14.1.0.3.

2 REPLIES

Here is some more info from the APM logfile. You can see that the given_name claim isn't added to the session.assigned.oauth.authz.userinfo.claim_data session variable.

```
May 1 15:28:33 nielsvs-bigip info apmd[14875]: 01490007:6: /Common/ap_oauth_openid_connect_authorization_server:Common:bd525cb7: Session variable 'session.assigned.oauth.authz.userinfo.claim.given_name' set to 'Niels'
May 1 15:28:33 nielsvs-bigip info apmd[14875]: 01490007:6: /Common/ap_oauth_openid_connect_authorization_server:Common:bd525cb7: Session variable 'session.assigned.oauth.authz.userinfo.claim.test_claim' set to 'Niels'
May 1 15:28:33 nielsvs-bigip info apmd[14875]: 01490007:6: /Common/ap_oauth_openid_connect_authorization_server:Common:bd525cb7: Session variable 'session.assigned.oauth.authz.userinfo.claim_data' set to '"test_claim": "Niels"'
May 1 15:28:33 nielsvs-bigip info apmd[14875]: 01490007:6: /Common/ap_oauth_openid_connect_authorization_server:Common:bd525cb7: Session variable 'session.assigned.oauth.authz.userinfo.claims' set to 'given_name test_claim'
```

Okay, what I found out is that claims like given_name and name are part of a defined scope named profile (see section 5.4 of https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse). So the Authorization Server will only pass these claims when the Resource Owner (end-user) grants access to the profile scope.

This is what I had to do to get it working:

  • create a scope named profile

[screenshot: 0691T000006AuE1QAK.png]

  • add the scope to the OAuth Authorization agent in the VPE

[screenshot: 0691T000006AuE2QAK.png]

The given_name claim is now also shown in the session.assigned.oauth.authz.userinfo.claim_data session variable. See below.

```
May 2 12:51:20 nielsvs-bigip info apmd[14875]: 01490007:6: /Common/ap_oauth_openid_connect_authorization_server:Common:a78f6aa7: Session variable 'session.assigned.oauth.authz.userinfo.claim.given_name' set to 'Niels'
May 2 12:51:20 nielsvs-bigip info apmd[14875]: 01490007:6: /Common/ap_oauth_openid_connect_authorization_server:Common:a78f6aa7: Session variable 'session.assigned.oauth.authz.userinfo.claim.test_claim' set to 'Niels'
May 2 12:51:20 nielsvs-bigip info apmd[14875]: 01490007:6: /Common/ap_oauth_openid_connect_authorization_server:Common:a78f6aa7: Session variable 'session.assigned.oauth.authz.userinfo.claim_data' set to '"given_name": "Niels", "test_claim": "Niels"'
May 2 12:51:20 nielsvs-bigip info apmd[14875]: 01490007:6: /Common/ap_oauth_openid_connect_authorization_server:Common:a78f6aa7: Session variable 'session.assigned.oauth.authz.userinfo.claims' set to 'given_name test_claim'
```
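As an added illustration of the scope-to-claim rule the reply above describes (this is not code from the post, from F5 APM, or from the jumbojett client), the Python below models how an Authorization Server decides which UserInfo claims to release: a standard claim is released only when the scope that OpenID Connect Core 1.0 section 5.4 assigns to it has been granted, while a custom claim is released by whatever scope the administrator attached it to. The SCOPE_CLAIMS table is the mapping from the specification; USER and CUSTOM are constructed sample data, and the assumption that test_claim was attached to the openid scope is mine, chosen so the two runs reproduce the two log excerpts (given_name missing from claim_data without the profile scope, present with it).

```python
# Model of UserInfo claim release by granted scope, following
# OpenID Connect Core 1.0 section 5.4. Added example; not APM's logic.

# Standard scope -> claims mapping taken from the specification.
SCOPE_CLAIMS = {
    "openid": {"sub"},
    "profile": {
        "name", "family_name", "given_name", "middle_name", "nickname",
        "preferred_username", "profile", "picture", "website", "gender",
        "birthdate", "zoneinfo", "locale", "updated_at",
    },
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}

# Reverse map: standard claim -> the scope that releases it.
CLAIM_SCOPE = {claim: scope for scope, claims in SCOPE_CLAIMS.items() for claim in claims}


def required_scope(claim, custom_claims):
    """Return the scope a client must be granted before `claim` is released.

    Standard claims are fixed by the spec and cannot be re-homed, which is
    why configuring 'given_name' like a custom claim has no effect. Custom
    claims use the scope the administrator attached them to; `custom_claims`
    is a constructed stand-in for that configuration.
    """
    if claim in CLAIM_SCOPE:
        return CLAIM_SCOPE[claim]
    return custom_claims.get(claim, "openid")


def filter_userinfo(available, granted_scopes, custom_claims=None):
    """Return only those `available` claims the granted scopes permit."""
    custom_claims = custom_claims or {}
    granted = set(granted_scopes)
    return {
        claim: value
        for claim, value in available.items()
        if required_scope(claim, custom_claims) in granted
    }


def claim_data(released):
    """Render released claims the way the APM claim_data variable prints them."""
    return ", ".join(f'"{k}": "{v}"' for k, v in released.items())


# Constructed sample: what the user store knows about the subject.
USER = {"sub": "niels", "given_name": "Niels", "test_claim": "Niels"}
# Constructed assumption: the custom claim was attached to the 'openid' scope.
CUSTOM = {"test_claim": "openid"}

if __name__ == "__main__":
    # First run mirrors the May 1 log, second run the May 2 log.
    for scopes in (["openid"], ["openid", "profile"]):
        released = filter_userinfo(USER, scopes, CUSTOM)
        print(" ".join(scopes), "->", claim_data(released))
```

The practical check this gives you when debugging a missing claim: look the claim name up in section 5.4 first, and if it is a standard claim, confirm the client actually requested and was granted the matching scope before touching the claim configuration on the server.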