01-May-2019 06:46 - last edited on 05-Jun-2023 11:17 by JimmyPackets
In my lab I'm playing with OAuth 2.0 and OpenID Connect. In my setup I've configured both an Authorisation Server VS and a Resource Server VS. I'm using a separate client running on a Linux box. This is a simple PHP OpenID Connect Basic Client (https://github.com/jumbojett/OpenID-Connect-PHP).
The authentication and authorization are working, but I have some problems with the userinfo claims. It seems that some claims are not working. These seem to be claims that are maybe reserved, like 'given_name' and 'name'. Other claims like 'test' or 'test_claim' are working fine. My question is, how can I add claims like 'given_name' or 'name'? I think these would be valid userinfo claims to be requested by the client.
Here is a basic example of what the client looks like:
<?php
require __DIR__ . '/vendor/autoload.php';
use Jumbojett\OpenIDConnectClient;

// The issuer URL, client ID and client secret are cut off in the post; placeholders stand in for them.
$oidc = new OpenIDConnectClient('https://<authorization-server>', '<client_id>', '<client_secret>');
$oidc->setVerifyHost(false); // lab only: skips the TLS hostname check
$oidc->setVerifyPeer(false); // lab only: skips TLS certificate verification
$oidc->authenticate();
$givenName = $oidc->requestUserInfo('given_name');
$testClaim = $oidc->requestUserInfo('test_claim');
?>
Example OpenID Connect Client Use<br>
givenName: <?php echo htmlspecialchars((string) $givenName); ?><br>
testClaim: <?php echo htmlspecialchars((string) $testClaim); ?>
The result is that $givenName remains empty, while $testClaim will show the given name. Both claims have been configured the same on the BIG-IP. What could be wrong? I'm using 14.1.0.3.
01-May-2019 06:51 - last edited on 05-Jun-2023 11:17 by JimmyPackets
Here is some more info from the APM logfile. You can see that the given_name claim isn't added to the session.assigned.oauth.authz.userinfo.claim_data session variable.
May 1 15:28:33 nielsvs-bigip info apmd[14875]: 01490007:6: /Common/ap_oauth_openid_connect_authorization_server:Common:bd525cb7: Session variable 'session.assigned.oauth.authz.userinfo.claim.given_name' set to 'Niels'
May 1 15:28:33 nielsvs-bigip info apmd[14875]: 01490007:6: /Common/ap_oauth_openid_connect_authorization_server:Common:bd525cb7: Session variable 'session.assigned.oauth.authz.userinfo.claim.test_claim' set to 'Niels'
May 1 15:28:33 nielsvs-bigip info apmd[14875]: 01490007:6: /Common/ap_oauth_openid_connect_authorization_server:Common:bd525cb7: Session variable 'session.assigned.oauth.authz.userinfo.claim_data' set to '"test_claim": "Niels"'
May 1 15:28:33 nielsvs-bigip info apmd[14875]: 01490007:6: /Common/ap_oauth_openid_connect_authorization_server:Common:bd525cb7: Session variable 'session.assigned.oauth.authz.userinfo.claims' set to 'given_name test_claim'
02-May-2019 04:09 - last edited on 05-Jun-2023 21:46 by JimmyPackets
Okay, what I found out is that claims like given_name and name are part of a defined scope named profile (see section 5.4 of https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse). So the Authorization Server will only pass these claims when the Resource Owner (end-user) grants access to the profile scope.
This is what I had to do to get it working: add the profile scope.
The given_name claim is now also shown in the session.assigned.oauth.authz.userinfo.claim_data session variable. See below.
May 2 12:51:20 nielsvs-bigip info apmd[14875]: 01490007:6: /Common/ap_oauth_openid_connect_authorization_server:Common:a78f6aa7: Session variable 'session.assigned.oauth.authz.userinfo.claim.given_name' set to 'Niels'
May 2 12:51:20 nielsvs-bigip info apmd[14875]: 01490007:6: /Common/ap_oauth_openid_connect_authorization_server:Common:a78f6aa7: Session variable 'session.assigned.oauth.authz.userinfo.claim.test_claim' set to 'Niels'
May 2 12:51:20 nielsvs-bigip info apmd[14875]: 01490007:6: /Common/ap_oauth_openid_connect_authorization_server:Common:a78f6aa7: Session variable 'session.assigned.oauth.authz.userinfo.claim_data' set to '"given_name": "Niels", "test_claim": "Niels"'
May 2 12:51:20 nielsvs-bigip info apmd[14875]: 01490007:6: /Common/ap_oauth_openid_connect_authorization_server:Common:a78f6aa7: Session variable 'session.assigned.oauth.authz.userinfo.claims' set to 'given_name test_claim'
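The behaviour the thread runs into (both claims configured identically on the BIG-IP, yet given_name withheld until the profile scope is granted, as the first and last posts show) is the scope-to-claims release rule of OpenID Connect Core 1.0 section 5.4. The following is an added example, not code from the thread, from jumbojett/OpenID-Connect-PHP or from BIG-IP APM. It implements that rule with the spec's own profile/email/address/phone tables, and it reads the apmd "Session variable ... set to ..." lines quoted above to report which evaluated claims never reached claim_data and which scope each one needs. One assumption: the custom claim test_claim is tied to a custom scope named test_scope; the thread does not name the scope that carried it.

```python
"""Scope-gated release of UserInfo claims (OIDC Core 1.0, section 5.4), plus a
reader for the apmd session-variable log lines quoted in the thread.

Added example; not code from the thread, the PHP client library or BIG-IP APM.
Assumption: 'test_claim' hangs off a custom scope called 'test_scope'.
"""
import json
import re

# Standard scope values and the claims each one releases (OIDC Core 1.0, 5.4).
STANDARD_SCOPE_CLAIMS = {
    "profile": {
        "name", "family_name", "given_name", "middle_name", "nickname",
        "preferred_username", "profile", "picture", "website", "gender",
        "birthdate", "zoneinfo", "locale", "updated_at",
    },
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}

# Assumed for this example: a non-standard claim needs a scope of its own.
CUSTOM_SCOPE_CLAIMS = {"test_scope": {"test_claim"}}


def scope_for_claim(claim):
    """Scope a client must be granted to receive `claim`; None if no scope carries it."""
    if claim == "sub":
        return "openid"  # sub is always part of a UserInfo response
    for table in (STANDARD_SCOPE_CLAIMS, CUSTOM_SCOPE_CLAIMS):
        for scope, claims in table.items():
            if claim in claims:
                return scope
    return None


def claims_released_by(granted_scopes):
    """All claims the granted scopes entitle the client to; unknown scopes add nothing."""
    released = {"sub"} if "openid" in granted_scopes else set()
    for scope in granted_scopes:
        released |= STANDARD_SCOPE_CLAIMS.get(scope, set())
        released |= CUSTOM_SCOPE_CLAIMS.get(scope, set())
    return released


def build_userinfo(configured_claims, granted_scopes):
    """Filter the claims the AS resolved for the user down to what the granted scopes allow.

    This is the step that leaves a configured claim out of claim_data when its
    scope was not granted, which is what the thread observed for given_name.
    """
    allowed = claims_released_by(granted_scopes)
    return {k: v for k, v in configured_claims.items() if k in allowed}


# --- reading the apmd log lines quoted in the thread ---------------------------
SESSION_VAR_RE = re.compile(r"Session variable '(?P<name>[^']+)' set to '(?P<value>.*)'$")
PREFIX = "session.assigned.oauth.authz.userinfo."


def parse_session_vars(log_lines):
    """Map session variable name -> logged value for every matching line."""
    found = {}
    for line in log_lines:
        m = SESSION_VAR_RE.search(line.rstrip())
        if m:
            found[m.group("name")] = m.group("value")
    return found


def parse_claim_data(value):
    """claim_data is logged as the members of a JSON object without the braces."""
    return json.loads("{" + value + "}") if value.strip() else {}


def withheld_claims(log_lines):
    """{claim: scope_needed} for claims APM evaluated ('claims') but did not release ('claim_data')."""
    session = parse_session_vars(log_lines)
    evaluated = session.get(PREFIX + "claims", "").split()
    released = parse_claim_data(session.get(PREFIX + "claim_data", ""))
    return {c: scope_for_claim(c) for c in evaluated if c not in released}


# Log lines as quoted in the second and third posts, trimmed to the two that matter.
LOG_WITHOUT_PROFILE = [
    "May 1 15:28:33 nielsvs-bigip info apmd[14875]: 01490007:6: /Common/ap_oauth_openid_connect_authorization_server:Common:bd525cb7: Session variable 'session.assigned.oauth.authz.userinfo.claim_data' set to '\"test_claim\": \"Niels\"'",
    "May 1 15:28:33 nielsvs-bigip info apmd[14875]: 01490007:6: /Common/ap_oauth_openid_connect_authorization_server:Common:bd525cb7: Session variable 'session.assigned.oauth.authz.userinfo.claims' set to 'given_name test_claim'",
]
LOG_WITH_PROFILE = [
    "May 2 12:51:20 nielsvs-bigip info apmd[14875]: 01490007:6: /Common/ap_oauth_openid_connect_authorization_server:Common:a78f6aa7: Session variable 'session.assigned.oauth.authz.userinfo.claim_data' set to '\"given_name\": \"Niels\", \"test_claim\": \"Niels\"'",
    "May 2 12:51:20 nielsvs-bigip info apmd[14875]: 01490007:6: /Common/ap_oauth_openid_connect_authorization_server:Common:a78f6aa7: Session variable 'session.assigned.oauth.authz.userinfo.claims' set to 'given_name test_claim'",
]

if __name__ == "__main__":
    configured = {"sub": "niels", "given_name": "Niels", "test_claim": "Niels"}
    print("openid+test_scope release:", build_userinfo(configured, {"openid", "test_scope"}))
    print("plus profile release:     ", build_userinfo(configured, {"openid", "test_scope", "profile"}))
    print("withheld before:", withheld_claims(LOG_WITHOUT_PROFILE))
    print("withheld after: ", withheld_claims(LOG_WITH_PROFILE))
```

Run against the first log set, withheld_claims reports given_name and names profile as the scope to add; against the second set it reports nothing, matching the two claim_data lines in the thread. The same rule is why the client side has to ask for the scope too: an Authorization Server may release a claim only when the scope that carries it was both requested by the client and granted by the user, so a client that requests only openid should not expect profile claims from UserInfo regardless of how the claims are configured on the server.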