Seeing some "things" while testing OP claim propagation.
Setup (request flow):
Scenario A: RP (OIDC) client -> OP with embedded RP that redirects authorization requests to an External OP
or
Scenario B: Social (oidcLogin) client -> OP with embedded RP that redirects authorization requests to an External OP
Group1 is LDAPUser1's group in the external OP
GroupA is LDAPUser1's group in the intermed OP
Both scenarios
(scenario A with rp client config specified with grantType="implicit", scenario B with social client config specified with responseType="id_token token")
thirdPartyIDTokenClaims is NOT included in the OP config
1. The groupIds value found in the subject as well as the id_token is the value returned from the external OP. (When the flow is authorization code, the value is from the intermediate OP or does not exist, depending on the existence of a group in the intermed OP, ...)
Should the groupIds value be different depending on the flow type?
2. With scenario B, and responseType="code", the subject does not contain the id_token (the same flow using an RP does contain the id_token).
3. With scenario B, and responseType="code", the subject does not contain the groupIds value. (I've included groupNameAttribute="groupIds" and get some odd variation of the intermed server's group.)
Traces for #1
Intermed server trace (using social client):
implicitFlowUsingSocial.zip
Intermed server trace (using RP):
implicitFlowUsingRP.zip
Traces for #2 and #3
Intermed server trace (using social client):
codeFlowUsingSocial.zip
Intermed server trace (using RP):
codeFlowUsingRP.zip
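When comparing the implicit-flow and code-flow traces it helps to pull the id_token out of each run and ask one narrow question: did the groupIds claim the intermediate OP issued come from the external OP's group (Group1) or from the intermed OP's own registry (GroupA), or is it absent? The script below is an added example for doing that comparison; it is not part of this issue or of the Liberty code. The group names come from the scenario above, but the issuer URL, the shared secret and the two sample tokens are constructed here so the block runs offline. It signs with HS256 only to stay self-contained; a real id_token from the OP is RS256-signed and would be verified against the OP's JWKS instead of a shared key.

```python
"""Report which OP an id_token's groupIds claim came from, per flow type.

Added example. All tokens, keys and URLs are constructed for this block.
"""
import base64
import hashlib
import hmac
import json

# Assumed from the issue's scenario: LDAPUser1's group in each OP.
EXTERNAL_OP_GROUPS = {"Group1"}   # external OP
INTERMED_OP_GROUPS = {"GroupA"}   # intermediate OP (embedded RP)

# Constructed values, not from the attached traces.
INTERMED_ISS = "https://intermed-op.example/oidc/endpoint/OP"
DEMO_KEY = b"constructed-shared-secret"  # stands in for the OP's RS256 key


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """Build a compact JWS (header.payload.signature) for the sample tokens."""
    header = {"alg": "HS256", "typ": "JWT"}
    segments = [_b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
                for obj in (header, claims)]
    signing_input = ".".join(segments)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def decode_jwt_claims(token: str, key: bytes) -> dict:
    """Verify the HS256 signature, then return the payload claims."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("not a compact JWS") from None
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature check failed")
    return json.loads(_b64url_decode(payload_b64))


def group_origin(group_ids) -> str:
    """Classify a groupIds value by which OP's registry it matches."""
    groups = set(group_ids or [])
    if not groups:
        return "none"          # claim missing or empty (item 3 in the issue)
    if groups <= EXTERNAL_OP_GROUPS:
        return "external"      # propagated from the external OP (Group1)
    if groups <= INTERMED_OP_GROUPS:
        return "intermed"      # taken from the intermed OP's registry (GroupA)
    return "mixed"


def inspect_id_token(token: str, key: bytes) -> dict:
    claims = decode_jwt_claims(token, key)
    group_ids = claims.get("groupIds")
    return {"iss": claims.get("iss"), "sub": claims.get("sub"),
            "groupIds": group_ids, "origin": group_origin(group_ids)}


def compare_flows(implicit_token: str, code_token: str, key: bytes) -> dict:
    """Answer 'does groupIds differ by flow type?' for one user."""
    implicit = inspect_id_token(implicit_token, key)
    code = inspect_id_token(code_token, key)
    same = sorted(implicit["groupIds"] or []) == sorted(code["groupIds"] or [])
    return {"implicit": implicit, "code": code, "same_groupIds": same}


# Constructed sample id_tokens mirroring item 1 of the issue: the implicit
# run carries the external OP's group, the code run carries the intermed group.
IMPLICIT_FLOW_TOKEN = make_hs256_jwt(
    {"iss": INTERMED_ISS, "sub": "LDAPUser1", "groupIds": ["Group1"]}, DEMO_KEY)
CODE_FLOW_TOKEN = make_hs256_jwt(
    {"iss": INTERMED_ISS, "sub": "LDAPUser1", "groupIds": ["GroupA"]}, DEMO_KEY)

if __name__ == "__main__":
    print(json.dumps(compare_flows(IMPLICIT_FLOW_TOKEN, CODE_FLOW_TOKEN, DEMO_KEY),
                     indent=2))
```

To use it against a real trace, paste the id_token string from the intermed server trace in place of the constructed tokens and swap `decode_jwt_claims` for a JWKS-backed RS256 verifier; `group_origin` then tells you which registry the claim reflects without eyeballing base64.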