
ID Token does not contain user claims #449

Open
mael-lg opened this issue Aug 29, 2014 · 8 comments

Comments

mael-lg commented Aug 29, 2014

When an ID Token is created from OAuth2\OpenID\Controller\AuthorizeController, the buildAuthorizeParameters function generates an ID Token which does not include user claims.

Is this behavior normal?

mael-lg (Author) commented Aug 29, 2014

After some tests, it seems that claims are included in the ID token only in some cases...

When the authorize request sets response_type=code or response_type=token id_token, there are no user claims in the ID Token, but when response_type=id_token, claims are included in the ID Token...

bshaffer (Owner) commented Sep 2, 2014

This definitely sounds like a bug, thanks for filing the issue and I will investigate further.

mael-lg (Author) commented Sep 5, 2014

If it can help...
To fix it, I've overridden the method createDefaultAuthorizeController of the class OAuth2\Server and I replaced:

if ($this->config['use_openid_connect']) {
    return new OpenIDAuthorizeController($this->storages['client'], $this->responseTypes, $config, $this->getScopeUtil());
}

by:

if ($this->config['use_openid_connect']) {
    return new OpenIDAuthorizeController($this->storages['client'], $this->storages['public_key'], $this->responseTypes, $config, $this->getScopeUtil());
}

I've implemented an extended constructor in OAuth2\OpenID\Controller\AuthorizeController which has an OAuth2\Storage\PublicKeyInterface as parameter.

And then, I've changed the buildAuthorizeParameters function:

if ($this->needsIdToken($this->getScope()) && $this->getResponseType() == self::RESPONSE_TYPE_AUTHORIZATION_CODE) {
    $params['id_token'] = $this->responseTypes['id_token']->createIdToken($this->getClientId(), $user_id, $this->nonce);
}

with:

if ($this->needsIdToken($this->getScope()) && $this->getResponseType() == self::RESPONSE_TYPE_AUTHORIZATION_CODE) {
    $userClaims = $this->publicKeyStorage->getUserClaims($user_id, $params['scope']);
    $params['id_token'] = $this->responseTypes['id_token']->createIdToken($this->getClientId(), $user_id, $this->nonce, $userClaims);
}

bshaffer (Owner) commented

This helps tremendously. Thank you.

bojanz (Contributor) commented Dec 26, 2014

This was intentional. If a response type results in an access token being returned, the application can get fresher user information by using the access token to ping an endpoint.
If no access token was returned, we have no choice but to provide the data in id_token, accepting that it can get stale while it is passed around.
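
The relying-party side of the rule bojanz describes, as an added example that is not code from the oauth2-server-php project or from anyone in this thread: verify the ID Token first (signature, iss, aud, exp, nonce), then take claims from the UserInfo endpoint whenever an access token was issued and fall back to the ID Token only when there is none. It uses the library's own OAuth2\Encryption\Jwt class for RS256 verification; the key pair, the sample ID Token, the client and issuer names and the $fetchUserInfo callable are constructed here for the demo and are not real OP output.

```php
<?php
// Added example (not code from oauth2-server-php or from this thread). The key pair, the
// sample token and the UserInfo stub below are constructed for the demo.
require 'vendor/autoload.php';

use OAuth2\Encryption\Jwt;

/**
 * Verify an ID Token before trusting anything in it: RS256 signature against the OP's
 * public key, then iss, aud, exp and (when the request carried one) nonce.
 * Returns the payload array on success, null on any failure.
 */
function verifyIdToken($idToken, $opPublicKeyPem, $issuer, $clientId, $expectedNonce, $now = null)
{
    $now = $now ?: time();
    // Jwt::decode() returns false when the signature does not verify or the alg is not allowed.
    $payload = (new Jwt())->decode($idToken, $opPublicKeyPem, array('RS256'));
    if (!is_array($payload) || !isset($payload['iss'], $payload['sub'], $payload['aud'], $payload['exp'])) {
        return null;
    }
    if ($payload['iss'] !== $issuer) {
        return null;
    }
    // aud is a string for a single audience or an array for several.
    if (!in_array($clientId, (array) $payload['aud'], true)) {
        return null;
    }
    if (!is_int($payload['exp']) || $payload['exp'] <= $now) {
        return null;
    }
    // The nonce ties this token to the authorize request that this session started.
    if ($expectedNonce !== null
        && (!isset($payload['nonce']) || !hash_equals($expectedNonce, (string) $payload['nonce']))) {
        return null;
    }
    return $payload;
}

/**
 * Choose where user claims come from. With an access token (response_type=code after the
 * token exchange, or "token id_token") UserInfo has the fresher data; with
 * response_type=id_token there is no access token and the ID Token is the only source.
 */
function resolveUserClaims(array $verifiedIdToken, $accessToken, callable $fetchUserInfo)
{
    if ($accessToken === null) {
        return $verifiedIdToken;
    }
    $info = $fetchUserInfo($accessToken);
    // OpenID Connect Core 5.3.2: a UserInfo "sub" that differs from the ID Token "sub"
    // must not be used.
    if (!isset($info['sub']) || $info['sub'] !== $verifiedIdToken['sub']) {
        throw new RuntimeException('UserInfo sub does not match ID Token sub');
    }
    return $info + $verifiedIdToken; // UserInfo values win; the ID Token fills the gaps
}

// --- demo with a constructed key pair and token ---
$keyPair = openssl_pkey_new(array('private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA));
openssl_pkey_export($keyPair, $privateKeyPem);
$details = openssl_pkey_get_details($keyPair);
$publicKeyPem = $details['key'];

$nonce = bin2hex(openssl_random_pseudo_bytes(16));
$now = time();
$idToken = (new Jwt())->encode(array(
    'iss' => 'https://op.example', 'sub' => 'user-42', 'aud' => 'rp-client',
    'iat' => $now, 'exp' => $now + 300, 'nonce' => $nonce,
    'email' => 'alice@example.org', // a claim the OP chose to embed
), $privateKeyPem, 'RS256');

$payload = verifyIdToken($idToken, $publicKeyPem, 'https://op.example', 'rp-client', $nonce);
var_dump($payload !== null);
// A wrong nonce or a wrong audience must both reject the token.
var_dump(verifyIdToken($idToken, $publicKeyPem, 'https://op.example', 'rp-client', 'other-nonce'));
var_dump(verifyIdToken($idToken, $publicKeyPem, 'https://op.example', 'other-client', $nonce));

// No access token: claims come from the ID Token itself.
$fromIdToken = resolveUserClaims($payload, null, function () { throw new LogicException('not reached'); });
// Access token present: fetch fresh claims (stubbed UserInfo response, constructed here).
$fresh = resolveUserClaims($payload, 'opaque-access-token', function ($accessToken) {
    return array('sub' => 'user-42', 'email' => 'alice@new.example');
});
echo $fromIdToken['email'], ' -> ', $fresh['email'], "\n";
```

The signature check is done before any claim is read, and the nonce comparison uses hash_equals so that a failed match does not leak timing; both matter because an ID Token that carries claims is the RP's only evidence of who logged in when no access token is issued.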

mael-lg (Author) commented Jan 5, 2015

If I understand correctly, the id_token contains user claims only in this case: response_type=id_token (which is the only case that does not include in the response a way to get an access_token)?

justingreerbbi commented

@mael-lg Could you provide your snippet of extending the constructor for OAuth2\OpenID\Controller\AuthorizeController?

justingreerbbi commented

I wanted to chime in here and give a better solution. The class AuthorizeController already stores the clientStorage property.

In the buildAuthorizeParameters method replace
if ($this->needsIdToken($this->getScope()) && $this->getResponseType() == self::RESPONSE_TYPE_AUTHORIZATION_CODE) {
    $params['id_token'] = $this->responseTypes['id_token']->createIdToken($this->getClientId(), $user_id, $this->nonce);
}

with

if ($this->needsIdToken($this->getScope()) && $this->getResponseType() == self::RESPONSE_TYPE_AUTHORIZATION_CODE) {
    $userClaims = $this->clientStorage->getUserClaims($user_id, $params['scope']);
    $params['id_token'] = $this->responseTypes['id_token']->createIdToken($this->getClientId(), $user_id, $this->nonce, $userClaims);
}

That will return the claims with the ID Token as expected. Hope this helps.
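
Putting the two overrides from this thread (mael-lg's constructor injection and justingreerbbi's reuse of the existing storage) together, as an added example that is not the library's code nor either commenter's: a controller subclass that takes an OAuth2\OpenID\Storage\UserClaimsInterface explicitly, so a storage that only implements ClientInterface fails at construction instead of at runtime, and a Server subclass that wires it in the way mael-lg did. It assumes that the parent's createDefaultAuthorizeController() fills $this->responseTypes as a side effect before returning, that the storage keys 'client' and 'user_claims' are the ones Server uses, and that the bundled Pdo storage implements ClientInterface, UserClaimsInterface and PublicKeyInterface; the sqlite path and issuer are placeholders. Caveat from bojanz's point: the claims become a snapshot frozen into the token (OpenID Connect Core 5.4 returns scope-derived claims from UserInfo whenever an access token is issued), so an RP holding an access token should still prefer UserInfo.

```php
<?php
// Added example; not code from oauth2-server-php or from this thread. Assumptions are marked.
require 'vendor/autoload.php';

use OAuth2\OpenID\Controller\AuthorizeController as OpenIDAuthorizeController;
use OAuth2\OpenID\Storage\UserClaimsInterface;
use OAuth2\Storage\ClientInterface;
use OAuth2\ScopeInterface;

class ClaimsInIdTokenAuthorizeController extends OpenIDAuthorizeController
{
    private $userClaimsStorage;

    // Take the claims storage as a typed dependency rather than casting clientStorage, so a
    // storage that implements only ClientInterface is rejected at construction time.
    public function __construct(
        ClientInterface $clientStorage,
        UserClaimsInterface $userClaimsStorage,
        array $responseTypes = array(),
        array $config = array(),
        ScopeInterface $scopeUtil = null
    ) {
        parent::__construct($clientStorage, $responseTypes, $config, $scopeUtil);
        $this->userClaimsStorage = $userClaimsStorage;
    }

    protected function buildAuthorizeParameters($request, $response, $user_id)
    {
        $params = parent::buildAuthorizeParameters($request, $response, $user_id);

        // The parent only produces an id_token for response_type=code with the openid
        // scope; every other outcome is returned untouched.
        if (!$params || !isset($params['id_token'])) {
            return $params;
        }

        // Only the claims the granted scope allows (profile, email, ...) are embedded.
        $claims = $this->userClaimsStorage->getUserClaims($user_id, $params['scope']);
        if (!$claims) {
            return $params;
        }

        // Re-create the token with the claims. The nonce is read from the request because
        // the parent keeps it in a private property; it is the same value the parent used.
        $params['id_token'] = $this->responseTypes['id_token']->createIdToken(
            $this->getClientId(),
            $user_id,
            $request->query('nonce'),
            $claims
        );

        return $params;
    }
}

class ClaimsAwareServer extends OAuth2\Server
{
    protected function createDefaultAuthorizeController()
    {
        // Assumption: the parent populates $this->responseTypes (code, id_token, ...) before
        // returning its controller, so that controller can be swapped for ours built from
        // the same parts. Non-OIDC servers keep the default.
        $default = parent::createDefaultAuthorizeController();
        if (!$this->config['use_openid_connect']) {
            return $default;
        }
        if (!isset($this->storages['user_claims']) || !isset($this->responseTypes['id_token'])) {
            throw new LogicException('A UserClaimsInterface storage and the id_token response type are required');
        }

        return new ClaimsInIdTokenAuthorizeController(
            $this->storages['client'],
            $this->storages['user_claims'],
            $this->responseTypes,
            $this->config,
            $this->getScopeUtil()
        );
    }
}

// Wiring. One Pdo instance fills every role the OpenID controller needs (client, user
// claims, public key). The dsn and issuer are placeholders.
$storage = new OAuth2\Storage\Pdo(array('dsn' => 'sqlite:/var/lib/oauth/oauth.sqlite'));
$server = new ClaimsAwareServer($storage, array(
    'use_openid_connect' => true,
    'issuer'             => 'https://op.example',
));
$server->addGrantType(new OAuth2\GrantType\AuthorizationCode($storage));
// $server->handleAuthorizeRequest(...) now stores an id_token carrying the user's scoped
// claims with the authorization code; the token endpoint returns it alongside the access token.
```

Because the subclass only acts when the parent already decided an id_token is needed, it leaves the response_type=id_token path (where the IdToken response type adds claims itself) and the token id_token path exactly as the library ships them; the behaviour change is confined to the code flow the issue is about.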
