OPENAM-12412

Multi-valued LDAP attributes are not added to the OIDC id_token as expected



    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.5.1
    • Fix Version/s: 6.0.0, 5.5.2
    • Component/s: OpenID Connect
    • Sprint: AM Sustaining Sprint 48, AM Sustaining Sprint 49
    • 3
    • No
    • Yes
    • No
    • Yes and I used the same as in the description


      Bug description

      Multi-valued LDAP attributes are not added to the OIDC id_token as expected.  Only the first value for the attribute is added and the others are discarded.

      How to reproduce the issue

      Simplest scenario:

      1). Install AM 5.5.1

      2). Edit an existing user with an LDAP browser and add the businessCategory attribute to the user.  This is of type OID 1.2.840.113556. which is the Directory String syntax type.  Add multiple values to this attribute for testing purposes.

      3). Edit the default 'OIDC Claims Script' and add businessCategory to this:

      claimAttributes = [
              "email": userProfileClaimResolver.curry("mail"),
              "businessCategory": userProfileClaimResolver.curry("businessCategory"),
              // ...remaining default claim resolvers unchanged
      ]

      ...and in the scopeClaimsMap here:

      "profile": [ "given_name", "zoneinfo", "family_name", "locale", "name", "businessCategory" ]

      4). Create an OIDC OAuth2 client in AM named 'test'

      5). Logout and send the following type of request via the browser for verification:


      6). Note the following on the subsequent consent page, all is as expected here:

      Given name: test
      Family name: test
      Full name: test
      businessCategory: [test, test2, test3]

      7). Generate an id_token:

      curl -v --request POST --data "response_type=token%20id_token&scope=profile%20openid%20profile&client_id=test&save_consent=1&decision=Allow&nonce=1234&redirect_uri=http://www.example.com&csrf=VzB6-A5F...9AAJTMQAA*" --cookie "iPlanetDirectoryPro=VzB6-A5F...9AAJTMQAA*" http://openam.example.com:8080/AM551/oauth2/realms/root/authorize

      8). Check the resulting JWT and note the single initial value for businessCategory:

      {
        "at_hash": "pk72qEZl9iK0lglldAyONg",
        "sub": "test",
        "auditTrackingId": "9190bd23-b982-4aa9-8987-444edc410ce3-125960",
        "iss": "http://openam.example.com:8080/AM551/oauth2",
        "tokenName": "id_token",
        "given_name": "test",
        "nonce": "1234",
        "aud": "test",
        "azp": "test",
        "auth_time": 1517840128,
        "name": "test",
        "businessCategory": "test",
        "realm": "/",
        "exp": 1517845401,
        "tokenType": "JWTToken",
        "family_name": "test",
        "iat": 1517841801
      }
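      To make the check in step 8 repeatable, the following added Python script (not part of this report or of AM itself) decodes the payload segment of an id_token and compares a claim against the set of values expected from the directory, reporting whether the claim is complete, missing, or collapsed to a single scalar as described above. The sample payload is constructed from the claims shown in step 8, the signature segment is a placeholder, and the script deliberately performs no signature validation, so it is only meaningful on a token whose signature has already been checked.

```python
import base64
import json

# Constructed sample payload mirroring the claims listed in step 8 of the report.
# Only the first LDAP value of businessCategory is present, which is the bug.
SAMPLE_CLAIMS = {
    "sub": "test",
    "iss": "http://openam.example.com:8080/AM551/oauth2",
    "given_name": "test",
    "name": "test",
    "businessCategory": "test",
    "family_name": "test",
}


def _b64url_encode(data: bytes) -> str:
    # JWT segments use base64url without '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Restore the padding that JWT strips before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def build_unsigned_jwt(claims: dict) -> str:
    """Assemble a three-segment compact JWT with a placeholder signature.

    This exists only to produce constructed test input; a real id_token from AM
    carries a genuine signature that must be verified before its claims are trusted.
    """
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        "PLACEHOLDER-SIGNATURE",
    ])


def decode_claims(id_token: str) -> dict:
    """Return the payload claims of a compact-serialised JWT (no signature check)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def check_multivalued_claim(id_token: str, claim: str, expected_values: set) -> dict:
    """Compare one claim against the values held for the user in the directory.

    Returns the values present in the token, the values missing from it, and a
    verdict: "ok", "truncated-to-first-value" (scalar emitted where a list was
    expected, i.e. the behaviour this report describes) or "missing-values".
    """
    claims = decode_claims(id_token)
    raw = claims.get(claim)
    if raw is None:
        present = set()
    elif isinstance(raw, list):
        present = set(raw)
    else:
        present = {raw}  # scalar claim: a single value was emitted
    missing = expected_values - present
    if not missing:
        verdict = "ok"
    elif present and not isinstance(raw, list):
        verdict = "truncated-to-first-value"
    else:
        verdict = "missing-values"
    return {"present": present, "missing": missing, "verdict": verdict}


if __name__ == "__main__":
    token = build_unsigned_jwt(SAMPLE_CLAIMS)
    # Values added to businessCategory in step 2 of the report.
    result = check_multivalued_claim(token, "businessCategory", {"test", "test2", "test3"})
    print(result)
```

      Run against a real id_token, replace the constructed token with the JWT returned by the authorize request and the expected set with the values read back from the LDAP entry; a verdict of "truncated-to-first-value" reproduces this issue, while "ok" is what a fixed build should give.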


      Expected behaviour
      Multiple values for the attribute should be returned
      Current behaviour
      Single value is returned - "businessCategory": "test",





            sachiko Sachiko Wallace
            andy.itter Andy Itter