• Sprint:
      AM Sustaining Sprint 60, AM Sustaining Sprint 61
    • Are the reproduction steps defined?:
      Yes and I used the same as in the description


      Bug description

      typo and wrong method call in

      How to reproduce the issue

      Basic steps on how to set up the remote consent service are described in the OAuth2 Guide:

      NOTE: you need to enable the `Enable "claims_parameter_supported"` parameter on the [Advanced OpenID Connect] tab under OAuth2Provider

      After setting up the remote consent service, you need to add the claims request parameter to the authorize request

      /authorize endpoint will then redirect the request to

      When you decode this JWT string, you will notice that
      1. claims attribute contains `user_info` instead of `userinfo`
      2. userinfo claims are overwritten by what was in id_token claim request

      "claims":{"user_info":{"email":{"essential":true}},"id_token":{"email":{"essential":true}}},  <--- HERE

      Note that consentApprovalRedirectUri contains the correct information, so when the user accesses the /userinfo endpoint, the user will get the correct claims.
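
A regression check for the two symptoms listed above, as an added example that is not part of the original report or of the product's code: it decodes the consent request JWT payload and compares its `claims` member with the claims parameter sent to /authorize. The function names, the unsigned sample tokens and the requested claims are constructed for illustration; it assumes the token is a signed but unencrypted JWT, and the decode is for inspection only (no signature verification).

```python
import base64
import json

def _b64url(obj: dict) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_unsigned_token(payload: dict) -> str:
    """Build a constructed, unsigned JWT so the example runs offline."""
    return f'{_b64url({"alg": "none"})}.{_b64url(payload)}.'

def jwt_payload(token: str) -> dict:
    """Decode a compact JWT's payload for inspection (no signature check)."""
    part = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def check_consent_claims(token: str, requested: dict) -> list:
    """List every way the token's "claims" member deviates from the request."""
    claims = jwt_payload(token).get("claims", {})
    findings = []
    # Only "userinfo" and "id_token" are valid members of a claims request.
    for name in sorted(set(claims) - {"userinfo", "id_token"}):
        findings.append(f"unexpected member: {name}")
    # Fall back to the misspelled key so its content is still checked.
    userinfo = claims.get("userinfo", claims.get("user_info"))
    if userinfo != requested.get("userinfo"):
        copied = userinfo == requested.get("id_token")
        detail = "copy of id_token request" if copied else "mismatch"
        findings.append(f"userinfo content: {detail}")
    if claims.get("id_token") != requested.get("id_token"):
        findings.append("id_token content: mismatch")
    return findings

# Constructed sample data: the claims parameter sent to /authorize, and two
# consent request payloads (one showing the reported behaviour, one correct).
REQUESTED = {
    "userinfo": {"given_name": {"essential": True}},
    "id_token": {"email": {"essential": True}},
}
BUGGY_TOKEN = make_unsigned_token({"claims": {
    "user_info": REQUESTED["id_token"], "id_token": REQUESTED["id_token"]}})
FIXED_TOKEN = make_unsigned_token({"claims": REQUESTED})

if __name__ == "__main__":
    for label, tok in (("buggy", BUGGY_TOKEN), ("fixed", FIXED_TOKEN)):
        print(label, check_consent_claims(tok, REQUESTED))
```

Requesting different claims under `userinfo` and `id_token` is what makes the overwrite visible; with identical requests only the misspelled member name shows up.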

      Expected behaviour
      The claims attribute should return `userinfo` rather than `user_info`, and its contents should be the userinfo claims rather than what's defined under the id_token claim request
      Current behaviour
      The claim is returned as "user_info" and its contents are those of the id_token claim request
      Code Analysis

      There's a typo in the 'user_info', this should be 'userinfo'. The foreach for putting data into the userInfoClaims actually uses the getIdTokenClaims() instead. I think it should be like this:

          public Map<String, Object> asMap() {
              Map<String, Object> claims = new HashMap<>();
              if (!getIdTokenClaims().isEmpty()) {
                  Map<String, Object> idTokenClaims = new HashMap<>();
                  for (Claim claim : getIdTokenClaims().values()) {
                      idTokenClaims.put(claim.getNameWithLocale(), claim.asMap());
                  }
                  claims.put("id_token", idTokenClaims);
              }
              if (!getUserInfoClaims().isEmpty()) {
                  Map<String, Object> userInfoClaims = new HashMap<>();
                  // Iterate the userinfo claims, not getIdTokenClaims().
                  for (Claim claim : getUserInfoClaims().values()) {
                      userInfoClaims.put(claim.getNameWithLocale(), claim.asMap());
                  }
                  // The member name is "userinfo", not "user_info".
                  claims.put("userinfo", userInfoClaims);
              }
              return claims;
          }

      The only place using this asMap() is in the 



              • Assignee:
                sachiko Sachiko Wallace
       Mark Nienaber