OpenAM / OPENAM-17698

Make claims on request object configurable

Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Component: OpenID Connect

    Description

      An OIDC RP can request certain claims from the OP. See https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest for the list of OIDC request parameters that can be carried in a request object. AM as an RP does not support this; we would need to add configuration option(s) on the Social Identity Provider configuration that allow an admin to configure the claims the RP should request.

      To clarify the term "claims": it has a dual meaning when it comes to request objects. First, a request object is a JWT, so any property within the JWT's payload can be considered a claim. With OIDC, however, there is also the "claims parameter" (https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter), which is a way for an RP making an authentication request to ask for additional "claims" about the user on whose behalf the RP is performing the authentication, and/or about the authentication process itself; upon successful authentication these are presented in the id_token and/or the userinfo response.

      It should be noted that the "claims" property MAY contain non-spec entries that both the RP and OP agree on, as can the request object as a whole, so ideally this flexibility should be accounted for in the configuration of the request object on the social ID providers page.

      Acceptance Criteria

      • Userinfo claims can be configured via social IDP and included in a request object
      • IdToken claims can be configured via social IDP and included in a request object
      • Custom claims can be configured via social IDP and included in a request object
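      As an added illustration (not OpenAM code), this is the shape a request object takes when the three configurable groups above are fed into it: userinfo claims, id_token claims (each optionally marked essential) and agreed non-spec entries, both inside the "claims" parameter and at the top level of the JWT. The client id, secret, issuer and redirect URI are constructed values, and HS256 over the client_secret is a demo choice for the signature.

```python
import base64
import hashlib
import hmac
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def build_claims_parameter(userinfo=(), id_token=(), essential=(), custom=None):
    """Assemble the OIDC 'claims' parameter from three configured groups.
    Names in 'essential' are requested as {"essential": true}, others as null;
    'custom' holds non-spec entries the RP and OP have agreed on."""
    def group(names):
        return {n: ({"essential": True} if n in essential else None) for n in names}
    claims = {}
    if userinfo:
        claims["userinfo"] = group(userinfo)
    if id_token:
        claims["id_token"] = group(id_token)
    if custom:
        claims.update(custom)
    return claims

def build_request_object(client_id, op_issuer, redirect_uri, client_secret,
                         claims, nonce, extra=None):
    """Produce the request object JWT, signed HS256 with client_secret (demo
    choice; a production RP would usually use its asymmetric key).
    'extra' carries agreed non-spec top-level properties."""
    payload = {"iss": client_id, "aud": op_issuer, "client_id": client_id,
               "response_type": "code", "redirect_uri": redirect_uri,
               "scope": "openid", "nonce": nonce}
    if claims:
        payload["claims"] = claims
    if extra:
        payload.update(extra)
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(p, separators=(",", ":"), sort_keys=True).encode())
        for p in (header, payload))
    tag = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(tag)

def verify_and_decode(jwt, client_secret):
    """OP-side check: recompute the tag in constant time; return the payload,
    or None when the signature does not match (the OP must then reject it)."""
    head, body, tag = jwt.split(".")
    expected = hmac.new(client_secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), tag):
        return None
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
```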

People

    • Assignee: Unassigned
    • Reporter: michael.carter (Michael Carter, inactive)
    • Votes: 2
    • Watchers: 4