[OPENAM-10585] The "claims" Request Parameter from the openid standard isn't functional Created: 09/Feb/17  Updated: 18/Jan/18  Resolved: 08/May/17

Status: Resolved
Project: OpenAM
Component/s: OpenID Connect
Affects Version/s: 13.5.0, 14.0.0
Fix Version/s: 14.1.0, 14.5.0

Type: Bug Priority: Major
Reporter: Quentin CASTEL [X] (Inactive) Assignee: Phill Cunnington
Resolution: Fixed Votes: 0
Labels: AME, Must-Fix
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
is related to OPENAM-11096 Document full OIDC claims support Resolved
is related to OPENAM-10989 Add step up capability with OIDC by a... Open
Target Version/s:
Support Ticket IDs:



OpenAM is currently not responding as described in the standard. Tests with claims in request parameter simply doesn't work at all. It either returns a 500 or ignore the claims send with the request.

How to reproduce

Just try to do the example from the standard, in our functional tests language, it would be:

describe("Using claims request parameter", () -> {
            beforeEach(() -> {

                ClientAndServer mockServer = MockHttpServer.create();
                mockServerUrl = "http://localhost:" + mockServer.getPort();
                redirectUrl = mockServerUrl + "/redirect";

                realm = Realm.create();
                resourceOwner = User.builder().email("toto@toto.com").realm(realm).create(server);
                OAuth2Client.Builder clientBuilder = OAuth2Client.builder()

                client = clientBuilder.create();
            when("asking for extra id token claims", () -> {
                only().it("responds with the claims in the id token", () -> {
                    ClaimsRequest claims = new ClaimsRequest()
                            .addIdTokenClaims(new IndividualClaim("auth_time",  IS_ESSENTIAL_TRUE))
                            .addIdTokenClaims(new IndividualClaim("toto",  new ValueClaimMember("bibi")));

                    FlowRequest request = flowRequest(client).redirectUri(redirectUrl).resourceOwner(resourceOwner)
                    AccessTokenResponse accessTokenResponse = flows.useAuthorizationCodeGrantForAccessToken(request);
                    JWSObject jwsObject = JWSObject.parse(accessTokenResponse.openIdToken.get());

            when("asking for extra user info claims", () -> {
                it("responds with the claims in it", () -> {
                    ClaimsRequest claims = new ClaimsRequest()
                            .addUserInfoClaims(new IndividualClaim("email", IS_ESSENTIAL_TRUE));

                    FlowRequest request = flowRequest(client).redirectUri(redirectUrl).resourceOwner(resourceOwner)
                    AccessTokenResponse accessTokenResponse = flows.usePasswordGrantForAccessToken(request);
                    UserInfoResponse userInfoResponse = flows.useInfo(null, client, realm,
                    assertTrue("User info claims '" + userInfoResponse.getClaims() + "' doesn't contain email",
                    AssertJUnit.assertEquals(userInfoResponse.getClaims().get("email"), resourceOwner.emails);

Expected result

You should get the email claim in the id token and/or the user info endpoint response.


No extra claim

Other kind of output also noticed, if you play a little bit with it

"error_description": "Error running OIDC claims script: java.util.concurrent.ExecutionException: javax.script.ScriptException: javax.script.ScriptException: java.lang.NullPointerException: Cannot invoke method call() on null object",
"state": "af0ifjsldkj",
"error": "not_found"

Resulting of trying to do a userinfo with the azp claim.

Comment by James Phillpotts [ 30/Mar/17 ]

This sounds like it is an issue with the default OpenID Connect Claims script.

Comment by Gabor Melkvi [ 30/Mar/17 ]

Removed TESLA label as no intention to work on in the near future

Generated at Sat Sep 26 00:30:27 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.