[OPENAM-13082] Address claim in default OIDC claims script outputs non-spec compliant format
Created: 14/May/18 Updated: 21/Apr/20 Resolved: 23/May/18
|Affects Version/s:||5.5.1, 6.0.0|
|Fix Version/s:||18.104.22.168, 6.5.0, 6.0.1, 5.5.2|
|Reporter:||Andy Itter||Assignee:||Sean ONeill [X] (Inactive)|
|Labels:||AME, Must-Fix, TESLA|
|Remaining Estimate:||Not Specified|
|Time Spent:||Not Specified|
|Original Estimate:||Not Specified|
|Support Ticket IDs:|
|Needs QA verification:||
|Are the reproduction steps defined?:||Yes and I used the same as in the description|
The 'address' claim resolver mapping code in the default OIDC claims script results in a non-spec compliant format as demonstrated when accessing the userinfo endpoint.
This also has the side-effect of causing a display problem with the consent page.
Currently the script contains this:
1). Set up an AM OIDC environment where the address scope is requested and populated.
2). Access the userinfo endpoint and verify the current response format for address.
Edit the OIDC claims script and add the following section:
Note that this includes the rest of the fields from the OIDC spec (unimplemented) - delete or complete these as desired. Reference: http://openid.net/specs/openid-connect-core-1_0.html#AddressClaim
...and then adjust the existing address line in the claimAttributes section so that it becomes:
This should give the following output from the userinfo endpoint:
...or like this if the other fields from the addressClaimResolver part of the script are removed:
Note that this adjustment will also allow the consent page to display correctly.
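A check for step 2 of the reproduction, as an added example that is not part of the original ticket or of AM's claims script: it tests whether the `address` claim in a userinfo response has the JSON-object shape defined in OpenID Connect Core 1.0, section 5.1.1. The function name and the sample bodies are constructed for illustration (they are not captured AM output), and the response is assumed to be plain JSON rather than a signed JWT.

```python
import json

# Members defined for the address claim in OpenID Connect Core 1.0, section 5.1.1.
ADDRESS_MEMBERS = {"formatted", "street_address", "locality",
                   "region", "postal_code", "country"}

# Constructed sample userinfo bodies (illustrative only, not AM output).
SAMPLES = {
    "object": '{"sub":"demo","address":{"formatted":"1 Example St\\nExampletown","country":"GB"}}',
    "string": '{"sub":"demo","address":"1 Example St, Exampletown"}',
    "nested_list": '{"sub":"demo","address":{"formatted":["1 Example St"]}}',
}


def check_address_claim(userinfo_body):
    """Return a list of problems with the 'address' claim in a userinfo JSON body.

    An empty list means the claim is absent or has the shape the spec defines.
    """
    claims = json.loads(userinfo_body)
    if "address" not in claims:
        return []
    address = claims["address"]
    # The spec represents the address claim as a JSON object.
    if not isinstance(address, dict):
        return ["address is %s, expected a JSON object" % type(address).__name__]
    problems = []
    for name, value in address.items():
        if name not in ADDRESS_MEMBERS:
            # Members outside the spec's list are flagged for review.
            problems.append("unexpected member %r" % name)
        elif not isinstance(value, str):
            # Each defined member carries a single string value.
            problems.append("member %r is %s, expected a string"
                            % (name, type(value).__name__))
    return problems


if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, check_address_claim(body) or "ok")
```

Running the same check before and after editing the claims script shows whether relying parties that parse `address` as an object will accept the response.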
|Comment by Ľubomír Mlích [ 14/Jun/18 ]|
Is there AM documentation with an example of how to use "Access the userinfo endpoint"?
|Comment by Ľubomír Mlích [ 15/Jun/18 ]|
Reproduced in ForgeRock Access Management 22.214.171.124 Build e149ecbb9b (2018-May-23 20:06)
Verified in ForgeRock Access Management 126.96.36.199 Build 3a1761ce2e (2018-June-12 22:40)