[OPENAM-13082] Address claim in default OIDC claims script outputs non-spec compliant format Created: 14/May/18  Updated: 21/Apr/20  Resolved: 23/May/18

Status: Resolved
Project: OpenAM
Component/s: oauth2, scripting
Affects Version/s: 5.5.1, 6.0.0
Fix Version/s: 6.0.0.2, 6.5.0, 6.0.1, 5.5.2

Type: Bug Priority: Major
Reporter: Andy Itter Assignee: Sean ONeill [X] (Inactive)
Resolution: Fixed Votes: 0
Labels: AME, Must-Fix, TESLA
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Target Version/s:
Rank: 1|hzvy0v:
Needs backport:
Yes
Support Ticket IDs:
Verified Version/s:
Needs QA verification:
No
Functional tests:
No
Are the reproduction steps defined?:
Yes and I used the same as in the description

Description

Bug description

The 'address' claim resolver mapping in the default OIDC claims script produces a format that does not comply with the OIDC Core spec, as can be seen in the userinfo endpoint response.

This also has the side-effect of causing a display problem with the consent page.

Currently the script contains this:

"address": { claim, identity -> [ "formatted" : userProfileClaimResolver("postaladdress", claim, identity) ] },   

How to reproduce the issue

1. Set up an AM OIDC environment where the address scope is requested and populated.

2. Access the userinfo endpoint and verify the current response format for address.

Expected behaviour
{
 "address": {
  "formatted": "123 a street"
 },
 "given_name": "demo",
 "family_name": "demo",
 "name": "demo",
 "sub": "demo"
}
Current behaviour
{
 "formatted": {
  "address": "123 a street"
 },
 "given_name": "demo",
 "family_name": "demo",
 "name": "demo",
 "sub": "demo"
}

Work around/adjustment to the OIDC claims script

Edit the OIDC claims script and add the following section:

addressClaimResolver = { identity ->
    return [
      "formatted" : fromSet("postaladdress", identity.getAttribute("postaladdress")),
      "street_address": "",
      "locality": "",
      "region" : "",
      "postal_code": "",
      "country" : ""
    ]
}

Note that this includes the remaining address fields from the OIDC spec (not implemented here); delete or complete them as required. Reference: http://openid.net/specs/openid-connect-core-1_0.html#AddressClaim

...and then adjust the existing address line in the claimAttributes section so that it becomes:

"address": { claim, identity -> [ "address": addressClaimResolver(identity)] },

This should give the following output from the userinfo endpoint:

{
 "address": {
  "formatted": "123 a street",
  "street_address": "",
  "locality": "",
  "region": "",
  "postal_code": "",
  "country": ""
 },
 "given_name": "demo",
 "family_name": "demo",
 "name": "demo",
 "sub": "demo"
}

...or like this if the other fields from the addressClaimResolver part of the script are removed:

{
 "address": {
  "formatted": "123 a street"
 },
 "given_name": "demo",
 "family_name": "demo",
 "name": "demo",
 "sub": "demo"
}

Note that this adjustment will also allow the consent page to display correctly.
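To show why the nesting comes out inverted, and to check a userinfo response against the address claim format in OIDC Core 1.0 section 5.1.1, here is an added Python example (not part of this ticket or of AM's own script). It assumes, as the current-behaviour output above implies, that userProfileClaimResolver returns a single-entry map keyed by the claim name; the identity attributes and the response text are constructed.

```python
import json

# OIDC Core 1.0 section 5.1.1: "address" is a JSON object whose members
# are drawn from this set, each holding a string.
ADDRESS_MEMBERS = {"formatted", "street_address", "locality",
                   "region", "postal_code", "country"}

# Constructed attributes standing in for the "demo" user in the ticket.
DEMO_IDENTITY = {"postaladdress": "123 a street", "cn": "demo", "sn": "demo"}

# Constructed userinfo response text in the ticket's "current behaviour" shape.
CURRENT_USERINFO = '{"formatted": {"address": "123 a street"}, "sub": "demo"}'


def user_profile_claim_resolver(attribute, claim_name, identity):
    # Assumption: AM's resolver returns a map keyed by the *claim* name,
    # which is why wrapping it under "formatted" inverts the nesting.
    return {claim_name: identity.get(attribute, "")}


def buggy_address_mapping(identity):
    # The default script's mapping from the ticket.
    return {"formatted": user_profile_claim_resolver("postaladdress", "address", identity)}


def fixed_address_mapping(identity):
    # The ticket's workaround: build the address object and key it by the claim name.
    return {"address": {"formatted": identity.get("postaladdress", "")}}


def check_address_claim(userinfo):
    """Return a list of spec problems with the address claim (empty means OK)."""
    problems = []
    if "address" not in userinfo:
        problems.append("address claim missing")
        if "formatted" in userinfo:  # the inverted shape from the bug
            problems.append("top-level 'formatted' key: address nesting is inverted")
        return problems
    addr = userinfo["address"]
    if not isinstance(addr, dict):
        return ["address is not a JSON object"]
    for key, value in addr.items():
        if key not in ADDRESS_MEMBERS:
            problems.append(f"unknown address member {key!r}")
        elif not isinstance(value, str):
            problems.append(f"address member {key!r} is not a string")
    return problems


def check_userinfo_response(text):
    # Parse a raw userinfo body and validate its address claim.
    return check_address_claim(json.loads(text))
```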



Comments
Comment by Ľubomír Mlích [ 14/Jun/18 ]

Is there AM documentation with an example of how to "Access the userinfo endpoint"?

Comment by Ľubomír Mlích [ 15/Jun/18 ]

Reproduced in ForgeRock Access Management 6.0.0.1 Build e149ecbb9b (2018-May-23 20:06)

Verified in ForgeRock Access Management 6.0.0.2 Build 3a1761ce2e (2018-June-12 22:40)

Verification steps:

  1. install AM
  2. create openid service
  3. add home address to demo user
  4. install https://github.com/ForgeRock/openid
  5. configure oauth2 client according to openid instructions
  6. add address scope to openid/basic.html file
  7. try openid Basic Client Profile (login, allow access and check the decoded id content to see whether there is an address)
Generated at Sat Mar 06 02:35:22 UTC 2021 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.