[OPENAM-13082] Address claim in default OIDC claims script outputs non-spec compliant format
Created: 14/May/18 | Updated: 21/Apr/20 | Resolved: 23/May/18
Status: | Resolved |
Project: | OpenAM |
Component/s: | oauth2, scripting |
Affects Version/s: | 5.5.1, 6.0.0 |
Fix Version/s: | 6.0.0.2, 6.5.0, 6.0.1, 5.5.2 |
Type: | Bug | Priority: | Major |
Reporter: | Andy Itter | Assignee: | Sean ONeill [X] (Inactive) |
Resolution: | Fixed | Votes: | 0 |
Labels: | AME, Must-Fix, TESLA | ||
Remaining Estimate: | Not Specified | ||
Time Spent: | Not Specified | ||
Original Estimate: | Not Specified |
Target Version/s: | |
Rank: | 1|hzvy0v: |
Needs backport: | Yes |
Support Ticket IDs: | |
Verified Version/s: | |
Needs QA verification: | No |
Functional tests: | No |
Are the reproduction steps defined?: | Yes, and I used the same as in the description |
Description
Bug description

The 'address' claim resolver mapping in the default OIDC claims script produces a non-spec-compliant format, as can be seen when accessing the userinfo endpoint. This also has the side effect of causing a display problem on the consent page. Currently the script contains this:

    "address": { claim, identity -> [ "formatted" : userProfileClaimResolver("postaladdress", claim, identity) ] },

How to reproduce the issue

1. Set up an AM OIDC environment where the address scope is requested and populated.
2. Access the userinfo endpoint and verify the current response format for address.

Expected behaviour

    {
        "address": {
            "formatted": "123 a street"
        },
        "given_name": "demo",
        "family_name": "demo",
        "name": "demo",
        "sub": "demo"
    }

Current behaviour

    {
        "formatted": {
            "address": "123 a street"
        },
        "given_name": "demo",
        "family_name": "demo",
        "name": "demo",
        "sub": "demo"
    }

Work around/adjustment to the OIDC claims script

Edit the OIDC claims script and add the following section:

    // Builds the "address" claim object as an OIDC AddressClaim; only
    // "formatted" is populated from the postaladdress profile attribute.
    addressClaimResolver = { identity ->
        return [
            "formatted" : fromSet("postaladdress", identity.getAttribute("postaladdress")),
            "street_address": "",
            "locality": "",
            "region" : "",
            "postal_code": "",
            "country" : ""
        ]
    }

Note that this includes the rest of the fields from the OIDC spec (unimplemented); delete or complete these as desired.

Reference: http://openid.net/specs/openid-connect-core-1_0.html#AddressClaim

...and then adjust the existing address line in the claimAttributes section so that it becomes:

    "address": { claim, identity -> [ "address": addressClaimResolver(identity) ] },

This should give the following output from the userinfo endpoint:

    {
        "address": {
            "formatted": "123 a street",
            "street_address": "",
            "locality": "",
            "region": "",
            "postal_code": "",
            "country": ""
        },
        "given_name": "demo",
        "family_name": "demo",
        "name": "demo",
        "sub": "demo"
    }

...or like this if the other fields from the addressClaimResolver part of the script are removed:

    {
        "address": {
            "formatted": "123 a street"
        },
        "given_name": "demo",
        "family_name": "demo",
        "name": "demo",
        "sub": "demo"
    }

Note that this adjustment will also allow the consent page to display correctly.
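A quick way to check a userinfo response for this defect, as an added example that is not part of this issue or of AM's own code: it validates the address claim against the member names defined in OIDC Core section 5.1.1 and reports the inverted nesting the default script produces. The two sample responses are constructed from the expected and current output above.

```python
import json

# Member names OpenID Connect Core 1.0 (section 5.1.1) defines for the
# "address" claim. Each is optional, and each must be a JSON string.
ADDRESS_MEMBERS = {"formatted", "street_address", "locality",
                   "region", "postal_code", "country"}


def check_address_claim(userinfo_json):
    """Return a list of problems with the address claim in a userinfo
    response body (empty list means spec-compliant). Input is raw JSON text."""
    problems = []
    body = json.loads(userinfo_json)
    address = body.get("address")
    if address is None:
        # The defective script nests the map the wrong way round, so an
        # address member such as "formatted" ends up as a top-level claim.
        stray = sorted(k for k in ADDRESS_MEMBERS if k in body)
        if stray:
            problems.append(
                "no 'address' claim, but address member(s) at top level: "
                + ", ".join(stray))
        else:
            problems.append("no 'address' claim in response")
        return problems
    if not isinstance(address, dict):
        problems.append("'address' must be a JSON object, got %s"
                        % type(address).__name__)
        return problems
    for key, value in address.items():
        if key not in ADDRESS_MEMBERS:
            problems.append("unknown address member %r" % key)
        elif not isinstance(value, str):
            problems.append("address member %r must be a string" % key)
    return problems


# Constructed samples mirroring the issue's expected and current output.
EXPECTED = '{"address": {"formatted": "123 a street"}, "sub": "demo"}'
CURRENT = '{"formatted": {"address": "123 a street"}, "sub": "demo"}'

if __name__ == "__main__":
    for label, sample in (("expected", EXPECTED), ("current", CURRENT)):
        print(label, check_address_claim(sample) or "OK")
```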
Comments
Comment by Ľubomír Mlích [ 14/Jun/18 ]
Is there AM documentation with an example of how to "Access the userinfo endpoint"?
Comment by Ľubomír Mlích [ 15/Jun/18 ]
Reproduced in ForgeRock Access Management 6.0.0.1 Build e149ecbb9b (2018-May-23 20:06)
Verified in ForgeRock Access Management 6.0.0.2 Build 3a1761ce2e (2018-June-12 22:40)
Verification steps: