Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
440 views
in Technique[技术] by (71.8m points)

wso2is - WSO2 IS: OpenID Connect custom claims in 5.2.0?

I have installed WSO2 IS 5.2.0 and I have problem to retrieve custom created claims.

I've added new claims to dialect http://wso2.org/claims and I also added new claims that map the same attribute to dialect http://wso2.org/oidc/claim that worked with version 5.1.0 but in version 5.2.0 not working.

All fields are present in database attribute table. I am using Oauth2 OpenID connect userInfo for fetching user data.

Here is claims configuration for my Service Provider: enter image description here

With this configuration in 5.1.0 I got all requested claims from image, but in 5.2.0 I get only claims that are not custom - that was already present in both dialects by default.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

The reason for this behaviour is the introduction of OpenIDConnect claim scopes in 5.2.0. So basically when you are requesting for a OIDC token you can specify a scope value that is bound to a set of claims. So when you send that OIDC token to the userinfo endpoint only those claims which are common in both OIDC scope config and SP claim configuration (ie. intersection of claim in both these configs) will be returned.

Let's take an example, consider the default required scope need to get an OIDC token which is 'openid'

openid scope is bound to the following schemes.

sub, email, email_verified, name, family_name,given_name,middle_name,nickname,preferred_username,profile,picture,website,gender,birthdate,zoneinfo,locale,updated_at,phone_number,phone_number_verified,address,street

(you can configure this using 'oidc' file found in the registry at /_system/config/oidc)

enter image description here

So in your case please add the custom claims slotCentreURL,role, slotCentre into the mapped claims for this scope by editing the oidc file.

enter image description here

Alternatively you can add a new scope say 'customSPScope1' with claims that you need, send it when getting the OIDC token in addition to the mandatory openid scope.

You also need to configure the required claims at Service Provider configuration. The logic here is that only the intersection of claims configured at OIDC scope level and claims configured at SP level are returned.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...