I am trying to use https://myidentity/oauth2/userinfo to extract information about the logged-in user, but it only returns one field:
{
"sub": "username"
}
I have completely mapped the fields from http://wso2.org/claims/photo to http://wso2.org/claims/oidc/photo.
What can I do?
Since the claims that you are requesting are on the local claim dialect, you can use the local claim dialect for requesting claims. Please refer to the official documentation for more information [1].
[1] https://is.docs.wso2.com/en/5.9.0/learn/configuring-claims-for-a-service-provider/
I'm trying to configure a service provider in WSO2 Identity Server v5.7.0 in order to export the UUID and roles of a user as part of the JWT token. I've done it like this, but only the roles are exported; the UUID is not shown.
local claim: http://wso2.org/claims/userid, mandatory claim: yes
local claim: http://wso2.org/claims/role, mandatory claim: yes
Steps:
1. In the WSO2 IS admin console -> Main tab, locate the service provider I've created.
2. In "Claim Configuration", I chose "Use Local Claim Dialect".
3. In "Requested Claims" I added the claim URIs "wso2.org/claims/userid" and "wso2.org/claims/role"; both of them are marked "Mandatory Claim".
After saving it, I use curl -u kbxx:Vyy -k -d "grant_type=password&username=youfa.mao&password=x&scope=openid" -H "Content-Type:application/x-www-form-urlencoded" xxx:yyy/oauth2/token to get the JWT token.
Only the roles are in the token; the user UUID is not found.
In WSO2 Identity Server, the password grant type issues an id_token (JWT) adhering to the OIDC core specification. In order to get a user claim into the JWT you need a mapping between WSO2 claims (http://wso2.org/claims) and OIDC claims (http://wso2.org/oidc/claim). For the role claim this mapping already exists: http://wso2.org/role maps to the groups claim in the OIDC dialect.
Please follow the steps below, in addition to what you did, to get the userid claim into the id_token (JWT):
1. Add userid to the OIDC claim dialect:
   Dialect URI: http://wso2.org/oidc/claim
   Claim URI: userid
   Mapped Local Claim: http://wso2.org/claim/userid
2. From the management console UI, under "OIDC Scopes", add the userid claim to the openid scope.
You need to map WSO2 claims to OIDC claims in order to achieve this. This blog, in particular section 6 on claim configuration, will help you understand how to add WSO2 claim mappings.
In the WSO2 IS admin console, we are trying to set the user claims for a service provider under "Claim Configuration".
We selected the Claim Mapping Dialect as "Define Custom Claim Dialect" and added the local claims:
http://wso2.org/claims/givenname
http://wso2.org/claims/lastname
http://wso2.org/claims/emailaddress
But when we perform a curl against /oauth2/userinfo, it only gives us the last name and email; the first name is not being returned.
Returned User Info:
{"sub":"abc#carbon.super","family_name":"abcFN","email":"abc#abc.com"}
Any pointers for the issue will be helpful.
There is actually an error in the mapping of the given name attribute between the OIDC claim and the WSO2 claim:
1. In the management console, go to Home > Identity > Claims > List > claim.view.
2. Click on http://wso2.org/oidc/claim in the Available Claims Dialect list.
3. Change the mapping for given_name to Mapped Local Claim: http://wso2.org/claims/givenname.
In order to get the first name through the userinfo endpoint, you should have an OIDC claim mapping with http://wso2.org/claims/givenname.
Could you please check whether your given_name claim under the OIDC dialect has a mapping with http://wso2.org/claims/givenname?
I have added a local custom claim, namely http://wso2.org/claims/fg_imprenditore, to the http://wso2.org/claims dialect and mapped it to a custom primary user store attribute (JDBC user store).
The custom claim appears in the user profile and I can set/update the value correctly.
I have defined a new service provider and added the custom claim in Claim Configuration -> Use Local Claim Dialect.
In addition, I have edited /_system/config/oidc and modified the openid property to include the new claim as follows: sub,...,street,http://wso2.org/claims/fg_imprenditore
Now, the issues:
I request a JWT token from a JavaScript client with the following request:
http://**********/?response_type=id_token&client_id=" + "f8SatEWpyi1qvPLVspsDfTbefm0a" + "&scope=openid&redirect_uri=http://localhost:3000/oauth_callback.html&nonce=" + nonce
After login, the WSO2 IS server prompts the following message (even if the attribute is already present in the profile): "You are trying to login to **** application, but it needs following information filled in the user profile. You can fill those below and proceed with the authentication. But it is advised to fill these information in your Identity Provider profile in order to avoid this step every time you login."
If I fill in the field (correctly) labeled "http://wso2.org/claims/fg_imprenditore" I can proceed. In any case, the claim is not returned in the JWT token.
In addition, if I go to the user profile the attribute is set correctly (with the new value!), but if I try to authenticate again I need to fill in the attribute again.
Many thanks for the support.
If you don't mark the claim as mandatory on your service provider, it shouldn't request it when you try to log in. Also, in order for the JWT to contain your custom claim, you need to map the custom claim to a new custom claim under the OAuth dialect, and then map the new OAuth claim under the OIDC scope you use. It took me a while to get it too, as there isn't sufficient documentation describing these steps. Hope this solves your issue.
This happens because the "http://wso2.org/claims/fg_imprenditore" claim is not mapped to any OIDC claim in WSO2 IS. Do the following to get rid of the issue:
1. Go to List under Claims in the IS Management Console Main tab.
2. Click on http://wso2.org/oidc/claim.
3. Add a new claim with the name fg_imprenditore in the OIDC claim dialect. You will see a drop-down to select "Mapped Local Claim"; map it to http://wso2.org/claims/fg_imprenditore. (Check the "Add External Claim" section in the documentation.)
4. Save the new OIDC claim and try again.
In some previous WSO2 IS versions, there was a default self sign-up feature.
However, I could not find it in version 5.0.
Reading the WSO2 IS 5.0 documentation, what I found are two APIs used for this feature:
getUserIdentitySupportedClaims() - Set of claims to which the user profile details should be saved in the Identity Server.
registerUser() - This registers a user in the system. You need to pass values like user name, password, claim attributes and values returned from the previous call and the tenant domain. The confirmation code is sent by email to the given email address.
So, is the self sign-up feature hidden somewhere, or do I need to implement it myself?
And is there any example of using the APIs for this feature?
Thank you.
This is available in the dashboard:
https://<url>:9443/dashboard/
You can use the following service for signing up users:
https://<url>:9443/services/UserInformationRecoveryService?wsdl
Note that in WSO2 products, admin service WSDLs are hidden by default. You can expose them by setting the HideAdminServiceWSDLs parameter to 'false' in <IS>/repository/conf/carbon.xml.
After performing the authentication against the WSO2 IS 5.0.0 and negotiating the access token, I perform a call to the userinfo endpoint:
https://:9443/oauth2/userinfo?schema=openid
It answers correctly with a JWT, but always using the dialect http://wso2.org/oidc/claim, even if another dialect is configured in identity.xml (for example http://wso2.org/claims).
It seems like the userinfo endpoint ignores the dialect configuration. Has anybody else faced this problem?
Is it a bug or am I missing something?
I think this is not a bug, because by default the OpenID claim dialect returns userinfo (OIDC) according to the OpenID specification. WSO2 uses the default claim dialect to retrieve userinfo as the WSO2 claim dialect, but this WSO2 claim dialect should be mapped to the OpenID claim dialect (http://wso2.org/oidc/claim).
If you want to retrieve more userinfo than the default, you need to map "http://wso2.org/claims" attributes to "http://wso2.org/oidc/claim". Otherwise it returns only the properties mapped by default ("phone_number", "email", "family_name" and "country").
The steps below retrieve "mobile" as a claim, though it is not configured by default:
1. Go to "Claim Management" under the "Configure" tab.
2. Then click "http://wso2.org/oidc/claim" and check whether this "Mobile" claim is available or not.
3. If it is not available, you need to add a new claim mapping.
4. If this "Mobile" claim already exists, you need to check whether its mapped attribute is equal to the mapped attribute of "http://wso2.org/claims/mobile".
(Note: the mapped attribute of a particular http://wso2.org/oidc/claim claim should be equal to the attribute of the corresponding http://wso2.org/claims claim.)
In this way you can map particular "http://wso2.org/claims" claims to "http://wso2.org/oidc/claim" claims.
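An added diagnostic, written for this answer and for the earlier answers on the same claim-mapping problem (it is not WSO2 code): it decodes an id_token payload, or takes a /oauth2/userinfo JSON response, and lists which local claims still have no OIDC counterpart in the output, so the administrator knows which http://wso2.org/oidc/claim entry or openid-scope membership is missing. The LOCAL_TO_OIDC table, the constructed sample token and userinfo document, and the IS_BASE_URL / ACCESS_TOKEN environment variables are assumptions of this example; the decoder only inspects the payload and does not verify the token signature.

```python
"""Diagnose which OIDC claims an id_token or /oauth2/userinfo response lacks.

Added example for the claim-mapping threads above; it is not WSO2 code.
The JWT payload is decoded WITHOUT signature verification: this is an
inspection aid for an administrator debugging their own server's output,
not a token validation step.
"""
import base64
import json
import os
import urllib.request

# Local claim URI -> expected OIDC claim name. The first rows follow the
# default http://wso2.org/oidc/claim mappings the answers above describe;
# "userid" is the custom external claim one answer adds. This table is an
# assumption of the example: compare it against your own Claims > List page.
LOCAL_TO_OIDC = {
    "http://wso2.org/claims/givenname": "given_name",
    "http://wso2.org/claims/lastname": "family_name",
    "http://wso2.org/claims/emailaddress": "email",
    "http://wso2.org/claims/mobile": "phone_number",
    "http://wso2.org/claims/role": "groups",
    "http://wso2.org/claims/userid": "userid",
}


def _b64url_decode(segment: str) -> bytes:
    """Base64url-decode one JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_payload(token: str) -> dict:
    """Return the claims in a compact JWS payload (no signature check, see above)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def missing_claims(returned: dict, expected_local: list) -> list:
    """List the local claim URIs whose OIDC counterpart is absent from `returned`.

    Each URI reported here still needs an entry under http://wso2.org/oidc/claim
    (and, for the id_token, membership in the openid scope) on the server.
    """
    return [local for local in expected_local
            if LOCAL_TO_OIDC.get(local, local) not in returned]


def fetch_userinfo(base_url: str, access_token: str) -> dict:
    """GET <base_url>/oauth2/userinfo with a Bearer token (live network call)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/oauth2/userinfo",
        headers={"Authorization": "Bearer " + access_token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def make_unsigned_token(payload: dict) -> str:
    """Build an alg=none compact JWT: used only to construct offline samples."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(payload) + "."


# Constructed samples mirroring the symptoms reported in the threads above.
SAMPLE_ID_TOKEN = make_unsigned_token({"sub": "username"})
SAMPLE_USERINFO = {"sub": "abc@carbon.super", "family_name": "abcFN",
                   "email": "abc@abc.com"}


def report(returned: dict, expected_local: list) -> str:
    """Human-readable summary of what came back and what still needs mapping."""
    gaps = missing_claims(returned, expected_local)
    lines = ["returned claims: " + ", ".join(sorted(returned))]
    for local in gaps:
        lines.append("missing %s (expected OIDC claim '%s')"
                     % (local, LOCAL_TO_OIDC.get(local, local)))
    if not gaps:
        lines.append("all expected claims present")
    return "\n".join(lines)


if __name__ == "__main__":
    wanted = ["http://wso2.org/claims/givenname",
              "http://wso2.org/claims/lastname",
              "http://wso2.org/claims/emailaddress"]
    # Live check only when the caller supplies the server and a real token.
    base, tok = os.environ.get("IS_BASE_URL"), os.environ.get("ACCESS_TOKEN")
    if base and tok:
        print(report(fetch_userinfo(base, tok), wanted))
    else:
        print(report(jwt_payload(SAMPLE_ID_TOKEN), wanted))
        print(report(SAMPLE_USERINFO, wanted))
```

Run it with no environment variables to see the offline samples diagnosed (the token that carries only "sub", and the userinfo document that lacks given_name); set IS_BASE_URL and ACCESS_TOKEN to run the same report against a live userinfo endpoint. Any URI listed as missing is the local claim whose http://wso2.org/oidc/claim mapping (or scope entry) should be checked next.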