WSO2 IS 5.2.0: OpenID Connect role claim

I have the following claim configuration in the SP (note that http://wso2.org/claims/role has been added).
The role claim in the http://wso2.org/claims dialect is as follows.
Now I have added a mapping for the "Role" claim to the http://wso2.org/oidc/claim dialect, which has the same Mapped Attribute (role).
Then I added the "roles" claim URI to the openid scope defined in the registry at /_system/config/oidc.
But I still cannot get any roles by accessing the userinfo EP.
curl -k -H "Authorization: Bearer 7f5b531c-f1d9-3775-8de8-30acf09e8673" "https://localhost:9443/oauth2/userinfo?schema=openid"
returns
{"sub":"admin@carbon.super","name":"admin","family_name":"admine","email":"adminvvvvvv@wso2.com"}
Can anybody point out if I missed anything?

You are missing the "support by default" tick in step 3. You can find more details here [1].
[1] http://workaroundz.blogspot.com/2016/10/define-custom-claims-for-openid-connect.html


How to get complete user claims details using X-JWT-Assertion header in wso2 APIM 4.1?

We are moving WSO2 APIM from 3.1 to 4.1.
In 3.1 we get all the user profile claims in the X-JWT-Assertion header.
But in 4.1 we are not getting all the claims; we see only the default claims.
Can you help us get all the claims?
You can follow these steps.
Create an application in the devportal.
When you generate the consumer key and secret in the devportal for this application, it creates the service provider underneath. This service provider will be available when you log into the carbon console.
Click on the service provider and configure the claims under Claim Configuration. You can provide the required claims here as shown in the screenshot.
Update the user profile as in https://is.docs.wso2.com/en/latest/guides/identity-lifecycles/update-profile/
Use the openid scope when generating the access token:
curl -k -X POST https://localhost:9443/oauth2/token \
  -d "grant_type=password&username=admin&password=admin&scope=openid" \
  -H "Authorization: Basic Base64Encoded(ck:cs)"
When the gateway generates the backend JWT, it adds the claims from the access token.

WSO2 IS Custom claim dialect not passed to the Service Provider

I'm using WSO2 Identity Server version 5.10.
I'm facing a strange behaviour. I configured some external IdPs (SAML2 based).
I mapped the claims returned by these IdPs to WSO2IS local claims. For example, let's suppose that my external IdP returns the SAML attribute names a, b and c. I configured the claims in this way:
External IdP claim configuration

  Identity Provider Claim URI    Local Claim URI
  a                              http://wso2.org/address
  b                              http://wso2.org/givenname
  c                              http://wso2.org/lastname
Then I defined a custom claim dialect; let's call it custom_claim_dialect. In it I defined my claim mapping in this way:
Custom claim dialect

  Dialect URI             Claim URI    Mapped Local Claim
  custom_claim_dialect    a            http://wso2.org/address
  custom_claim_dialect    b            http://wso2.org/givenname
  custom_claim_dialect    c            http://wso2.org/lastname
Then I defined a Service Provider (inbound configuration: SAML2 Web SSO) and configured it to use these external IdPs.
In my Service Provider I configured my claims by adding the custom dialect, specifying it in Service Provider Claim Dialect.
Then I tried to access the Service Provider. All worked pretty well, but only the first time.
WSO2IS asks me for consent for the claims and I land on my authenticated page.
When I close the browser, clear the cookies and try the access again, all works well (no consent prompt is shown by WSO2IS), but when I land on my private page no attribute is contained in the SAML Response.
If I configure my Service Provider with WSO2IS local claims, all works well.
Is this correct? Am I missing anything?
Thank you
Angelo
UPDATE
I'm pretty sure it's a kind of bug.
I debugged down to the class org.wso2.carbon.identity.application.authentication.framework.handler.claims.impl.DefaultClaimHandler.
The method org.wso2.carbon.identity.application.authentication.framework.handler.claims.impl.DefaultClaimHandler.handleClaimMappings(StepConfig, AuthenticationContext, Map<String, String>, boolean) returns the correct claims Map. In fact I printed the following log:
INFO {org.wso2.carbon.identity.application.authentication.framework.handler.claims.impl.DefaultClaimHandler} - Returning filtered claims {familyName=Surname, name=Example, dateOfBirth=1980-01-01, spidCode=ABCD123456789A, fiscalNumber=TINIT-SRNXPL80A41A662G, MultiAttributeSeparator=,} to SP mySP
At some point during the process WSO2 IS decides that this Map must not be used.
Any tip?
UPDATE 2
This picture shows how I configure my SP claims. As you can see, I'm using a defined custom claim. When I define a custom claim, I can't make the claims mandatory.
Did you try making these claims mandatory on the IS SP side? Making claims mandatory ensures that you always receive the claim for the application.
If caching is the problem, then you can try to JIT-provision the user [1]. This way the claims from the FIdP are saved on the IS side. "Provision silently" is an easy option to check.
[1] https://is.docs.wso2.com/en/latest/learn/configuring-just-in-time-provisioning-for-an-identity-provider/

WSO2 Identity Server OAuth userinfo only returns sub (revisited)

I called this "revisited" since there are existing questions under the same title. These indicate that the problem described would be solved starting from IS 5.3.
However, I am using IS 5.7.0 and still have the problem that my userinfo call only returns something like {"sub":"Peter"}, or an email address if that is configured as "Subject Claim URI" under my SP.
Whatever I do with the "local claim" settings seems to have no effect in this scenario.
In short, it is a complete mystery to me how to acquire more than a single attribute value from an OpenID Connect call to WSO2 IS.
All help appreciated
Thanks Peter
There was an issue already reported for versions below IS 5.3.0, and it was fixed from IS 5.3.0 onwards. Please check the Jira here. I was able to invoke the userinfo endpoint in IS 5.7.0 and get the claims successfully.
Sample request:
curl --location --request GET 'https://localhost:9443/oauth2/userinfo?scope=openid' \
--header 'Authorization: Bearer 7ca4671f-ab55-33b2-978e-b0795dacc1ef'
Response:
{
  "country": "SL",
  "sub": "piraveena",
  "email": "piraveena@wso2.com"
}
So please verify the following things.
Check whether you have configured those claims under Claim Configuration in the service provider.
Only the claims listed under the openid scope will be returned from the userinfo endpoint, so please make sure that those claims are added to the openid scope. In the management console, navigate to Manage > OIDC Scopes > List > openid and check whether the claim requested by the SP is listed under the openid scope. Please check this documentation on adding claims to the openid scope.
Also verify whether the authenticated user has the relevant attributes in their user profile.
Also check whether you are able to get the claims in the id_token. If you have not configured the above steps properly, you won't get those claims in the id_token either.

How to export the WSO2 user's UUID as part of the JWT token?

I'm trying to configure a service provider in WSO2 Identity Server v5.7.0 in order to export the UUID and roles of a user as part of the JWT token. I've done the following, but only the roles are exported; the UUID is not shown.
local claim: http://wso2.org/claims/userid, mandatory claim: yes
local claim: http://wso2.org/claims/role, mandatory claim: yes
Steps:
1. In the WSO2 IS admin console, Main tab, locate the service provider I've created.
2. In "Claim Configuration", I choose "Use Local Claim Dialect".
3. In "Requested Claims" I add the claim URIs. I've added "wso2.org/claims/userid" and "wso2.org/claims/role", and both of them are marked "Mandatory Claim".
4. After saving it, I use the following to get the JWT token:
curl -u kbxx:Vyy -k -d "grant_type=password&username=youfa.mao&password=x&scope=openid" -H "Content-Type:application/x-www-form-urlencoded" xxx:yyy/oauth2/token
Only the roles are in the token. The user UUID is not found.
In WSO2 Identity Server the password grant type issues an id_token (JWT) adhering to the OIDC core specification. In order to get a user claim in the JWT you should have a mapping between WSO2 claims (http://wso2.org/claims) and OIDC claims (http://wso2.org/oidc/claim). For the role claim this mapping is already there: http://wso2.org/claims/role maps to the groups claim in the OIDC dialect.
Please follow the steps below, in addition to what you did, to get the userid claim in the id_token (JWT):
1. Add userid to the OIDC claim dialect:
   Dialect URI: http://wso2.org/oidc/claim
   Claim URI: userid
   Mapped Local Claim: http://wso2.org/claims/userid
2. From the management console UI, "OIDC Scopes", add the userid claim to the openid scope.
You need to map WSO2 claims to OIDC claims in order to achieve this. The blog (section 6, claim configuration) will help you understand how to add WSO2 claim mappings.
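The answer above ends with "check whether you get the claims in the id_token". The following is an added example, not WSO2 code or anything from the thread, that shows how to inspect an id_token safely: verify the signature and the alg header first, then decode the payload and list which expected claims (here userid and groups) are missing. To run offline it signs with HS256 and a constructed shared secret; a WSO2 IS id_token is normally RS256-signed, so against a real server verify it with the server's JWKS instead. The payloads, client id and UUID are constructed.

```python
"""Added example, not WSO2 code: build, verify and inspect a compact JWT so
you can confirm which claims actually made it into the id_token. HS256 with
a constructed secret is used only so the example runs offline; a real
WSO2 IS id_token is RS256-signed and should be verified against the
server's JWKS."""

import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # constructed for the example, not a real key


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(payload: dict, secret: bytes) -> str:
    """Produce header.payload.signature with an HS256 signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    segments = [b64url_encode(json.dumps(part, separators=(",", ":")).encode())
                for part in (header, payload)]
    signing_input = ".".join(segments)
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def signature_is_valid(token: str, secret: bytes) -> bool:
    """Check the alg header and the HMAC before trusting anything in the payload."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":   # refuse 'none' or any unexpected algorithm
        return False
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def verify_and_decode(token: str, secret: bytes) -> dict:
    """Return the payload only after the signature has been verified."""
    if not signature_is_valid(token, secret):
        raise ValueError("id_token signature check failed")
    return json.loads(b64url_decode(token.split(".")[1]))


def missing_claims(payload: dict, required) -> list:
    """Names from `required` that are absent from the token payload."""
    return [name for name in required if name not in payload]


# Constructed payloads. BEFORE mirrors what the question reports: groups is
# present, userid is absent because no OIDC dialect mapping exists yet.
BEFORE_MAPPING = {
    "sub": "youfa.mao",
    "iss": "https://localhost:9443/oauth2/token",
    "aud": "constructed-client-id",
    "groups": ["Internal/everyone"],
}
AFTER_MAPPING = {**BEFORE_MAPPING, "userid": "00000000-0000-4000-8000-000000000000"}  # constructed UUID


def check(payload: dict) -> list:
    """Round-trip a payload through a signed token and report missing claims."""
    token = make_token(payload, SECRET)
    return missing_claims(verify_and_decode(token, SECRET), ["userid", "groups"])


if __name__ == "__main__":
    print("before mapping, missing:", check(BEFORE_MAPPING))  # ['userid']
    print("after mapping, missing:", check(AFTER_MAPPING))    # []
```

The design point is the order of operations: the alg header is checked against the single algorithm you expect and the HMAC is compared in constant time before any claim is read, so a token with a forged payload or an "alg":"none" header never reaches the claim check.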

WSO2 Claims for First name

In the WSO2 IS admin console, we are trying to set the user claims for a service provider under 'Claim Configuration'.
We selected the claim mapping dialect 'Define Custom Claim Dialect' and added the local claims:
http://wso2.org/claims/givenname
http://wso2.org/claims/lastname
http://wso2.org/claims/emailaddress
But when we perform a curl against /oauth2/userinfo, it only gives us the last name and email. The first name is not returned.
Returned user info:
{"sub":"abc@carbon.super","family_name":"abcFN","email":"abc@abc.com"}
Any pointers on the issue would be helpful.
There is actually an error in the mapping of the given name attribute between the OIDC claim and the WSO2 claim:
In the management console, go to Home > Identity > Claims > List > claim.view
Click on http://wso2.org/oidc/claim in the Available Claims Dialect list
Change the mapping for given_name to Mapped Local Claim: http://wso2.org/claims/givenname
In order to get the first name through the userinfo endpoint, you should have an OIDC claim mapping with http://wso2.org/claims/givenname.
Could you please check whether your given_name claim under the OIDC dialect has a mapping to http://wso2.org/claims/givenname?
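Three of the threads on this page fail at a different link of the same chain: the first one because "Supported by Default" is not ticked on the local claim, the "revisited" one because the OIDC claim is not listed under the openid scope, and this last one because given_name is mapped to the wrong local claim. The following is an added example, not WSO2 code or anything posted in the threads, that models that chain as a small resolver: for each local claim the SP requests, it checks the four conditions the answers name (supported by default, mapped in http://wso2.org/oidc/claim, listed under the openid scope, present in the user's profile) and reports the first one that fails. All configuration and profile values are constructed, and the rules are a simplification assumed for explanation, not a reproduction of the WSO2 IS claim handler.

```python
"""Added example, not WSO2 code: a model of the chain a local claim has to
pass through before it shows up in the userinfo response. Configuration
and profile values are constructed; the filtering rules are an assumption
that simplifies what WSO2 IS does."""

# Local claims and whether "Supported by Default" is ticked (assumed values).
LOCAL_CLAIMS_SUPPORTED_BY_DEFAULT = {
    "http://wso2.org/claims/givenname": True,
    "http://wso2.org/claims/lastname": True,
    "http://wso2.org/claims/emailaddress": True,
    "http://wso2.org/claims/role": False,   # the missing tick from the first thread
}

# Claims requested by the service provider, in the local dialect.
SP_REQUESTED_LOCAL_CLAIMS = set(LOCAL_CLAIMS_SUPPORTED_BY_DEFAULT)

# http://wso2.org/oidc/claim dialect: OIDC claim -> mapped local claim.
# given_name is mis-mapped on purpose, as in the last thread.
OIDC_DIALECT = {
    "given_name": "http://wso2.org/claims/fullname",
    "family_name": "http://wso2.org/claims/lastname",
    "email": "http://wso2.org/claims/emailaddress",
    "groups": "http://wso2.org/claims/role",
}

# Claims listed under the openid scope (Manage > OIDC Scopes); groups is absent.
OPENID_SCOPE_CLAIMS = {"sub", "given_name", "family_name", "email"}

# Constructed user profile.
USER_PROFILE = {
    "http://wso2.org/claims/givenname": "Alice",
    "http://wso2.org/claims/lastname": "Example",
    "http://wso2.org/claims/emailaddress": "alice@example.com",
    "http://wso2.org/claims/role": "Internal/everyone,admin",
}


def resolve_userinfo_claims(sp_claims, supported, oidc_dialect, scope_claims, profile):
    """Return (returned_claims, diagnostics). A local claim reaches the
    response only if it is supported by default, has an OIDC dialect
    mapping, that OIDC claim is in the openid scope, and the user has a
    value for it; otherwise diagnostics names the first failing link."""
    local_to_oidc = {local: oidc for oidc, local in oidc_dialect.items()}
    returned, diagnostics = {}, {}
    for local in sorted(sp_claims):
        oidc_name = local_to_oidc.get(local)
        if not supported.get(local, False):
            diagnostics[local] = "'Supported by Default' is not ticked on the local claim"
        elif oidc_name is None:
            diagnostics[local] = "no claim in http://wso2.org/oidc/claim maps to this local claim"
        elif oidc_name not in scope_claims:
            diagnostics[local] = f"'{oidc_name}' is not listed under the openid scope"
        elif local not in profile:
            diagnostics[local] = "the user's profile has no value for this claim"
        else:
            returned[oidc_name] = profile[local]
    return returned, diagnostics


def corrected_configuration():
    """The three fixes the answers describe: tick Supported by Default on the
    role claim, point given_name at givenname, add groups to the openid scope."""
    supported = {**LOCAL_CLAIMS_SUPPORTED_BY_DEFAULT, "http://wso2.org/claims/role": True}
    dialect = {**OIDC_DIALECT, "given_name": "http://wso2.org/claims/givenname"}
    scope = OPENID_SCOPE_CLAIMS | {"groups"}
    return supported, dialect, scope


def diagnose(fixed=False):
    """Resolve the constructed SP against the broken or the corrected setup."""
    if fixed:
        supported, dialect, scope = corrected_configuration()
    else:
        supported, dialect, scope = (LOCAL_CLAIMS_SUPPORTED_BY_DEFAULT, OIDC_DIALECT,
                                     OPENID_SCOPE_CLAIMS)
    return resolve_userinfo_claims(SP_REQUESTED_LOCAL_CLAIMS, supported, dialect, scope,
                                   USER_PROFILE)


if __name__ == "__main__":
    for fixed in (False, True):
        returned, diagnostics = diagnose(fixed)
        print("corrected" if fixed else "as configured", returned)
        for claim, why in diagnostics.items():
            print("  missing", claim, "->", why)
```

Run as configured, the resolver returns only family_name and email, which is exactly the shape of the userinfo responses quoted in the first and last threads, and the diagnostics point at the role claim's missing tick and the given_name mapping; with the corrected configuration all four claims come back. When debugging a real server, walk the same four checks in the management console in this order, because each later check is invisible until the earlier one passes.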