WSO2 IS 5.0.0 userinfo endpoint ignoring its dialect configuration - wso2-identity-server

After performing the authentication against the WSO2 IS 5.0.0 and negotiating the access token, I perform a call to the userinfo endpoint:
https://:9443/oauth2/userinfo?schema=openid
It answers correctly with a JWT, but it always uses the dialect http://wso2.org/oidc/claim, even if another dialect is configured in the identity.xml (for example http://wso2.org/claims).
It seems like the userinfo endpoint ignores the dialect configuration. Has anybody else faced this problem?
Is it a bug or am I missing something?

I think this is not a bug, because by default the OpenID claim dialect returns userinfo (OIDC) according to the OpenID specification. WSO2 uses the default claim dialect to retrieve userinfo as the WSO2 claim dialect. But this WSO2 claim dialect should be mapped with the OpenID claim dialect (http://wso2.org/oidc/claim).
If you want to retrieve userinfo in addition to the default info, you need to map "http://wso2.org/claims" attributes with "http://wso2.org/oidc/claim". Otherwise it returns only the default mapped properties ("phone_number", "email", "family_name" and "country").
The steps below retrieve "mobile" as a claim even though it is not configured by default:
Go to "Claim Management" under the "Configure" tab.
Then click "http://wso2.org/oidc/claim" and check whether the "Mobile" claim is available or not.
If it is not available, you need to add a new claim mapping.
If the "Mobile" claim already exists, you need to check whether its mapped attribute is equal to the mapped attribute of "http://wso2.org/claims/mobile".
(Note: the mapped attribute of the http://wso2.org/oidc/claim claim should be equal to the attribute of the corresponding http://wso2.org/claims claim.)
In this way you can map particular "http://wso2.org/claims" claims with "http://wso2.org/oidc/claim" claims.

Related

WSO2 IS Custom claim dialect not passed to the Service Provider

I'm using WSO2 Identity Server version 5.10
I'm facing a strange behaviour. I configured some external IdPs (SAML2 based)
I configured claims returned by these IdPs with WSO2IS local claims. For example, let's suppose that my external IdP returns these SAML attribute names: a, b and c. I configured the claims in this way:

External IdP Claim configuration

Identity Provider Claim URI    Local Claim URI
a                              http://wso2.org/address
b                              http://wso2.org/givenname
c                              http://wso2.org/lastname

Then I defined a custom claim dialect in this way; let's call it custom_claim_dialect. I defined my claim mapping in it in this way:

Custom claim dialect

Dialect URI             Claim URI    Mapped Local Claim
custom_claim_dialect    a            http://wso2.org/address
custom_claim_dialect    b            http://wso2.org/givenname
custom_claim_dialect    c            http://wso2.org/lastname
Then I defined a Service Provider (Inbound configuration: SAML2 Web SSO) and I configured it to use these external IdPs.
In my Service Provider I configured my claims by adding the custom dialect, specifying it in Service Provider Claim Dialect.
Then I tried to access the Service Provider. All worked pretty well, but only the first time.
WSO2IS asks me for consent for the claims and I can land on my authenticated page.
When I close the browser and clear cookies and I try the access again, all works well (no consent request is shown by WSO2IS), but when I land on my private page no attribute is contained in the SAML Response.
If I configure my Service Provider with WSO2IS local claims, all works well.
Is this correct? Am I missing anything?
Thank you
Angelo
UPDATE
I'm pretty sure it's a kind of bug.
I debugged till the class org.wso2.carbon.identity.application.authentication.framework.handler.claims.impl.DefaultClaimHandler
The org.wso2.carbon.identity.application.authentication.framework.handler.claims.impl.DefaultClaimHandler.handleClaimMappings(StepConfig, AuthenticationContext, Map<String, String>, boolean) method returns the correct claims Map. In fact I printed the following log:
INFO {org.wso2.carbon.identity.application.authentication.framework.handler.claims.impl.DefaultClaimHandler} - Returning filtered claims {familyName=Surname, name=Example, dateOfBirth=1980-01-01, spidCode=ABCD123456789A, fiscalNumber=TINIT-SRNXPL80A41A662G, MultiAttributeSeparator=,} to SP mySP
At some point during the process WSO2 IS decides that this Map must not be used.
Any tip?
UPDATE 2
This picture shows how I configure my SP claims. As you can see I'm using a defined custom claim. When I define a custom claim, I can't make claims mandatory.
Did you try making these claims mandatory on the IS SP side? Making claims mandatory will ensure that you always receive the claim for the applications.
If caching is the problem then you can try to JIT provision the user [1]. This way we can save the claims from the FIDP on the IS side. "Provision silently" is an easy option to check.
[1] https://is.docs.wso2.com/en/latest/learn/configuring-just-in-time-provisioning-for-an-identity-provider/

WSO2 5.9 userinfo endpoint for OIDC

I try to use https://myidentity/oauth2/userinfo to extract information about the logged-in user, but it only returns one field:
{
"sub": "username"
}
I have completely mapped the fields from http://wso2.org/claims/photo to http://wso2.org/claims/oidc/photo.
What can I do?
Since the claims that you are requesting are on the local claim dialect, you can use the local claim dialect for requesting claims. Please refer to the official documentation for more information [1].
[1] https://is.docs.wso2.com/en/5.9.0/learn/configuring-claims-for-a-service-provider/

WSO2 Claims for First name

In WSO2 IS admin console, we are trying to set the user claims for a service provider under 'Claim Configuration'.
We selected the Claim mapping Dialect as 'Define Custom Claim Dialect' and added local claims as:
http://wso2.org/claims/givenname
http://wso2.org/claims/lastname
http://wso2.org/claims/emailaddress
But when we perform a curl against /oauth2/userinfo, it just gives us the last name and email; the first name is not being returned.
Returned User Info:
{"sub":"abc#carbon.super","family_name":"abcFN","email":"abc#abc.com"}
Any pointers for the issue will be helpful.
There is actually an error in the mapping of the given name attribute between the OIDC claim and the WSO2 claim:
In the management console, go to Home > Identity > Claims > List > claim.view
Click on http://wso2.org/oidc/claim in the Available Claims Dialect list
Change the mapping for given_name to Mapped Local Claim: http://wso2.org/claims/givenname
In order to get the first name through the userinfo endpoint, you should have an OIDC claim mapping with http://wso2.org/claims/givenname.
Could you please check whether your given_name claim under the OIDC dialect has a mapping with http://wso2.org/claims/givenname.

Mandatory service provider claims always asked and not returned in openid profile

I have added a local custom claim namely http://wso2.org/claims/fg_imprenditore to http://wso2.org/claims dialect and mapped it on a custom primary user store attribute (JDBC user store).
The custom claim appears in the user profile and I can set/update the value correctly.
I have defined a new service provider and added the custom claim in Claim Configuration -> Use Local Claim Dialect.
In addition I have edited /_system/config/oidc and modified the openid property to include the new claim as follows: sub,...,street,http://wso2.org/claims/fg_imprenditore
Now the issues.
I ask a JWT Token from a javascript client with the following request:
http://**********/?response_type=id_token&client_id=" + "f8SatEWpyi1qvPLVspsDfTbefm0a" + "&scope=openid&redirect_uri=http://localhost:3000/oauth_callback.html&nonce=" + nonce
After login the WSO2 IS server prompts the following message (even if the attribute is already present in the profile): You are trying to login to **** application, but it needs following information filled in the user profile. You can fill those below and proceed with the authentication. But it is advised to fill these information in your Identity Provider profile in order to avoid this step every time you login.
If I fill the field (correctly) labeled "http://wso2.org/claims/fg_imprenditore" I can proceed. In any case the claim is not returned in the JWT Token.
In addition, if I go to the user profile the attribute is set correctly (with the new value!), but if I try to authenticate again I need to fill in the attribute again.
Many thanks for the support.
If you don't mark the claim as mandatory on your Service Provider it shouldn't request it when you try to log in. Also, in order for the JWT to contain your custom claim you need to map the custom claim to a new custom claim under the OAuth dialect, and then map the new OAuth claim under the OIDC scope you use. It took me a while to get it too, as there isn't sufficient documentation describing these steps. Hope this solves your issue.
This happens because the "http://wso2.org/claims/fg_imprenditore" claim is not mapped to any OIDC claim in WSO2 IS. Do the following to get rid of the issue.
Go to List under Claims in the IS Management Console Main tab.
Click on http://wso2.org/oidc/claim
Add a new claim with the name fg_imprenditore in the OIDC claim dialect. You will see a drop down to select "Mapped Local Claim". Map it to http://wso2.org/claims/fg_imprenditore. (Check the "Add External Claim" section in this)
Save the new OIDC claim and try again.
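The three answers above (mapping "mobile" in the first thread, the wrong given_name mapping in "WSO2 Claims for First name", and the unmapped fg_imprenditore claim here) all describe the same rule: the userinfo endpoint emits a requested local claim only when an external claim in http://wso2.org/oidc/claim is mapped to it (and, where scopes are configured, when that external claim belongs to the requested scope). The following is an added Python model of that rule, written here for illustration; it is not WSO2 Identity Server code, and the mapping table, requested claims and user profile are constructed sample data. It reproduces the "only last name and email come back" symptom, diagnoses which requested local claims lack a mapping, and shows the result after adding the missing mappings.

```python
"""Simplified model of how WSO2 IS resolves an external claim dialect
(http://wso2.org/oidc/claim) against local claims for a userinfo response.

Added illustration, not WSO2 Identity Server code. All URIs below follow the
naming used in the threads above; the sample values are constructed."""

LOCAL_DIALECT = "http://wso2.org/claims"
OIDC_DIALECT = "http://wso2.org/oidc/claim"

# Constructed: external (OIDC) claim name -> mapped local claim URI, as set under
# Claims > List > http://wso2.org/oidc/claim in the management console.
# 'given_name' is deliberately mapped to the wrong local claim to reproduce the
# "first name missing from userinfo" symptom.
OIDC_MAPPINGS = {
    "sub": f"{LOCAL_DIALECT}/username",
    "given_name": f"{LOCAL_DIALECT}/fullname",  # wrong: should be /givenname
    "family_name": f"{LOCAL_DIALECT}/lastname",
    "email": f"{LOCAL_DIALECT}/emailaddress",
}

# Constructed: local claims the service provider requests (Use Local Claim Dialect).
SP_REQUESTED_CLAIMS = [
    f"{LOCAL_DIALECT}/givenname",
    f"{LOCAL_DIALECT}/lastname",
    f"{LOCAL_DIALECT}/emailaddress",
    f"{LOCAL_DIALECT}/fg_imprenditore",  # custom local claim, no OIDC mapping yet
]

# Constructed user profile, keyed by local claim URI.
USER_PROFILE = {
    f"{LOCAL_DIALECT}/username": "abc",
    f"{LOCAL_DIALECT}/givenname": "Abc",
    f"{LOCAL_DIALECT}/lastname": "abcFN",
    f"{LOCAL_DIALECT}/emailaddress": "abc@example.com",
    f"{LOCAL_DIALECT}/fg_imprenditore": "true",
}


def build_userinfo(profile, requested_local_claims, external_mappings, scope_claims=None):
    """Return the userinfo payload. A requested local claim is emitted, under its
    external name, only if some external claim is mapped to it, the user has a
    value for it, and (when scope_claims is given) the external claim is in scope.
    If two external claims map to the same local claim, the later one wins."""
    reverse = {local: ext for ext, local in external_mappings.items()}
    payload = {"sub": profile.get(external_mappings.get("sub"), "")}
    for local_uri in requested_local_claims:
        ext_name = reverse.get(local_uri)
        if ext_name is None or local_uri not in profile:
            continue  # no external mapping or no value: silently dropped
        if scope_claims is not None and ext_name not in scope_claims:
            continue  # mapped, but not part of the requested scope
        payload[ext_name] = profile[local_uri]
    return payload


def unmapped_claims(requested_local_claims, external_mappings):
    """Diagnose which requested local claims can never appear in userinfo
    because no external claim is mapped to them."""
    mapped_locals = set(external_mappings.values())
    return [c for c in requested_local_claims if c not in mapped_locals]


def add_external_mapping(external_mappings, ext_name, local_uri):
    """Equivalent of 'Add External Claim' (or correcting 'Mapped Local Claim')
    in the console; returns a new mapping table."""
    fixed = dict(external_mappings)
    fixed[ext_name] = local_uri
    return fixed


if __name__ == "__main__":
    print("before:", build_userinfo(USER_PROFILE, SP_REQUESTED_CLAIMS, OIDC_MAPPINGS))
    print("unmapped:", unmapped_claims(SP_REQUESTED_CLAIMS, OIDC_MAPPINGS))
    fixed = add_external_mapping(OIDC_MAPPINGS, "given_name", f"{LOCAL_DIALECT}/givenname")
    fixed = add_external_mapping(fixed, "fg_imprenditore", f"{LOCAL_DIALECT}/fg_imprenditore")
    print("after:", build_userinfo(USER_PROFILE, SP_REQUESTED_CLAIMS, fixed))
```

Running unmapped_claims against the service provider's requested claims is the check to do first when a claim is missing from userinfo or from an id_token: it tells you which local claim URIs still need an entry under http://wso2.org/oidc/claim before any scope configuration matters.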

Extending the SCIM schema with wso2is 4.6.0

I am new to wso2is, and I'm trying to add the extended schema to SCIM user management as described in http://docs.wso2.org/display/IS460/Extensible+SCIM+User+Schemas+With+WSO2+Identity+Server
I was able to successfully enable the extended schema in the configuration file, do the claims mapping and even successfully create a user with extended claims, but the problem is that when I request the user information back through the /User/ or /Users endpoints, I can't find a way to have the extended attributes included in the result, which always contains only the standard SCIM schema attributes.
Any suggestions?
I think you have mapped your claims to the http://wso2.org/claims dialect. But you need to map those claims under the urn:scim:schemas:core:1.0 dialect. Once you map these under the urn:scim:schemas:core:1.0 dialect, GET requests populate the extended claims as well.
Regards,
Venura