<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class="">Dear MitreID Connect authors,</div><div class=""><br class=""></div><div class="">I'm experimenting with MitreId OpenID Connect v 1.2.6. I'm trying to retrieve the 'openid email profile' claim sets in the authorization implicit grant flow. I'm finding that the resulting id_token in the response does not include the email or profile claims, just a minimal "sub" claim + oauth2. I've run the server in TRACE debug mode to verify what's happening. As far as I can tell, the email address for the built-in test user should be returned. The authorization UI asks me to confirm the basic id information, email and profile info, which I did. I'm sure that the server is seeing the email and profile scopes.</div><div class=""><br class=""></div><div class="">Can you tell me what I'm doing wrong:</div><div class=""><br class=""></div><div class="">My web client invokes the authorize endpoint as:</div><div class=""><br class=""></div><blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;" class=""><div class=""><a href="http://jasonw.bearriver.com:8080/uma-server-webapp/authorize?response_type=token%20id_token&amp;client_id=f34eabb6-0dea-4793-89c6-30ad65f1d742&amp;scope=" class="">http://jasonw.bearriver.com:8080/uma-server-webapp/authorize?response_type=token%20id_token&amp;client_id=f34eabb6-0dea-4793-89c6-30ad65f1d742&amp;scope=</a><b class="">openid%20email%20profile</b>&amp;redirect_uri=http://localhost/callback&amp;state=453563fe-7e2e-4e74-a6ca-266c384bbccc</div></blockquote><div class=""><br class=""></div><div class="">What follows are snippets from the UMA Server logs....</div><div class=""><br class=""></div><div class="">You can see that the scope "openid email profile" is passed in the URL:</div><div class=""><br class=""></div><blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;" class=""><div class="">DEBUG: org.mitre.openid.connect.web.AuthenticationTimeStamper - Redirecting to DefaultSavedRequest Url: <a href="http://jasonw.bearriver.com:8080/uma-server-webapp/authorize?response_type=token%20id_token&amp;client_id=f34eabb6-0dea-4793-89c6-30ad65f1d742&amp;" class="">http://jasonw.bearriver.com:8080/uma-server-webapp/authorize?response_type=token%20id_token&amp;client_id=f34eabb6-0dea-4793-89c6-30ad65f1d742&amp;</a><b class="">scope=openid%20email%20profile</b>&amp;redirect_uri=<a href="http://localhost/callback&amp;state=453563fe-7e2e-4e74-a6ca-266c384bbccc" class="">http://localhost/callback&amp;state=453563fe-7e2e-4e74-a6ca-266c384bbccc</a></div></blockquote><div class=""><br class=""></div><div class="">Here you can see that the email address is being processed:</div><div class=""><br class=""></div><blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;" class=""><div class=""><div class="">TRACE: org.springframework.web.servlet.view.JstlView - Rendering view with name 'approve' with model {authorizationRequest=org.springframework.security.oauth2.provider.AuthorizationRequest@187eb553, org.springframework.validation.BindingResult.authorizationRequest=org.springframework.validation.BeanPropertyBindingResult: 0 errors, auth_request=org.springframework.security.oauth2.provider.AuthorizationRequest@187eb553, client=org.mitre.oauth2.model.ClientDetailsEntity@70a044c3, redirect_uri=<a href="http://localhost/callback" class="">http://localhost/callback</a>, scopes=[SystemScope [id=1, value=openid, description=log in using your identity, icon=user, defaultScope=true, restricted=false, structured=false, structuredParamDescription=null, structuredValue=null], SystemScope [id=2, value=profile, description=basic profile information, icon=list-alt, defaultScope=true, 
restricted=false, structured=false, structuredParamDescription=null, structuredValue=null], SystemScope [id=3, value=email, description=email address, icon=envelope, defaultScope=true, restricted=false, structured=false, structuredParamDescription=null, structuredValue=null]], <b class="">claims={openid={sub=01921.FLANRJQW}, profile={name=Demo User, preferred_username=user}, email={email_verified=true, <a href="mailto:email=user@example.com" class="">email=user@example.com</a>}}</b>, count=0, <a href="mailto:contacts=admin@example.com" class="">contacts=admin@example.com</a>, gras=false, org.springframework.validation.BindingResult.auth_request=org.springframework.validation.BeanPropertyBindingResult: 0 errors, org.springframework.validation.BindingResult.client=org.springframework.validation.BeanPropertyBindingResult: 0 errors} and static attributes {}</div></div></blockquote><div class=""><br class=""></div><blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;" class=""><div class=""><div class="">TRACE: org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod - Invoking [AuthorizationEndpoint.approveOrDeny] method with arguments [{<b class="">scope_openid=openid, scope_profile=profile, scope_email=email</b>, remember=none, user_oauth_approval=true, authorize=Authorize}, {authorizationRequest=org.springframework.security.oauth2.provider.AuthorizationRequest@187eb553}, org.springframework.web.bind.support.SimpleSessionStatus@4e2834c9, org.springframework.security.authentication.UsernamePasswordAuthenticationToken@442be9fb: Principal: org.springframework.security.core.userdetails.User@36ebcb: Username: user; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 192.168.0.111; SessionId: 
07D41D9C8A0B9BAC78F1BC2CE3CB2714; Granted Authorities: ROLE_USER]</div></div></blockquote><div class=""><br class=""></div><div class="">Finally, the id_token in the response to the redirect callback is (after confirming access to the information in the UI):</div><div class=""><br class=""></div><blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;" class=""><div class=""><div class="">TRACE: org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod - Method [approveOrDeny] returned [org.springframework.web.servlet.view.RedirectView: unnamed; URL [<a href="http://localhost/callback#access_token=eyJraWQiOiJyc2ExIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJ1c2VyIiwiYXpwIjoiZjM0ZWFiYjYtMGRlYS00NzkzLTg5YzYtMzBhZDY1ZjFkNzQyIiwiaXNzIjoiaHR0cDpcL1wvamFzb253LmJlYXJyaXZlci5jb206ODA4MFwvdW1hLXNlcnZlci13ZWJhcHBcLyIsImV4cCI6MTQ4NDc5MTUwNiwiaWF0IjoxNDg0Nzg3OTA2LCJqdGkiOiI4ODlkZGIxZS00N2U1LTQ0OTEtODhmZC1jNjdlNjE2ZjM5NWEifQ.qtx4cSY6G8KzEauKBIItGICE3Su47fh7gnFSVy3KfKkGmOC18XKU52Zk5tO1Ld_350WYklBFHp2lkwqDR-J7tykGoubO_Yn7s-2DrTj05jVa9MW6-zEixWtw_ee7cwBt0x7kC8HELgjQgfSX1dPY58lV_SqzhFsg8SAGidYkMZof2xXkk-Xss4yaRjpk2SxUcfMFFX3NWnSB4MpKTApJKEuDFeNo3UgKq26JrrD1l6eqABwuHfMgS_bLSTJjliXuegwvGicQbxw258u8q0_TVBmr7LV1OOtuwWJG2r9-A7T64vJ31lLAJuJLeYj-ugwBBqAY0fRN6n78E3p-oh2YwA&amp;token_type=Bearer&amp;state=453563fe-7e2e-4e74-a6ca-266c384bbccc&amp;expires_in=3599&amp;" 
class="">http://localhost/callback#access_token=eyJraWQiOiJyc2ExIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJ1c2VyIiwiYXpwIjoiZjM0ZWFiYjYtMGRlYS00NzkzLTg5YzYtMzBhZDY1ZjFkNzQyIiwiaXNzIjoiaHR0cDpcL1wvamFzb253LmJlYXJyaXZlci5jb206ODA4MFwvdW1hLXNlcnZlci13ZWJhcHBcLyIsImV4cCI6MTQ4NDc5MTUwNiwiaWF0IjoxNDg0Nzg3OTA2LCJqdGkiOiI4ODlkZGIxZS00N2U1LTQ0OTEtODhmZC1jNjdlNjE2ZjM5NWEifQ.qtx4cSY6G8KzEauKBIItGICE3Su47fh7gnFSVy3KfKkGmOC18XKU52Zk5tO1Ld_350WYklBFHp2lkwqDR-J7tykGoubO_Yn7s-2DrTj05jVa9MW6-zEixWtw_ee7cwBt0x7kC8HELgjQgfSX1dPY58lV_SqzhFsg8SAGidYkMZof2xXkk-Xss4yaRjpk2SxUcfMFFX3NWnSB4MpKTApJKEuDFeNo3UgKq26JrrD1l6eqABwuHfMgS_bLSTJjliXuegwvGicQbxw258u8q0_TVBmr7LV1OOtuwWJG2r9-A7T64vJ31lLAJuJLeYj-ugwBBqAY0fRN6n78E3p-oh2YwA&amp;token_type=Bearer&amp;state=453563fe-7e2e-4e74-a6ca-266c384bbccc&amp;expires_in=3599&amp;</a><b class="">id_token=eyJraWQiOiJyc2ExIiwiYWxnIjoiUlMyNTYifQ.eyJhdF9oYXNoIjoiR2lITzdGLWpNTjVCeDR0ZFRRTzUwUSIsInN1YiI6IjAxOTIxLkZMQU5SSlFXIiwiYXVkIjoiZjM0ZWFiYjYtMGRlYS00NzkzLTg5YzYtMzBhZDY1ZjFkNzQyIiwiYXV0aF90aW1lIjoxNDg0Nzg3ODk2LCJraWQiOiJyc2ExIiwiaXNzIjoiaHR0cDpcL1wvamFzb253LmJlYXJyaXZlci5jb206ODA4MFwvdW1hLXNlcnZlci13ZWJhcHBcLyIsImV4cCI6MTQ4NDc4ODUwNiwiaWF0IjoxNDg0Nzg3OTA2LCJqdGkiOiI4MzYxN2ZmYi03MTU5LTQ3YzUtOGM1YS1kYWY0ZWQyYmQwMjMifQ.dYjrDRFroldKe9uNnA0xhi3L6ugvULkAtG7X2kllW5Zscl7165N_ezBRpuDt187WzCo1UOtlj7iL3TWEX0vV7-UEJgbSjMe9HThLD4FR9Y2QPVoUnCLZAzgiJkm_toE62hPXrWmgxn8W58BvxoAU6SVduA-jCXK-b7Gqrh-hy95YhwZFNU0sKY_XWeEfWYbLvEtDULfFpxFbVxsgJ-5kUx7JH-YNqk4hq6bS3_cqJZ4akrkhrAt2We8m1nnJtPm7_XFtFqsXtVuvgR2kUy7iW9bVetpqqbC4NGhvDY9-lILy8wQReXPecP2OQqX-VioAZiaXNNgc56r4SjGFQZMODg</b>]]</div></div></blockquote><div class=""><br class=""></div><div class=""><br class=""></div><div class="">The id_token decodes to:</div><div class=""><br class=""></div><blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;" class=""><div class=""><div class="">{</div><div class="">&nbsp; "at_hash": "GiHO7F-jMN5Bx4tdTQO50Q",</div><div class="">&nbsp; "sub": "01921.FLANRJQW",</div><div class="">&nbsp; 
"aud": "f34eabb6-0dea-4793-89c6-30ad65f1d742",</div><div class="">&nbsp; "auth_time": 1484787896,</div><div class="">&nbsp; "kid": "rsa1",</div><div class="">&nbsp; "iss": "<a href="http://jasonw.bearriver.com:8080/uma-server-webapp/" class="">http://jasonw.bearriver.com:8080/uma-server-webapp/</a>",</div><div class="">&nbsp; "exp": 1484788506,</div><div class="">&nbsp; "iat": 1484787906,</div><div class="">&nbsp; "jti": "83617ffb-7159-47c5-8c5a-daf4ed2bd023"</div><div class="">}</div></div><div class=""><br class=""></div></blockquote>I'd expect to have seen email {email, email_verified} and profile {preferred_username, name} claims for 'Demo User', as created by the default installation:<div class=""><br class=""></div><blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;" class=""><div class=""><div class="">-- By default, the username column here has to match the username column in the users table, above</div></div><div class=""><div class="">INSERT INTO user_info_TEMP (sub, preferred_username, name, email, email_verified) VALUES</div></div><div class=""><div class="">&nbsp; ('90342.ASDFJWFA','admin','Demo Admin','<a href="mailto:admin@example.com" class="">admin@example.com</a>', true),</div></div><div class=""><div class="">&nbsp; <b class="">('01921.FLANRJQW','user','Demo User','<a href="mailto:user@example.com" class="">user@example.com</a>', true);</b></div></div></blockquote><div class=""><br class=""></div><div class="">I'm able to get the info from the userinfo endpoint using the Bearer token. But I want the info in the id_token. That should be possible?</div><div class=""><br class=""></div><div class="">After hours of debugging the server code &amp; Googling, I'm throwing in the towel. 
Put me out of my misery :-( What am I missing?</div><div class=""><br class=""></div><div class="">Thanks</div><div class="">Jason</div></body></html>
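As an added example (not part of Jason's post or of the MitreID Connect code base), the Python below takes the access_token and id_token from the redirect URL in the log above, decodes the id_token payload, reports which claims of the requested scopes it does not carry, and checks that its at_hash binds it to that access_token, which is the check a client must make whenever an access token is issued alongside an id_token. The scope-to-claims mapping is the one shown on the consent-screen log line in the post; JWS signature validation against the server's JWKS is assumed to have happened before any of this, since the decoder here does not verify signatures.

```python
import base64
import hashlib
import json

# Tokens copied verbatim from the redirect URL in the TRACE log line above.
ACCESS_TOKEN = "eyJraWQiOiJyc2ExIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJ1c2VyIiwiYXpwIjoiZjM0ZWFiYjYtMGRlYS00NzkzLTg5YzYtMzBhZDY1ZjFkNzQyIiwiaXNzIjoiaHR0cDpcL1wvamFzb253LmJlYXJyaXZlci5jb206ODA4MFwvdW1hLXNlcnZlci13ZWJhcHBcLyIsImV4cCI6MTQ4NDc5MTUwNiwiaWF0IjoxNDg0Nzg3OTA2LCJqdGkiOiI4ODlkZGIxZS00N2U1LTQ0OTEtODhmZC1jNjdlNjE2ZjM5NWEifQ.qtx4cSY6G8KzEauKBIItGICE3Su47fh7gnFSVy3KfKkGmOC18XKU52Zk5tO1Ld_350WYklBFHp2lkwqDR-J7tykGoubO_Yn7s-2DrTj05jVa9MW6-zEixWtw_ee7cwBt0x7kC8HELgjQgfSX1dPY58lV_SqzhFsg8SAGidYkMZof2xXkk-Xss4yaRjpk2SxUcfMFFX3NWnSB4MpKTApJKEuDFeNo3UgKq26JrrD1l6eqABwuHfMgS_bLSTJjliXuegwvGicQbxw258u8q0_TVBmr7LV1OOtuwWJG2r9-A7T64vJ31lLAJuJLeYj-ugwBBqAY0fRN6n78E3p-oh2YwA"
ID_TOKEN = "eyJraWQiOiJyc2ExIiwiYWxnIjoiUlMyNTYifQ.eyJhdF9oYXNoIjoiR2lITzdGLWpNTjVCeDR0ZFRRTzUwUSIsInN1YiI6IjAxOTIxLkZMQU5SSlFXIiwiYXVkIjoiZjM0ZWFiYjYtMGRlYS00NzkzLTg5YzYtMzBhZDY1ZjFkNzQyIiwiYXV0aF90aW1lIjoxNDg0Nzg3ODk2LCJraWQiOiJyc2ExIiwiaXNzIjoiaHR0cDpcL1wvamFzb253LmJlYXJyaXZlci5jb206ODA4MFwvdW1hLXNlcnZlci13ZWJhcHBcLyIsImV4cCI6MTQ4NDc4ODUwNiwiaWF0IjoxNDg0Nzg3OTA2LCJqdGkiOiI4MzYxN2ZmYi03MTU5LTQ3YzUtOGM1YS1kYWY0ZWQyYmQwMjMifQ.dYjrDRFroldKe9uNnA0xhi3L6ugvULkAtG7X2kllW5Zscl7165N_ezBRpuDt187WzCo1UOtlj7iL3TWEX0vV7-UEJgbSjMe9HThLD4FR9Y2QPVoUnCLZAzgiJkm_toE62hPXrWmgxn8W58BvxoAU6SVduA-jCXK-b7Gqrh-hy95YhwZFNU0sKY_XWeEfWYbLvEtDULfFpxFbVxsgJ-5kUx7JH-YNqk4hq6bS3_cqJZ4akrkhrAt2We8m1nnJtPm7_XFtFqsXtVuvgR2kUy7iW9bVetpqqbC4NGhvDY9-lILy8wQReXPecP2OQqX-VioAZiaXNNgc56r4SjGFQZMODg"

# Scope-to-claims mapping exactly as the consent-screen log line in the post
# shows it (a subset of the OIDC Core standard claims for these scopes).
SCOPE_CLAIMS = {
    "openid": {"sub"},
    "profile": {"name", "preferred_username"},
    "email": {"email", "email_verified"},
}

def b64url_decode(segment: str) -> bytes:
    """JOSE base64url carries no padding, so restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwt_payload(token: str) -> dict:
    """Decode the payload segment only. This does NOT validate the JWS;
    a real client verifies the signature against the issuer's JWKS first."""
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))

def expected_at_hash(access_token: str) -> str:
    """at_hash for an RS256 id_token per OIDC Core: base64url of the
    left-most 128 bits of SHA-256 over the ASCII access_token."""
    digest = hashlib.sha256(access_token.encode("ascii")).digest()
    return b64url_encode(digest[:16])

def at_hash_matches(id_token: str, access_token: str) -> bool:
    """True when the id_token's at_hash binds it to this access_token."""
    return jwt_payload(id_token).get("at_hash") == expected_at_hash(access_token)

def missing_claims(id_token: str, scopes: str) -> set:
    """Claims covered by the requested scopes that the id_token does not carry."""
    wanted = set().union(*(SCOPE_CLAIMS.get(s, set()) for s in scopes.split()))
    return wanted - set(jwt_payload(id_token))

if __name__ == "__main__":
    print("sub:", jwt_payload(ID_TOKEN)["sub"])
    print("at_hash binds access_token:", at_hash_matches(ID_TOKEN, ACCESS_TOKEN))
    print("claims not in id_token:", sorted(missing_claims(ID_TOKEN, "openid email profile")))
```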