<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:#954F72;
        text-decoration:underline;}
.MsoChpDefault
        {mso-style-type:export-only;}
@page WordSection1
        {size:612.0pt 792.0pt;
        margin:70.85pt 70.85pt 70.85pt 70.85pt;}
div.WordSection1
        {page:WordSection1;}
--></style></head><body lang=FR link=blue vlink="#954F72"><div class=WordSection1><p class=MsoNormal>Hi,</p><p class=MsoNormal>Id token does not contain claims except sub, exp, iss, etc.</p><p class=MsoNormal>One can argue <span lang=EN-US>that it is just an authentication token. Therefore, querying the user info is mandatory to get the claims.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>It should be possible technically by overriding some classes though.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Beware of the size of the tokens in the implicit flow as everything is passing by the browser.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Envoyé de mon téléphone Windows 10</p><p class=MsoNormal><o:p> </o:p></p><div style='mso-element:para-border-div;border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal style='border:none;padding:0cm'><b>De : </b><a href="mailto:jasonw@bearriver.com">Jason Winshell (Bear River)</a><br><b>Envoyé le :</b>jeudi 19 janvier 2017 02:51<br><b>À : </b><a href="mailto:jricher@mitre.org">jricher@mitre.org</a>; <a href="mailto:aanganes@mitre.org">aanganes@mitre.org</a>; <a href="mailto:mjett@mitre.org">mjett@mitre.org</a>; <a href="mailto:github.com@nemonik.com">github.com@nemonik.com</a>; <a href="mailto:mitreid-connect@mit.edu">mitreid-connect@mit.edu</a><br><b>Objet :</b>[mitreid-connect] MITREid Connect: getting email, profile claims set?</p></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Dear MitreID Connect authors,<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I'm experimenting with MitreId OpenID Connect v 1.2.6. I'm trying to retrieve the 'openid email profile' claims sets in authorization implicit grant flow. I'm finding that the resulting id_token in the response does not include the email or profile claims, just minimal a "sub" claim + oauth2. I've run the server in TRACE debug mode to verify what's happening. As far as I can tell, the email address for the built-in test user should be returned. The authorization UI asks me to confirm the basic id information, email and profile info, which I did. I'm sure that the server is seeing the email and profile scopes.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Can you tell me what I'm doing wrong:<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>My web client invokes the authorize endpoint as:<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><blockquote style='margin-left:30.0pt;margin-right:0cm'><div><p class=MsoNormal><a href="http://jasonw.bearriver.com:8080/uma-server-webapp/authorize?response_type=token%20id_token&client_id=f34eabb6-0dea-4793-89c6-30ad65f1d742&scope=">http://jasonw.bearriver.com:8080/uma-server-webapp/authorize?response_type=token%20id_token&client_id=f34eabb6-0dea-4793-89c6-30ad65f1d742&scope=</a><b>openid%20email%20profile</b>&redirect_uri=http://localhost/callback&state=453563fe-7e2e-4e74-a6ca-266c384bbccc<o:p></o:p></p></div></blockquote><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>What follows are snippets from UMA Server logs....<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>You can see that scope is "openid email profile" is passed in the URL<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><blockquote style='margin-left:30.0pt;margin-right:0cm'><div><p class=MsoNormal>DEBUG: org.mitre.openid.connect.web.AuthenticationTimeStamper - Redirecting to DefaultSavedRequest Url: <a href="http://jasonw.bearriver.com:8080/uma-server-webapp/authorize?response_type=token%20id_token&client_id=f34eabb6-0dea-4793-89c6-30ad65f1d742&">http://jasonw.bearriver.com:8080/uma-server-webapp/authorize?response_type=token%20id_token&client_id=f34eabb6-0dea-4793-89c6-30ad65f1d742&</a><b>scope=openid%20email%20profile</b>&redirect_uri=<a href="http://localhost/callback&state=453563fe-7e2e-4e74-a6ca-266c384bbccc">http://localhost/callback&state=453563fe-7e2e-4e74-a6ca-266c384bbccc</a><o:p></o:p></p></div></blockquote><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Here you can see that the email address is being processed:<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><blockquote style='margin-left:30.0pt;margin-right:0cm'><div><div><p class=MsoNormal>TRACE: org.springframework.web.servlet.view.JstlView - Rendering view with name 'approve' with model {authorizationRequest=org.springframework.security.oauth2.provider.AuthorizationRequest@187eb553, org.springframework.validation.BindingResult.authorizationRequest=org.springframework.validation.BeanPropertyBindingResult: 0 errors, auth_request=org.springframework.security.oauth2.provider.AuthorizationRequest@187eb553, client=org.mitre.oauth2.model.ClientDetailsEntity@70a044c3, redirect_uri=<a href="http://localhost/callback">http://localhost/callback</a>, scopes=[SystemScope [id=1, value=openid, description=log in using your identity, icon=user, defaultScope=true, restricted=false, structured=false, structuredParamDescription=null, structuredValue=null], SystemScope [id=2, value=profile, description=basic profile information, icon=list-alt, defaultScope=true, restricted=false, structured=false, structuredParamDescription=null, structuredValue=null], SystemScope [id=3, value=email, description=email address, icon=envelope, defaultScope=true, restricted=false, structured=false, structuredParamDescription=null, structuredValue=null]], <b>claims={openid={sub=01921.FLANRJQW}, profile={name=Demo User, preferred_username=user}, email={email_verified=true, <a href="mailto:email=user@example.com">email=user@example.com</a>}}</b>, count=0, <a href="mailto:contacts=admin@example.com">contacts=admin@example.com</a>, gras=false, org.springframework.validation.BindingResult.auth_request=org.springframework.validation.BeanPropertyBindingResult: 0 errors, org.springframework.validation.BindingResult.client=org.springframework.validation.BeanPropertyBindingResult: 0 errors} and static attributes {}<o:p></o:p></p></div></div></blockquote><div><p class=MsoNormal><o:p> </o:p></p></div><blockquote style='margin-left:30.0pt;margin-right:0cm'><div><div><p class=MsoNormal>TRACE: org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod - Invoking [AuthorizationEndpoint.approveOrDeny] method with arguments [{<b>scope_openid=openid, scope_profile=profile, scope_email=email</b>, remember=none, user_oauth_approval=true, authorize=Authorize}, {authorizationRequest=org.springframework.security.oauth2.provider.AuthorizationRequest@187eb553}, org.springframework.web.bind.support.SimpleSessionStatus@4e2834c9, org.springframework.security.authentication.UsernamePasswordAuthenticationToken@442be9fb: Principal: org.springframework.security.core.userdetails.User@36ebcb: Username: user; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 192.168.0.111; SessionId: 07D41D9C8A0B9BAC78F1BC2CE3CB2714; Granted Authorities: ROLE_USER]<o:p></o:p></p></div></div></blockquote><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Finally, the id_token in the response to the redirect call back is: (after confirming access to the information in the UI)<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><blockquote style='margin-left:30.0pt;margin-right:0cm'><div><div><p class=MsoNormal>TRACE: org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod - Method [approveOrDeny] returned [org.springframework.web.servlet.view.RedirectView: unnamed; URL [<a href="http://localhost/callback#access_token=eyJraWQiOiJyc2ExIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJ1c2VyIiwiYXpwIjoiZjM0ZWFiYjYtMGRlYS00NzkzLTg5YzYtMzBhZDY1ZjFkNzQyIiwiaXNzIjoiaHR0cDpcL1wvamFzb253LmJlYXJyaXZlci5jb206ODA4MFwvdW1hLXNlcnZlci13ZWJhcHBcLyIsImV4cCI6MTQ4NDc5MTUwNiwiaWF0IjoxNDg0Nzg3OTA2LCJqdGkiOiI4ODlkZGIxZS00N2U1LTQ0OTEtODhmZC1jNjdlNjE2ZjM5NWEifQ.qtx4cSY6G8KzEauKBIItGICE3Su47fh7gnFSVy3KfKkGmOC18XKU52Zk5tO1Ld_350WYklBFHp2lkwqDR-J7tykGoubO_Yn7s-2DrTj05jVa9MW6-zEixWtw_ee7cwBt0x7kC8HELgjQgfSX1dPY58lV_SqzhFsg8SAGidYkMZof2xXkk-Xss4yaRjpk2SxUcfMFFX3NWnSB4MpKTApJKEuDFeNo3UgKq26JrrD1l6eqABwuHfMgS_bLSTJjliXuegwvGicQbxw258u8q0_TVBmr7LV1OOtuwWJG2r9-A7T64vJ31lLAJuJLeYj-ugwBBqAY0fRN6n78E3p-oh2YwA&token_type=Bearer&state=453563fe-7e2e-4e74-a6ca-266c384bbccc&expires_in=3599&">http://localhost/callback#access_token=eyJraWQiOiJyc2ExIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJ1c2VyIiwiYXpwIjoiZjM0ZWFiYjYtMGRlYS00NzkzLTg5YzYtMzBhZDY1ZjFkNzQyIiwiaXNzIjoiaHR0cDpcL1wvamFzb253LmJlYXJyaXZlci5jb206ODA4MFwvdW1hLXNlcnZlci13ZWJhcHBcLyIsImV4cCI6MTQ4NDc5MTUwNiwiaWF0IjoxNDg0Nzg3OTA2LCJqdGkiOiI4ODlkZGIxZS00N2U1LTQ0OTEtODhmZC1jNjdlNjE2ZjM5NWEifQ.qtx4cSY6G8KzEauKBIItGICE3Su47fh7gnFSVy3KfKkGmOC18XKU52Zk5tO1Ld_350WYklBFHp2lkwqDR-J7tykGoubO_Yn7s-2DrTj05jVa9MW6-zEixWtw_ee7cwBt0x7kC8HELgjQgfSX1dPY58lV_SqzhFsg8SAGidYkMZof2xXkk-Xss4yaRjpk2SxUcfMFFX3NWnSB4MpKTApJKEuDFeNo3UgKq26JrrD1l6eqABwuHfMgS_bLSTJjliXuegwvGicQbxw258u8q0_TVBmr7LV1OOtuwWJG2r9-A7T64vJ31lLAJuJLeYj-ugwBBqAY0fRN6n78E3p-oh2YwA&token_type=Bearer&state=453563fe-7e2e-4e74-a6ca-266c384bbccc&expires_in=3599&</a><b>id_token=eyJraWQiOiJyc2ExIiwiYWxnIjoiUlMyNTYifQ.eyJhdF9oYXNoIjoiR2lITzdGLWpNTjVCeDR0ZFRRTzUwUSIsInN1YiI6IjAxOTIxLkZMQU5SSlFXIiwiYXVkIjoiZjM0ZWFiYjYtMGRlYS00NzkzLTg5YzYtMzBhZDY1ZjFkNzQyIiwiYXV0aF90aW1lIjoxNDg0Nzg3ODk2LCJraWQiOiJyc2ExIiwiaXNzIjoiaHR0cDpcL1wvamFzb253LmJlYXJyaXZlci5jb206ODA4MFwvdW1hLXNlcnZlci13ZWJhcHBcLyIsImV4cCI6MTQ4NDc4ODUwNiwiaWF0IjoxNDg0Nzg3OTA2LCJqdGkiOiI4MzYxN2ZmYi03MTU5LTQ3YzUtOGM1YS1kYWY0ZWQyYmQwMjMifQ.dYjrDRFroldKe9uNnA0xhi3L6ugvULkAtG7X2kllW5Zscl7165N_ezBRpuDt187WzCo1UOtlj7iL3TWEX0vV7-UEJgbSjMe9HThLD4FR9Y2QPVoUnCLZAzgiJkm_toE62hPXrWmgxn8W58BvxoAU6SVduA-jCXK-b7Gqrh-hy95YhwZFNU0sKY_XWeEfWYbLvEtDULfFpxFbVxsgJ-5kUx7JH-YNqk4hq6bS3_cqJZ4akrkhrAt2We8m1nnJtPm7_XFtFqsXtVuvgR2kUy7iW9bVetpqqbC4NGhvDY9-lILy8wQReXPecP2OQqX-VioAZiaXNNgc56r4SjGFQZMODg</b>]]<o:p></o:p></p></div></div></blockquote><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>The id_token decodes to:<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><blockquote style='margin-left:30.0pt;margin-right:0cm'><div><div><p class=MsoNormal>{<o:p></o:p></p></div><div><p class=MsoNormal> "at_hash": "GiHO7F-jMN5Bx4tdTQO50Q",<o:p></o:p></p></div><div><p class=MsoNormal> "sub": "01921.FLANRJQW",<o:p></o:p></p></div><div><p class=MsoNormal> "aud": "f34eabb6-0dea-4793-89c6-30ad65f1d742",<o:p></o:p></p></div><div><p class=MsoNormal> "auth_time": 1484787896,<o:p></o:p></p></div><div><p class=MsoNormal> "kid": "rsa1",<o:p></o:p></p></div><div><p class=MsoNormal> "iss": "<a href="http://jasonw.bearriver.com:8080/uma-server-webapp/">http://jasonw.bearriver.com:8080/uma-server-webapp/</a>",<o:p></o:p></p></div><div><p class=MsoNormal> "exp": 1484788506,<o:p></o:p></p></div><div><p class=MsoNormal> "iat": 1484787906,<o:p></o:p></p></div><div><p class=MsoNormal> "jti": "83617ffb-7159-47c5-8c5a-daf4ed2bd023"<o:p></o:p></p></div><div><p class=MsoNormal>}<o:p></o:p></p></div></div><div><p class=MsoNormal><o:p> </o:p></p></div></blockquote><p class=MsoNormal>I'd expect to have seen an email {email, email_verified} and profile {preferred_username, name} for 'Demo User', as created by the default installation.<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><blockquote style='margin-left:30.0pt;margin-right:0cm'><div><div><p class=MsoNormal>-- By default, the username column here has to match the username column in the users table, above<o:p></o:p></p></div></div><div><div><p class=MsoNormal>INSERT INTO user_info_TEMP (sub, preferred_username, name, email, email_verified) VALUES<o:p></o:p></p></div></div><div><div><p class=MsoNormal> ('90342.ASDFJWFA','admin','Demo Admin','<a href="mailto:admin@example.com">admin@example.com</a>', true),<o:p></o:p></p></div></div><div><div><p class=MsoNormal> <b>('01921.FLANRJQW','user','Demo User','<a href="mailto:user@example.com">user@example.com</a>', true);</b><o:p></o:p></p></div></div></blockquote><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I'm able to get the info from the userinfo endpoint using the Bearer token. But I want the info in the id_token. That should be possible?<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>After hours of debugging the server code & Googling I'm throwing in the towel. Put me out of my misery :-( What am I missing?<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Thanks<o:p></o:p></p></div><div><p class=MsoNormal>Jason<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>