Skip to content

SplittingClaims

Jump to bottom
Scott Cantor edited this page Feb 22, 2021 · 20 revisions

Current File(s): conf/attribute-resolver.xml, conf/attribute-filter.xml

Overview

Claims are released by default in userinfo response unless response type is "id_token". You may and most likely will have a need to release claims also in id token regardless of the response type. Client may be specifically requesting claims to be returned in id token or you may have agreed of it offline. One reason for splitting the claims might be setting more sensitive claims to id token and less sensitive ones to userinfo response to be fetched by someone else than the client itself.

Splitting and attribute resolver by example

The splitting is often combination of attribute filtering rules and attribute definitions. Attribute encoders control the target, id token or userinfo response to which the attribute may be encoded to. Assuming you have a attribute name for claim "name" already defined,

<!-- standard claim name fetched from static connector -->
<AttributeDefinition id="name" xsi:type="Simple" sourceAttributeID="name">
    <Dependency ref="staticAttributes" />
    <AttributeEncoder xsi:type="oidcext:OIDCString" name="name" />
</AttributeDefinition>

which you may be releasing already for instance for scope "profile" in your attribute filter following the standard behaviour. If you need a another filtering rule releasing claim "name" for instance by a request but only in id token you need to define a second attribute, name_idtoken that holds the same value and a additional encoder options placing it to id token and denying it from userinfo response.

<!-- claim that may be encoded only for userinfo response -->
<AttributeDefinition id="name_idtoken" xsi:type="Simple">
    <Dependency ref="name" />
    <AttributeEncoder xsi:type="oidcext:OIDCString" placeToIDToken="true" denyUserinfo="true"
        name="name" />
</AttributeDefinition>

Now you may refer to that attribute definition in attribute filter.

Splitting and attribute filter by example

<AttributeFilterPolicy id="SPLITTING_CLAIMS">
    <PolicyRequirementRule xsi:type="ANY" />
    <!-- Release name in id token if specifically asked to be released for id token -->
    <AttributeRule attributeID="name_idtoken">
        <PermitValueRule xsi:type="oidcext:AttributeInOIDCRequestedClaims" matchOnlyIDToken="true" />
    </AttributeRule>
</AttributeFilterPolicy>

Outcome

The released claim will end up if requested only to id token regardless of response type.

(Migrated)

Clone this wiki locally