Skip to content

SplittingClaims

jalauros edited this page Mar 6, 2018 · 20 revisions

Current File(s): conf/attribute-resolver.xml, conf/attribute-filter.xml

Overview

Claims are released as part of id token or as part of userinfo response. The basic filtering and attribute resolving examples show how a filtered claim ends up always in both (assuming userinfo endpoint is deployed at all). In some cases it is desirable to release a claim in one or the other, id token or in userinfo response, but not in both. This is called splitting claims.

Splitting and attribute resolver

The splitting basically happens already in attribute definition phase. Assuming you have a "name" claim already defined

<!-- standard claim name fetched from static connector -->
<AttributeDefinition id="name" xsi:type="Simple" sourceAttributeID="name">
    <Dependency ref="staticAttributes" />
    <AttributeEncoder xsi:type="oidcext:OIDCString" name="name" />
</AttributeDefinition>  

which you may release already for scope "profile" in your attribute filter. If you need a another filtering rule releasing it for instance by a request but only in userinfo response you need to define a second attribute, "name_ui" that holds the same value but a encoder that activates only for userinfo responses.

<!-- claim that may be encoded only for userinfo response -->
<AttributeDefinition id="name_ui" xsi:type="Simple">
    <Dependency ref="name" />
    <AttributeEncoder xsi:type="oidcext:OIDCString" activationConditionRef="UserInfoPredicate"
        name="name" />
</AttributeDefinition>

Now you may refer to that attribute definition in attribute filter.

Splitting and attribute filter

<AttributeFilterPolicy id="SPLITTING_CLAIMS">
    <PolicyRequirementRule xsi:type="ANY" />
    <!-- Release name in userinfo if specifically asked to be released for userinfo -->
    <AttributeRule attributeID="name_ui">
        <PermitValueRule xsi:type="oidcext:AttributeInOIDCRequestedClaims" matchOnlyUserInfo="true" />
    </AttributeRule>
</AttributeFilterPolicy>

Outcome

The released claims will end up only to userinfo response, not to a id token. The consent, if configured, is however asked also for this claim in the authorization endpoint, even though it may not be released at that phase.

If (or as you have when splitting) you have several attribute definitions claims having encoder named the same i.e. "name" in this case, it is important that they hold also the same value as in example (otherwise it really would not make any sense). In the case of overlapping filtering rules, which is normal, the value(s) of only one attribute having encode named "name" will end up in the response.

Beans

  • UserInfoPredicate, attribute resolver specific bean for activating encoder only for userinfo responses.
  • IDTokenPredicate, attribute resolver specific bean for activating encoder for setting the claim only to id token.