fix: use OIDC standard claims, if result from mapping is null #2566
Conversation
With #1925 there was a fix already, however using custom claims can lead to error situations. With this fix, that error situations are prevented if standard claims in id_token, e.g. name is an array with different values, but family_name and given_name are also in the token as string. This fix is for OIDC IdP integration, therefore it makes sense to use as fallback also OIDC standard claims.
|
We have created an issue in Pivotal Tracker to manage this: https://www.pivotaltracker.com/story/show/186311897 The labels on this github issue will be updated when the story is started. |
strehle
changed the title
strehle
added
in_review
I have concerns from an operator UX perspective.Example of the exact impact of this PR (possibly in combination with the prior PR #1925 ): Example attributeMappings in an external IDP config set by the operator: Example external token: Resulting UAA token after this PR: It seems to me that this PR would be "doing too much" for the operators by offering too much fallback mechanism. If their intention is to have this mapping And if the operater's intention is to not import the phone number into UAA (by not adding an Overall, if I were an operator, I would much rather have the actual UAA behaviors be completely deterministic based on my config, rather than having a lot of fallback & outcomes that I do not intend. |
|
Ok so the 2 fall back I see, however can we agree that we should have an option to get the OIDC name if no mapping is configured Currently all admin have to configuration mappings and we have seen that these things can go wrong. What we want have in future. There is scope in configuration already and in OIDC you can ask for scopes email and/or profile From a standard OIDC IdP you will get then automatically email, email_verified, given_name, family_name because these are the standard names, so in such cases a user attribute mapping should come automatically, ok ? |
Return the oidc standard claim if the mapped claim is not in token. This is useful needed if the mapping is not done or not correct. If the mapping is available this is used. The reality has shown, that many operators do not create a mapping at all or correct mapping, but with OIDC the mapping for email, given_name, family_name is not needed because they are there with scope profile. See test getUser_doesNotReturnNullWhenIdTokenMappingIsNotAvailableButAlsoOidcStandardClaims
strehle
changed the title
|
@peterhaochen47 now only with one default, if custom mapping is null or if there is no custom mapping. With that externalGroupMapping is not needed at all if profile scope is used and OIDC IdP behaves OIDC compliant |
|
Ok, now I agree that some defaulting based on the OIDC standard claims is fair. I think we can provide the following default values at the IDP config level (defaulting at the config level might also simplify our code here): Aka, if the operators DO NOT configure a mapping (left blank), then we use the above defaults. But if the operators DO configure a mapping, but the mapping fails to get a valid claim from the external token, then I would argue that we should let it fail (and not fallback), so that the original intentions of the operators are respected. Going back to the above example: Example external token: Then I think the following resulting UAA token is fair: Since the operator did NOT set |
|
ok, then cancel this |
With #1925 there was a fix already, however using custom claims can lead to error situations. With this fix, that error situations are prevented if standard claims in id_token, e.g. custom attribute is not in token, but family_name and given_name are also in the token as string. This fix is for OIDC IdP integration, therefore it makes sense to use as fallback also OIDC standard claims.