eosc-kc / keycloak

Open Source Identity and Access Management For Modern Applications and Services
https://www.keycloak.org
Apache License 2.0

Investigate support for "claims" request parameter in OIDC #58

Open NicolasLiampotis opened 3 years ago

NicolasLiampotis commented 3 years ago

Investigate support for requesting Claims using the "claims" request parameter as per https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter

NicolasLiampotis commented 3 years ago

@cgeorgilakis We can test support for the Claims request parameter with a demo OIDC client that makes the following Claims request:

{
  "userinfo": {
    "given_name": {"essential": true},
    "email": {"essential": true},
    "email_verified": {"essential": true},
    "http://example.info/claims/groups": null
  },
  "id_token": {
    "auth_time": {"essential": true}
  }
}

cgeorgilakis commented 3 years ago

A Claims parameter Token mapper exists for the OIDC Client. You can only configure the booleans Add to ID token and Add to userinfo.

As I understand it, the 'name', 'given_name', 'family_name', 'preferred_username' and 'email' mappings are returned only if the essential attribute has the value true for "userinfo" or "id_token".
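To make the demo client proposed above and the essential-only mapper behaviour just described concrete, here is an added example (not code from this issue or from Keycloak): it serialises the claims request into the `claims` query parameter, recovers it on the receiving side, and selects only the claims marked `"essential": true` per section, treating a `null` entry as voluntary. The endpoint, client id, redirect URI and user attributes are constructed placeholders.

```python
import json
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed copy of the claims request from the issue's demo client.
CLAIMS_REQUEST = {
    "userinfo": {
        "given_name": {"essential": True},
        "email": {"essential": True},
        "email_verified": {"essential": True},
        "http://example.info/claims/groups": None,   # voluntary claim
    },
    "id_token": {"auth_time": {"essential": True}},
}


def build_authorization_url(authz_endpoint, client_id, redirect_uri, claims_request, state):
    """Client side: put the claims request into the OIDC 'claims' query parameter."""
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "claims": json.dumps(claims_request, separators=(",", ":")),
    }
    return f"{authz_endpoint}?{urlencode(params)}"


def parse_claims_param(url):
    """Provider side: recover the claims request the client sent."""
    query = parse_qs(urlparse(url).query)
    return json.loads(query["claims"][0])


def essential_claims(claims_request, target):
    """Names requested with "essential": true in the 'userinfo' or 'id_token' section.
    A null entry (like the groups claim above) is voluntary and is skipped, mirroring the
    mapper behaviour described in the comment above (assumed, not verified against Keycloak)."""
    section = claims_request.get(target) or {}
    return {name for name, spec in section.items()
            if isinstance(spec, dict) and spec.get("essential") is True}


def select_claims(claims_request, target, available):
    """Return only the essential claims for `target` that the user actually has."""
    wanted = essential_claims(claims_request, target)
    return {name: available[name] for name in wanted if name in available}
```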

cgeorgilakis commented 3 years ago

PR for this mapper: https://github.com/keycloak/keycloak/pull/7232 (see comments)

cgeorgilakis commented 3 years ago

PR has been accepted. Is this ok for us?