hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

OIDC Provider - exclude empty claims #13936

Open candlerb opened 2 years ago

candlerb commented 2 years ago

Is your feature request related to a problem? Please describe.

When you configure a scope like this:

vault write identity/oidc/scope/profile \
  description="Provides user info" \
  template='{
    "entity_name": {{identity.entity.name}},
    "name": {{identity.entity.metadata.name}},
    "organization": {{identity.entity.metadata.organization}},
    "preferred_username": {{identity.entity.metadata.username}}
}'

but the given metadata item(s) are missing from the entity, currently empty claims are returned in the JWT:

{
  ...
  "entity_name": "Brian Candler",
  "name": "",
  "organization": "",
  "preferred_username": "",
  ...
}

Describe the solution you'd like

I think it would be better if null claims were not returned. This would be in keeping with the spirit of section 5.3.2 of the spec:

If a Claim is not returned, that Claim Name SHOULD be omitted from the JSON object representing the Claims; it SHOULD NOT be present with a null or empty string value.

However, here it is talking about the response to the UserInfo endpoint, rather than the original identity token.

Describe alternatives you've considered

Retain the empty string. It's a bit ugly though.

For a JSON claim like

vault write identity/oidc/scope/groups \
  description="Provides a list of group names" \
  template='{
    "groups": {{identity.entity.groups.names}}
}'

(which returns a list) then maybe the empty list is still appropriate.

Explain any additional use-cases

N/A

Additional context

N/A
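As an added illustration of the behaviour proposed in this issue (this is not Vault's code, and it is not how the OIDC provider currently behaves), the following Go program takes a constructed claims document modelled on the JWT shown above and drops claims whose value is an empty string or JSON null, while keeping the empty "groups" list that the "groups" scope template would render for an entity with no group memberships. The issuer URL, the subject value, and the function names pruneEmptyClaims and prunedClaimNames are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// sampleClaims is a constructed stand-in for the claims rendered from the
// "profile" and "groups" scope templates in the issue, for an entity whose
// metadata keys are missing (empty strings) and which is in no groups
// (empty list). The iss and sub values are placeholders.
const sampleClaims = `{
  "iss": "https://vault.example.test/v1/identity/oidc/provider/default",
  "sub": "entity-id-placeholder",
  "entity_name": "Brian Candler",
  "name": "",
  "organization": "",
  "preferred_username": "",
  "groups": []
}`

// pruneEmptyClaims returns a copy of claims without any claim whose value is
// an empty string or JSON null, following the OIDC Core 5.3.2 wording that a
// claim "SHOULD NOT be present with a null or empty string value". Empty
// arrays and objects are kept: as the issue notes, an empty list is still a
// meaningful answer for a list-valued claim such as "groups".
func pruneEmptyClaims(claims map[string]interface{}) map[string]interface{} {
	out := make(map[string]interface{}, len(claims))
	for name, value := range claims {
		switch v := value.(type) {
		case nil: // JSON null decodes to a nil interface
			continue
		case string:
			if v == "" {
				continue
			}
		}
		out[name] = value
	}
	return out
}

// prunedClaimNames parses a JSON claims document, prunes it and returns the
// surviving claim names in sorted order, so the outcome is easy to check.
func prunedClaimNames(doc string) ([]string, error) {
	var claims map[string]interface{}
	if err := json.Unmarshal([]byte(doc), &claims); err != nil {
		return nil, err
	}
	pruned := pruneEmptyClaims(claims)
	names := make([]string, 0, len(pruned))
	for name := range pruned {
		names = append(names, name)
	}
	sort.Strings(names)
	return names, nil
}

func main() {
	var claims map[string]interface{}
	if err := json.Unmarshal([]byte(sampleClaims), &claims); err != nil {
		panic(err)
	}
	// Re-encode the pruned claims so the omitted keys are visible.
	out, err := json.MarshalIndent(pruneEmptyClaims(claims), "", "  ")
	if err != nil {
		panic(err)
	}
	fmt.Println(string(out))
}
```

Run with `go run .` and the printed object contains iss, sub, entity_name and an empty groups array, with name, organization and preferred_username omitted. Whether a relying party treats an absent claim and an empty-string claim the same way is its own decision, which is why pruning on the issuer side, as the issue proposes, removes the ambiguity before the token is ever issued.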

austingebauer commented 1 year ago

This would be a nice improvement that aligns our OIDC provider implementation more closely with the "should" noted above in the OIDC spec. We don't have plans to prioritize this soon but would happily review a pull request.