panva / openid-client

OAuth 2 / OpenID Connect Client API for JavaScript Runtimes
MIT License

How to add set values for claims in Node OIDC without including the respective scopes #270

Closed abhinavkumarmaurya closed 4 years ago

abhinavkumarmaurya commented 4 years ago

We are using JWT request payload at authorization endpoint to provide scope and claims http://localhost:9116/oidc/auth?client_id=ktRtImddxmt1hFfDmy4aF&response_type=code id_token&scope=openid profile&nonce=foobar1&redirect_uri=https://www.xyyy.com.jj/redirects/redirect1&request=eyJraWQiOiJrYXJ0aGlqd2tza2lkIiwidHlwIjoiSldUIiwiYWxnIjoiUFMyNTYifQ.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.GqnCEbW_0co90N8WfCzppKDwwEGRFKOUPmzuzNomBJ2rpC6xlzZoyJlyB3VXE4hsdVw5Y_MWGBbTDlV4N04yHxYkC4v4JFV8kg3DBkF6ZSflPHHfKToOL27kPidtClvnsDX-U51TGnVcwKoO9Io7ePQlmfCDqy_7Xo8J6AHB8D3JKTWjR4vl_OrY2UAc_hRA0MGnTYxY_AjhCCl7ajHsSFmOTr4XjI29TPiuqNeFYpcqrF-8oXPmiDm8ZAaeCTa_7bFOFiR8LHYqYerYhhOt2A8aDG7QiOe66W-NOE0SFmlI-Ntpsa0CtTjrPddVylF9ZgF1b6ZXpXfT9jcjsTVz0w

Payload of the JWT:

```json
{
  "aud": "http://localhost:8082",
  "scope": "openid",
  "claims": {
    "id_token": {
      "acr": { "values": [ "urn:cds.au:cdr:3" ], "essential": true },
      "sharing_duration": "7776000"
    },
    "userinfo": { "given_name": null, "family_name": null }
  },
  "response_type": "code id_token",
  "redirect_uri": "https://BC.COM/redirects/redirect1",
  "state": "af0ifjsldkj",
  "nonce": "n-0S6_WzA2M j",
  "client_id": "ktRtImddxmt1hFfDmy4aF"
}
```

Now we want the information given in the claims section to be included in the id_token and at the userinfo endpoint (when called).

With the scope section only openid is defined, so from the userinfo endpoint we are only getting the sub claim, but we want given_name and family_name as well (not part of the scope but given as claims by the TPP); also the id_token should have the defined time expiry and the claims given in that section.

panva commented 4 years ago

> Now we want the information given in the claims section to be included in the id_token and at the userinfo endpoint (when called).

That is something you need to question at your Authorization Server. The client seems to send everything in order so that an AS supporting the claims parameter can act on it.

panva commented 4 years ago

Please consider supporting the library if it provides value to you or your company and this support was of help to you. Supporting the library means, amongst other things, that such support will be available in the future.

abhinavkumarmaurya commented 4 years ago

I saw the server code; it is filtering out the claims that are not part of the scope. But what about the claims that are passed separately? How would they be included in the id_token or userinfo? configuration.js has something like this:

```js
claims: {
  address: ['address'],
  email: ['email', 'email_verified'],
  phone: ['phone_number', 'phone_number_verified'],
  profile: ['birthdate', 'family_name', 'gender', 'given_name', 'locale', 'middle_name', 'name', 'nickname', 'picture', 'preferred_username', 'profile', 'updated_at', 'website', 'zoneinfo'],
}
```

Since I'm not passing any of these scopes, I'm getting only the sub claim (`// it is essential to always return a sub claim`). Why are the claims inside the claims section of the JWT payload not being considered, like acr, family_name, etc.?

In account.js, claims is returning all the values below:

```js
async claims(use, scope) { // eslint-disable-line no-unused-vars
  return {
    sub: this.accountId, // it is essential to always return a sub claim

    address: {
      country: '000',
      formatted: '000',
      locality: '000',
      postal_code: '000',
      region: '000',
      street_address: '000',
    },
    birthdate: '1987-10-16',
    acr: ['123', '456', '789'],
    email: 'johndoe@example.com',
    email_verified: false,
    family_name: 'Doe',
    gender: 'male',
    given_name: 'John',
    locale: 'en-US',
    middle_name: 'Middle',
    name: 'John Doe',
    nickname: 'Johny',
    phone_number: '+49 000 000000',
    phone_number_verified: false,
    picture: 'http://lorempixel.com/400/200/',
    preferred_username: 'johnny',
    profile: 'https://johnswebsite.com',
    updated_at: 1454704946,
    website: 'http://example.com',
    zoneinfo: 'Europe/Berlin',
  };
}
```

panva commented 4 years ago

Ok. Let me point out that this is a client project. If you want help setting up a specific IdP using oidc-provider, open an issue or search the tracker there.

panva commented 4 years ago

And FWIW, I'm sure you just don't have the claimsParameter feature enabled on your IdP, an indication of which would be your discovery document showing `claims_parameter_supported: false`.
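To make the behaviour discussed in this thread concrete, here is an added example (not code from openid-client or oidc-provider) that models, in simplified form, which claims an OP releases: `sub` always, scope-mapped claims from the quoted configuration.js mapping, and names from the `claims` parameter only when discovery advertises `claims_parameter_supported: true`. The decode helper is for inspecting an unverified request object only; the release rule is an assumed model, not the provider's actual code.

```javascript
// Added example, not openid-client or oidc-provider code: a simplified model of how an OP
// decides which claims to release, showing why only `sub` came back in the thread above.
// The scope->claims mapping is the one quoted from configuration.js in this issue.
const SCOPE_CLAIMS = {
  address: ['address'],
  email: ['email', 'email_verified'],
  phone: ['phone_number', 'phone_number_verified'],
  profile: ['birthdate', 'family_name', 'gender', 'given_name', 'locale', 'middle_name',
    'name', 'nickname', 'picture', 'preferred_username', 'profile', 'updated_at',
    'website', 'zoneinfo'],
};

// Decode the payload of a compact JWS for inspection only; nothing here verifies the
// signature, so never trust the result before the JWS is verified against the issuer's keys.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Claim names released for `target` ('id_token' or 'userinfo'). `sub` is always released,
// scope-mapped claims follow the granted scopes, and names from the `claims` parameter are
// honoured only when discovery advertises claims_parameter_supported: true (assumed model).
function releasedClaims({ scope, claims }, target, discovery) {
  const names = new Set(['sub']);
  for (const s of scope.split(' ')) for (const c of SCOPE_CLAIMS[s] || []) names.add(c);
  if (discovery.claims_parameter_supported === true && claims && claims[target]) {
    for (const c of Object.keys(claims[target])) names.add(c);
  }
  return [...names].sort();
}

// Constructed request-object payload mirroring the one posted in the issue.
const REQUEST_PAYLOAD = {
  scope: 'openid',
  claims: {
    id_token: { acr: { values: ['urn:cds.au:cdr:3'], essential: true } },
    userinfo: { given_name: null, family_name: null },
  },
};

// Outcome with the feature disabled (the thread's situation) versus enabled.
console.log(releasedClaims(REQUEST_PAYLOAD, 'userinfo', { claims_parameter_supported: false }));
console.log(releasedClaims(REQUEST_PAYLOAD, 'userinfo', { claims_parameter_supported: true }));
```

With the feature disabled the first call yields only `sub`, which is exactly the symptom reported above; enabling it makes `given_name` and `family_name` appear for userinfo and `acr` for the id_token.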