The attribute-release flow was not selected because in our lab installation the property idp.consent.allowPerAttribute had the value true. It is used in an activationCondition for shibboleth.consent.AttributeReleaseFlow in profile-intercept-system.xml (cf. this link )
After setting idp.consent.allowPerAttribute to the default false the simple-web-app/user page now shows all the claims that are available!
I was blinded because when using Shibboleth/SAML to authentify for a SP then the attribute-release flow was selected anyway. It means then that the other part of the OR in the activateCondition (net.shibboleth.idp.saml.profile.config.logic.IncludeAttributeStatementPredicate) behaves differently for oidc (evaluates to false):
Is this a bug? (i.e. what is different in shibboleth-oidc from the Shibboleth/SAML case in the evaluation of IncludeAttributeStatementPredicate when idp.consent.allowPerAttribute is true?)
Is it an option to add a includeAttributeStatement to the OIDC login profile?
Reproduce
set idp.consent.allowPerAttribute to true and observe that the attribute release flow is not selected and the claim list is not constructed , as well as, in the Shibboleth/SAML case, the attribute release flow is still selected.
Diagnosis
This explanation about the activateCondition of the attribute release flow might shed some light on this issue:
From Scott Cantor: in case the attribute release flow is not applicable then the attributes that passed the filter policy should be transmitted to the client.
Background
Extracted from https://github.com/uchicago/shibboleth-oidc/issues/30 via @dominique-p
Issue
The attribute-release flow was not selected because in our lab installation the property
idp.consent.allowPerAttributehad the valuetrue. It is used in anactivationConditionforshibboleth.consent.AttributeReleaseFlowinprofile-intercept-system.xml(cf. this link )After setting
idp.consent.allowPerAttributeto the defaultfalsethe simple-web-app/user page now shows all the claims that are available!I was blinded because when using Shibboleth/SAML to authentify for a SP then the
attribute-releaseflow was selected anyway. It means then that the other part of the OR in theactivateCondition(net.shibboleth.idp.saml.profile.config.logic.IncludeAttributeStatementPredicate) behaves differently for oidc (evaluates to false):IncludeAttributeStatementPredicatewhenidp.consent.allowPerAttributeis true?)includeAttributeStatementto the OIDC login profile?Reproduce
set
idp.consent.allowPerAttributeto true and observe that the attribute release flow is not selected and the claim list is not constructed , as well as, in the Shibboleth/SAML case, the attribute release flow is still selected.Diagnosis
This explanation about the
activateConditionof the attribute release flow might shed some light on this issue:There is also a warning note on the
ConsentConfigurationpage of the Shibboleth documentation that gives some context: