WSO2 IS 5.1.0 as OAuth/OIDC IdP response with different claims on UserInfo endpoint


Problem description

Does anyone know why, if I make a call to the /userinfo endpoint, I obtain different JSON responses? Specifically:

  • When I make a call with curl from the command line, like $ curl -k -H "Authorization: Bearer 2bcea7cc9d7e4b63fd2257aa31116512" https://localhost:9443/oauth2/userinfo?schema=openid I obtain as response the JSON: {"sub":"asela","name":"asela","preferred_username":"asela","given_name":"asela","family_name":"asela"}
  • If I make the call with a Java client (a library that implements the Authorization Code Flow), when the client makes the /userinfo call I have as response a JSON like {"sub":"asela@carbon"} without all the other claims.

The claims for the service defined in WSO2 IS are the default ones. Thanks for any help.

Recommended answer

I have tried this and got the same issue that you have faced. As I have mentioned in my previous comment, the issue occurs due to the claim mapping issue. Normally we get the user's attributes from the "http://wso2.org/claims" dialect. But when we call the OpenID userInfo endpoint, it will provide the user's attributes from "http://wso2.org/oidc/claim". But all the claims in http://wso2.org/claims are not defined in http://wso2.org/oidc/claim (e.g. Mobile, Address, Organization). So we have to define those required claims in the http://wso2.org/oidc/claim dialect, if they are not defined.

You can check these claims from the Identity Server Management Console. To do this, log into Management Console > Main > List (under Claims).
Then you can go through the two claim dialects and add required claims to

Hope this will be helpful.
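The dialect gap the answer describes can be checked offline from an exported claim configuration. The following is an added example, not part of the original answer or of WSO2's code: the XML layout (`Dialect`, `Claim`, `ClaimURI`, `AttributeID`), the sample values and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

LOCAL_DIALECT = "http://wso2.org/claims"
OIDC_DIALECT = "http://wso2.org/oidc/claim"

# Constructed sample (not from a real server). Assumed layout: <Dialect dialectURI=...>
# holding <Claim> entries, each with a <ClaimURI> and the user-store <AttributeID>.
SAMPLE_CONFIG = """
<ClaimConfig>
  <Dialect dialectURI="http://wso2.org/claims">
    <Claim><ClaimURI>http://wso2.org/claims/givenname</ClaimURI><AttributeID>givenName</AttributeID></Claim>
    <Claim><ClaimURI>http://wso2.org/claims/mobile</ClaimURI><AttributeID>mobile</AttributeID></Claim>
    <Claim><ClaimURI>http://wso2.org/claims/organization</ClaimURI><AttributeID>organizationName</AttributeID></Claim>
  </Dialect>
  <Dialect dialectURI="http://wso2.org/oidc/claim">
    <Claim><ClaimURI>given_name</ClaimURI><AttributeID>givenname</AttributeID></Claim>
  </Dialect>
</ClaimConfig>
"""


def dialect_claims(root, dialect_uri):
    """Return [(claim URI, mapped attribute)] for every claim in one dialect."""
    pairs = []
    for dialect in root.iter("Dialect"):
        if dialect.get("dialectURI") != dialect_uri:
            continue
        for claim in dialect.iter("Claim"):
            uri = (claim.findtext("ClaimURI") or "").strip()
            attr = (claim.findtext("AttributeID") or "").strip()
            if uri and attr:
                pairs.append((uri, attr))
    return pairs


def claims_missing_from_oidc(config_xml):
    """List local-dialect claims whose attribute has no claim in the OIDC dialect."""
    root = ET.fromstring(config_xml)
    # Attribute names are compared case-insensitively, as LDAP-style stores treat them.
    oidc_attrs = {attr.lower() for _, attr in dialect_claims(root, OIDC_DIALECT)}
    return [(uri, attr) for uri, attr in dialect_claims(root, LOCAL_DIALECT)
            if attr.lower() not in oidc_attrs]


if __name__ == "__main__":
    for uri, attr in claims_missing_from_oidc(SAMPLE_CONFIG):
        print(f"no OIDC-dialect claim for {uri} (attribute {attr}); UserInfo will omit it")
```

Each entry it reports is a candidate to define in the http://wso2.org/oidc/claim dialect, as the answer recommends.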
