WSO2 IS: OpenID Connect custom claims in 5.2.0?


Question

I have installed WSO2 IS 5.2.0 and I have a problem retrieving custom-created claims.

I added new claims to the dialect http://wso2.org/claims, and I also added new claims that map the same attribute to the dialect http://wso2.org/oidc/claim. This worked with version 5.1.0, but in version 5.2.0 it is not working.

All fields are present in the database attribute table. I am using the OAuth2 OpenID Connect userInfo endpoint to fetch user data.

Here is the claims configuration for my Service Provider:

With this configuration in 5.1.0 I got all of the requested claims shown in the image, but in 5.2.0 I get only the claims that are not custom, i.e. those that were already present in both dialects by default.

Answer

The reason for this behaviour is the introduction of OpenID Connect claim scopes in 5.2.0. So basically, when you request an OIDC token you can specify a scope value that is bound to a set of claims. So when you send that OIDC token to the userinfo endpoint, only those claims which are common to both the OIDC scope config and the SP claim configuration (i.e. the intersection of the claims in these two configs) will be returned.

Let's take an example. Consider the default required scope needed to get an OIDC token, which is 'openid'.

The openid scope is bound to the following claims:

sub, email, email_verified, name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, updated_at, phone_number, phone_number_verified, address, street

(You can configure this using the 'oidc' file found in the registry at /_system/config/oidc.)

So in your case, please add the custom claims slotCentreURL, role and slotCentre to the mapped claims for this scope by editing the oidc file.

Alternatively, you can add a new scope, say 'customSPScope1', with the claims that you need, and send it when getting the OIDC token in addition to the mandatory openid scope.

You also need to configure the required claims in the Service Provider configuration. The logic here is that only the intersection of the claims configured at the OIDC scope level and the claims configured at the SP level is returned.
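The following is an added illustration of the filtering rule the answer describes (intersection of scope-bound claims and SP-requested claims), written for this page and not code from WSO2 or from the people in the thread. The 'openid' entry copies the claim list quoted in the answer; the registry resource is modelled as a plain dict of scope name to comma-separated claims, which is an assumption about the shape of /_system/config/oidc made only for illustration. It shows both fixes from the answer (extending the openid scope, or adding 'customSPScope1' and requesting it alongside openid) and the failure mode where a client forgets to request the new scope. The user record and SP claim list are constructed sample data.

```python
# Model of the WSO2 IS 5.2.0 userinfo claim filtering described above.
# Added example, not WSO2 code. Registry shape and the "drop claims the
# user has no value for" rule are assumptions of this model.

OIDC_SCOPE_REGISTRY = {
    # Copied from the claim list in the answer (scope -> comma-separated claims).
    "openid": (
        "sub,email,email_verified,name,family_name,given_name,middle_name,"
        "nickname,preferred_username,profile,picture,website,gender,birthdate,"
        "zoneinfo,locale,updated_at,phone_number,phone_number_verified,"
        "address,street"
    ),
}

# Custom claims named in the question, plus a constructed user record.
CUSTOM_CLAIMS = ["slotCentreURL", "role", "slotCentre"]
SP_REQUESTED_CLAIMS = ["sub", "email", "given_name"] + CUSTOM_CLAIMS
USER = {  # constructed sample attributes, not real data
    "sub": "alice",
    "email": "alice@example.com",
    "given_name": "Alice",
    "slotCentreURL": "https://slots.example.com/centre/7",
    "role": "operator",
    "slotCentre": "7",
}


def scope_claims(registry, scope):
    """Claims bound to one scope; an unknown scope binds nothing."""
    return [c.strip() for c in registry.get(scope, "").split(",") if c.strip()]


def userinfo_claims(registry, scope_param, sp_claims, user):
    """Claims userinfo returns for a token issued with `scope_param`
    (space-separated, as sent to the token endpoint).

    Per the answer: intersection of the claims bound to the requested
    scopes and the claims requested in the SP configuration. openid is
    mandatory for an OIDC token, so its absence is treated as an error.
    """
    scopes = scope_param.split()
    if "openid" not in scopes:
        raise ValueError("openid scope is mandatory for an OIDC token")
    allowed = set()
    for s in scopes:
        allowed.update(scope_claims(registry, s))
    returned = allowed & set(sp_claims)
    # Assumption: only claims the user actually has a value for are emitted.
    return {c: user[c] for c in sorted(returned) if c in user}


def add_claims_to_scope(registry, scope, claims):
    """Fix 1 from the answer: extend an existing scope's mapped claims."""
    merged = scope_claims(registry, scope)
    merged += [c for c in claims if c not in merged]
    return {**registry, scope: ",".join(merged)}


def add_custom_scope(registry, scope, claims):
    """Fix 2 from the answer: bind the custom claims to a new scope that
    the client must then request together with openid."""
    return {**registry, scope: ",".join(claims)}


def demo():
    """Evaluate the three configurations and return what userinfo emits."""
    default = userinfo_claims(OIDC_SCOPE_REGISTRY, "openid", SP_REQUESTED_CLAIMS, USER)
    reg1 = add_claims_to_scope(OIDC_SCOPE_REGISTRY, "openid", CUSTOM_CLAIMS)
    fix1 = userinfo_claims(reg1, "openid", SP_REQUESTED_CLAIMS, USER)
    reg2 = add_custom_scope(OIDC_SCOPE_REGISTRY, "customSPScope1", CUSTOM_CLAIMS)
    fix2 = userinfo_claims(reg2, "openid customSPScope1", SP_REQUESTED_CLAIMS, USER)
    # With fix 2, a client that omits the new scope is back to the default set.
    fix2_without_scope = userinfo_claims(reg2, "openid", SP_REQUESTED_CLAIMS, USER)
    return {"default": default, "fix1": fix1, "fix2": fix2,
            "fix2_without_scope": fix2_without_scope}


if __name__ == "__main__":
    for name, claims in demo().items():
        print(name, sorted(claims))
```

The practical check this encodes: if a custom claim is missing from userinfo in 5.2.0, confirm it appears in both places (the scope's claim list in the registry resource and the SP's requested claims) and that the client actually sent the scope that carries it.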
