WSO2 Identity Server OAuth userinfo only returns sub


Problem description


I have set up an SP in WSO2 Identity Server and was able to get an access_token in OAuth2 using the playground. Ref: https://docs.wso2.com/display/IS510/OAuth+2.0+with+WSO2+Playground

Then I accessed the userinfo endpoint like:

curl -k -H "Authorization: Bearer 603b0a91-0354-3b64-90e9-0eb1fdd8f162" https://localhost:9443/oauth2/userinfo?schema=openid

I always get the JSON:

{"sub":"admin@carbon.super"}

But there should also be other properties like first name, last name, email, etc. by default. How do I configure the server to return all this information?

P.S. Tried IS 5.1 and 5.2

Solution

It seems that the logic for returning claims from the UserInfo endpoint for the openid scope is that only the intersection of the claims configured in the OIDC file and the claims configured at the SP level is returned. Based on this logic I was able to solve this problem with the following steps.

1. The WSO2 IS default openid scope is bound to a set of predefined claims. You can configure this using the oidc file found in /_system/config/oidc, as in the following screenshot.
2. Say, for example, you want to get the user's email address using the openid scope by default. It should come with the userInfo endpoint because the "email" scheme is set up by default (see the above screenshot).
3. According to the default claims

Look at the values of Claim Uri and Mapped Attribute of the email claim in the http://wso2.org/oidc/claim dialect.

4. Now you need to add the correct http://wso2.org/claims claim, which is mapped to the email claim in http://wso2.org/oidc/claim, to the SP configuration. You can find it using the same Mapped Attribute, i.e. for this example there is a same "Email" claim in http://wso2.org/claims.
5. Add the "Email" claim in http://wso2.org/claims to the SP configuration.

Now for the request

curl -k -H "Authorization: Bearer 8b2805a7-5b74-33ee-84df-2a8c53a16f6c" https://localhost:9443/oauth2/userinfo?schema=openid

you would get the response

{"sub":"admin@carbon.super","email":"admin@wso2.com"}
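The claim-selection rule the answer describes (the intersection of the claims bound to a scope in the OIDC file and the claims requested by the SP, joined across the two dialects by their Mapped Attribute), as an added example that is not part of the original answer or of WSO2's code. All scope bindings, claim URIs and user values in it are constructed stand-ins, not read from a real server; it shows which claims userinfo would return and why each missing one was dropped.

```python
# Added example, not from the original answer or from WSO2's own code. It models
# the answer's observation: for a scope, userinfo returns only the intersection of
# the claims bound to that scope in the OIDC scope file and the claims requested at
# the SP level, linked across dialects by their Mapped Attribute. All config and
# user values below are constructed stand-ins, not read from a real server.

OIDC_DIALECT = "http://wso2.org/oidc/claim"
LOCAL_DIALECT = "http://wso2.org/claims"

# Constructed stand-in for /_system/config/oidc: scope -> OIDC claim names.
SCOPE_CLAIMS = {"openid": ["email", "given_name", "family_name"], "profile": ["name"]}

# Constructed claim dialect entries: claim URI -> Mapped Attribute (user store attribute).
OIDC_MAPPED_ATTRIBUTE = {
    f"{OIDC_DIALECT}/email": "mail",
    f"{OIDC_DIALECT}/given_name": "givenName",
    f"{OIDC_DIALECT}/family_name": "sn",
}
LOCAL_MAPPED_ATTRIBUTE = {
    f"{LOCAL_DIALECT}/emailaddress": "mail",
    f"{LOCAL_DIALECT}/givenname": "givenName",
    f"{LOCAL_DIALECT}/lastname": "sn",
}

def userinfo_claims(scope, sub, sp_requested_local_claims, user_attributes):
    """Return (claims the endpoint would emit, why each remaining scope claim was dropped)."""
    returned = {"sub": sub}  # sub is always present, as the question shows
    dropped = {}
    # Local claims the SP requests, keyed by the user store attribute they map to.
    sp_attrs = {LOCAL_MAPPED_ATTRIBUTE[c]: c
                for c in sp_requested_local_claims if c in LOCAL_MAPPED_ATTRIBUTE}
    for name in SCOPE_CLAIMS.get(scope, []):
        attr = OIDC_MAPPED_ATTRIBUTE.get(f"{OIDC_DIALECT}/{name}")
        if attr is None:
            dropped[name] = "no Mapped Attribute in the OIDC dialect"
        elif attr not in sp_attrs:
            dropped[name] = f"SP does not request the {LOCAL_DIALECT} claim mapped to {attr!r}"
        elif attr not in user_attributes:
            dropped[name] = f"user has no value for attribute {attr!r}"
        else:
            returned[name] = user_attributes[attr]
    return returned, dropped

if __name__ == "__main__":
    user = {"mail": "admin@wso2.com", "givenName": "Admin"}  # constructed user record
    print(userinfo_claims("openid", "admin@carbon.super", [], user))  # before: only sub
    print(userinfo_claims("openid", "admin@carbon.super",
                          [f"{LOCAL_DIALECT}/emailaddress"], user))  # after: sub + email
```

Running it with an empty SP claim list reproduces the question's sub-only response, and adding the local Email claim reproduces the answer's response while still reporting why given_name and family_name are absent.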
    

