No ID in profile created by OidcProfileCreator


Norman Lorenz

May 27, 2024, 5:36:55 AM5/27/24
to Pac4j development mailing list
Hi,

I have a direct header client (using OpenID Connect) like this:

// OIDC configuration used to validate the bearer token from the header
OidcConfiguration config = new OidcConfiguration();
config.setClientId(clientId);
config.setSecret(secret);
config.setDiscoveryURI(discoveryUri);
// additional settings
OidcClient oidcClient = new OidcClient(config);
// profile creator shared with the direct header client
OidcProfileCreator profileCreator = new OidcProfileCreator(config, oidcClient);
HeaderClient client =
    new HeaderClient("custom-header", "custom-prefix", profileCreator);

Authentication/validation of the token works fine. The problem I have is in the OidcProfileCreator. The OidcProfileCreator never sets the ID in the UserProfile. The ID is set when there are OidcCredentials but not when there are TokenCredentials (see OidcProfileCreator.java:118). Why is that? Shouldn't the ID of the UserProfile be set by the JWT subject (sub) as well when there are token credentials?

I am using pac4j 5.7.3. But the profile creator acts the same in the current version.

Kind regards

Jérôme LELEU

May 28, 2024, 12:11:20 PM5/28/24
to Pac4j development mailing list
Hi,

The OidcProfileCreator assumes that the access token is an opaque identifier, thus it is set as the accessToken property of the profile.
We don't check if it's a JWT with claims.
Thanks.
Best regards,
Jérôme

Norman Lorenz

May 29, 2024, 3:44:45 AM5/29/24
to Pac4j development mailing list

Hi Jérôme,

Thank you for your response. Upon further investigation, I realized that the sub claim is not directly added to the profile through the access token but via the callUserInfoEndpoint method, where an additional request to the user info endpoint is made. The successful response of this request is then parsed and the claims added to the user profile.

My question is regarding the scenario where the sub claim is retrieved from the user info endpoint but is not set as the ID in the UserProfile. I understand that the OidcProfileCreator assumes the access token is an opaque identifier and doesn't parse it for claims. However, given that the sub claim is available from the user info endpoint, should it not be set as the ID in the profile?

Is there a specific reason why the sub claim from the user info endpoint is not used to set the profile ID, or might this be an oversight? Any further insights would be greatly appreciated.

Best regards,

Norman
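For deployments still on a pac4j release that predates the fix discussed in this thread, one defensive workaround is a ProfileCreator decorator that fills in the missing profile ID from the sub attribute the user info call already populated. This is an added example, not code from the thread or from pac4j itself; it assumes the pac4j 5.x ProfileCreator signature (create(Credentials, WebContext, SessionStore)), that the user info claims are reachable via getAttribute("sub"), and the class name SubFallbackProfileCreator is made up.

```java
import java.util.Optional;

import org.pac4j.core.context.WebContext;
import org.pac4j.core.context.session.SessionStore;
import org.pac4j.core.credentials.Credentials;
import org.pac4j.core.profile.UserProfile;
import org.pac4j.core.profile.creator.ProfileCreator;
import org.pac4j.core.util.CommonHelper;

/**
 * Hypothetical decorator around an existing ProfileCreator (for example the
 * OidcProfileCreator from the thread). If the delegate returns a profile
 * without an ID, the ID is taken from the "sub" claim that the user info
 * endpoint call added as a profile attribute. Assumed pac4j 5.x API.
 */
public class SubFallbackProfileCreator implements ProfileCreator {

    private final ProfileCreator delegate;

    public SubFallbackProfileCreator(ProfileCreator delegate) {
        this.delegate = delegate;
    }

    @Override
    public Optional<UserProfile> create(Credentials credentials, WebContext context, SessionStore sessionStore) {
        // Token validation and the user info request happen in the delegate;
        // the "sub" attribute therefore comes from the issuer, not from the caller.
        Optional<UserProfile> result = delegate.create(credentials, context, sessionStore);
        result.ifPresent(profile -> {
            if (CommonHelper.isBlank(profile.getId())) {
                Object sub = profile.getAttribute("sub");
                if (sub != null && CommonHelper.isNotBlank(sub.toString())) {
                    profile.setId(sub.toString());
                }
            }
        });
        return result;
    }
}
```

Wire it in place of the bare profile creator from the first message, for example new HeaderClient("custom-header", "custom-prefix", new SubFallbackProfileCreator(profileCreator)), and check profile.getId() in a test so a regression is caught rather than silently producing ID-less profiles.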

Jérôme LELEU

May 30, 2024, 2:36:30 AM5/30/24
to Norman Lorenz, Pac4j development mailing list
Hi,

OK. I understand now.


Can you test with the version 5.7.6-SNAPSHOT and confirm it works?

Thanks.
Best regards,
Jérôme




Norman Lorenz

May 30, 2024, 4:44:14 AM5/30/24
to Pac4j development mailing list

Hi,

Thank you for the quick fix.

I have tested the version 5.7.6-SNAPSHOT, and I can confirm that it works as expected. The profile now has an ID.

Thanks again.


Best regards,

Norman

Jérôme LELEU

May 30, 2024, 7:58:26 AM5/30/24
to Norman Lorenz, Pac4j development mailing list
Hi,

Excellent! The fix has been ported forward to the master branch.
Thanks.
Best regards,
Jérôme

