Module OIDC questions


Bengt Wällstedt

Sep 16, 2025, 7:11:58 PM
to SimpleSAMLphp
Hi!
Just implemented the OIDC module on 2 IdPs and although I never worked with OIDC before it was considerably easier than expected and seems to work well! However, I have 2 questions:
1. I can only put values in the sub claim, and only one value. I can choose any SAML attribute available and put it there, but only in sub and only one at a time. I would like to put values in the given_name, family_name and email claims, but they don't show up whatever I try. There is not a lot to configure in the module_oidc.config file, but nothing happens when I add claims in the OPTION_AUTH_SAML_TO_OIDC_TRANSLATE_TABLE section.
2. I get no logging from the OIDC module except for the authproc piece I included to get attributes. Is it possible to configure a little bit more detailed logging?

cic...@gmail.com

Sep 17, 2025, 3:42:28 AM
to SimpleSAMLphp
Hi Bengt,

How do you "get" claims? Do you use the userinfo endpoint, or do you extract sub from the ID Token? Are your clients using "proper scopes" to request claims? For example, the client first has to be "allowed" to use certain scopes (you edit this in the client edit screen, in the admin area).
Next, the client has to use those scopes in the authorization request for the IdP to release mapped claims. Also, your SimpleSAMLphp authentication source has to "provide" user attributes which are mapped to OIDC claims... So, there are a lot of places things can go wrong...

I'm aware that the debug logging is bad in the module. It is on a TODO list for v7 to fix this, and v7 is Work-in-Progress.

If the above doesn't help, feel free to join our SimpleSAMLphp Slack, and ping me there so we can debug this further.

Marko I. 

Bengt Wällstedt

Sep 21, 2025, 10:29:59 PM
to SimpleSAMLphp
Hi! Thanks for replying! As I said, I'm new to both the OIDC module and to OIDC as such, so I might well misunderstand things... I've used SimpleSAMLphp for SAML IdPs for years, though, so I have some experience there. In this case the SAML attributes do not come directly from the authsource (it returns only an id string) but are picked up by an authproc that does "attributes add from ldap" to get the attributes. This seems to work nicely, since I can put any one of the added LDAP attributes in the sub claim. I tried adding all scopes for test clients and checked the result on OpenID Connect Playground. The attribute I use for OPTION_AUTH_USER_IDENTIFIER_ATTRIBUTE always finds its way to sub, unless I activate the 'sub' section in OPTION_AUTH_SAML_TO_OIDC_TRANSLATE_TABLE. If I specify another available attribute that has a value there, it ends up in sub in the token. However, sub is the only attribute (claim) that ever ends up in the token. It might be that the email claim actually gets the value of the user's mail attribute but is not included in the token. Or, it might be that the value of attribute mail is never assigned to claim email and thus the claim is omitted from the token. As I said, this is not a problem at all at the moment, so no hurry here, but I'd like to get a better grip on how it works anyway. If it is more convenient we can continue on Slack (new to Slack too...)
Kind regards
Bengt

cic...@gmail.com

Sep 22, 2025, 4:15:11 AM
to SimpleSAMLphp
Ok, so does "OpenID Connect Playground" go to the "userinfo" endpoint, or does it only try to extract claims from the ID Token? If it only shows ID Token claims, then that's where the culprit is, because the module won't put user claims in the ID Token when an Access Token is released during the flow (the client should fetch user claims from the userinfo endpoint).

Feel free to ping me on Slack if the above is not the case, so we can share config and debug some more...
Marko I. 
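The two points Marko raises, that claims are released per scope and that the user claims arrive via the userinfo endpoint rather than inside the ID Token, can be checked from the client side. The following is an added example, not code from this thread or from the SimpleSAMLphp OIDC module: it decodes an ID Token payload for inspection, derives the standard claims a scope string entitles the client to, and calls userinfo with the access token, refusing the response if its `sub` differs from the ID Token `sub`. The endpoint URL, the token strings, the `http_get` hook and the userinfo payload are all constructed so the script runs offline.

```python
"""Where OIDC user claims live: ID Token payload vs. userinfo endpoint.

Added illustration; endpoint, tokens and the userinfo document are
constructed and stand in for a real SimpleSAMLphp OP.
"""
import base64
import json
from typing import Any, Callable, Dict, Set, Tuple

# Standard scope -> claims mapping from OpenID Connect Core 1.0, section 5.4.
SCOPE_CLAIMS: Dict[str, Set[str]] = {
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}

USERINFO_ENDPOINT = "https://idp.example.org/module.php/oidc/userinfo"  # constructed


def claims_for_scopes(scopes: str) -> Set[str]:
    """Standard claims a client may expect when it requests these scopes."""
    allowed: Set[str] = set()
    for scope in scopes.split():
        allowed |= SCOPE_CLAIMS.get(scope, set())
    return allowed


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_claims(id_token: str) -> Dict[str, Any]:
    """Decode a JWT payload for inspection only (what a "playground" does).

    No signature check happens here; a relying party must validate the
    signature, iss, aud and exp before trusting any of these values.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


HttpGet = Callable[[str, Dict[str, str]], Tuple[int, bytes]]


def fetch_userinfo(endpoint: str, access_token: str, http_get: HttpGet) -> Dict[str, Any]:
    """GET userinfo with the access token as a Bearer credential."""
    status, body = http_get(endpoint, {"Authorization": f"Bearer {access_token}"})
    if status != 200:
        raise RuntimeError(f"userinfo returned HTTP {status}")
    return json.loads(body)


def resolve_user_claims(id_token: str, access_token: str,
                        endpoint: str, http_get: HttpGet) -> Dict[str, Any]:
    """ID Token claims plus userinfo claims, with the mandatory sub check."""
    idt = id_token_claims(id_token)
    info = fetch_userinfo(endpoint, access_token, http_get)
    # OpenID Connect Core 5.3.2: the userinfo sub MUST equal the ID Token sub,
    # otherwise the userinfo response must not be used.
    if info.get("sub") != idt.get("sub"):
        raise ValueError("userinfo sub does not match ID Token sub")
    merged = dict(idt)
    merged.update(info)
    return merged


# --- constructed sample data ------------------------------------------------

def _unsigned_jwt(payload: Dict[str, Any]) -> str:
    # Constructed token with a placeholder signature segment; it would fail
    # real validation and exists only so the decoder has input to parse.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'kid': 'placeholder'})}.{enc(payload)}.cGxhY2Vob2xkZXI"


# The ID Token carries only sub, as observed in the thread.
SAMPLE_ID_TOKEN = _unsigned_jwt({"iss": "https://idp.example.org", "sub": "user-123",
                                 "aud": "playground", "exp": 1_800_000_000})
SAMPLE_ACCESS_TOKEN = "constructed-access-token"

# The mapped profile/email claims show up only in the userinfo document.
FAKE_USERINFO = {"sub": "user-123", "given_name": "Jane", "family_name": "Doe",
                 "email": "jane.doe@example.org"}


def fake_http_get(url: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Stand-in for an HTTP client: userinfo only answers to the right Bearer token."""
    if url != USERINFO_ENDPOINT or headers.get("Authorization") != f"Bearer {SAMPLE_ACCESS_TOKEN}":
        return 401, b'{"error":"invalid_token"}'
    return 200, json.dumps(FAKE_USERINFO).encode()


if __name__ == "__main__":
    print("ID Token claims:", sorted(id_token_claims(SAMPLE_ID_TOKEN)))
    print("expected for 'openid profile email':", sorted(claims_for_scopes("openid profile email")))
    print("after userinfo:", sorted(resolve_user_claims(
        SAMPLE_ID_TOKEN, SAMPLE_ACCESS_TOKEN, USERINFO_ENDPOINT, fake_http_get)))
```

Swapping `fake_http_get` for a real HTTP call against the OP's discovery-advertised `userinfo_endpoint` turns this into the check a client can run when "only sub shows up": if userinfo returns the claims, the OP is releasing them and the decoder-only tool was the limitation; if it does not, the scope grant for the client or the attribute-to-claim mapping is the place to look.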

Bengt Wällstedt

Sep 23, 2025, 6:50:52 PM
to SimpleSAMLphp
Hi!
Ah, didn't know that! No, OpenID Connect Playground only decodes the JWT, and that is where I only find the sub claim. There is no feature for querying the userinfo endpoint. Probably it's all there, then, only I have to find a way to query it.
Kind regards
Bengt
