1

Does anyone know why, when I make a call to the /userinfo endpoint, I obtain a different JSON response? Specifically:

  • When I make a call with curl from the command line, like `curl -k -H "Authorization: Bearer 2bcea7cc9d7e4b63fd2257aa31116512" https://localhost:9443/oauth2/userinfo?schema=openid`, I obtain as response the JSON: `{"sub":"asela","name":"asela","preferred_username":"asela","given_name":"asela","family_name":"asela"}`
  • If I make the call with a Java client (a library that implements the Authorization Code Flow), when the client makes the /userinfo call I get as response a JSON like `{"sub":"asela@carbon"}` without all the other claims.

The claims for the service defined in WSO2 IS are the default ones. Thanks for any help.

Community
giovanni

2 Answers

2

I have tried this and got the same issue that you have faced. As I mentioned in my previous comment, the issue occurs due to the claim mapping issue. Normally we get the user's attributes from the “http://wso2.org/claims” dialect. But when we call the OpenID userInfo endpoint, it will provide the user's attributes from “http://wso2.org/oidc/claim”. But all the claims in http://wso2.org/claims are not defined in http://wso2.org/oidc/claim (e.g. Mobile, Address, Organization). So we have to define those required claims in the http://wso2.org/oidc/claim dialect, if they are not defined.

You can check these claims from the Identity Server Management Console. To do this, log into ManagementConsole > Main > List (under Claims).
Then you can go through the two claim dialects and add the required claims to the http://wso2.org/oidc/claim dialect.

To add a new claim, go to ManagementConsole > Main > Add (under Claims) > Add new claim. See the attached screenshot of defining a sample claim. Here you need to map the exact Mapped Attribute & Claim Uri with the http://wso2.org/claims.


Hope this will be helpful.

  • Thanks for your reply @Shanaka, I've checked my `claim-config.xml`, but I see that the **"http://wso2.org/oidc/claim"** is well defined and already contains the claims that I receive as JSON response when I call the **/userinfo** endpoint with `curl`. Is it possible that when I make the Auth Code Flow with the Java client the **/userinfo** endpoint responds with a claim not defined in `claim-config.xml`? This is because in `claim-config.xml` I found only 1 definition for the **"Subject/sub"** claim, in the **"http://wso2.org/oidc/claim"** dialect. – giovanni Jan 25 '16 at 10:19
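
The dialect comparison described in the answer above can also be done offline. This is an added example, not code from the post or from WSO2: it assumes both dialects are available in a `claim-config.xml`-style layout with `Dialect`, `Claim`, `ClaimURI` and `AttributeID` elements, and the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

LOCAL = "http://wso2.org/claims"
OIDC = "http://wso2.org/oidc/claim"

# Constructed sample laid out like claim-config.xml (element names are an assumption).
SAMPLE = """
<ClaimConfig><Dialects>
  <Dialect dialectURI="http://wso2.org/claims">
    <Claim><ClaimURI>http://wso2.org/claims/givenname</ClaimURI><AttributeID>givenName</AttributeID></Claim>
    <Claim><ClaimURI>http://wso2.org/claims/lastname</ClaimURI><AttributeID>sn</AttributeID></Claim>
    <Claim><ClaimURI>http://wso2.org/claims/mobile</ClaimURI><AttributeID>mobile</AttributeID></Claim>
    <Claim><ClaimURI>http://wso2.org/claims/organization</ClaimURI><AttributeID>organizationName</AttributeID></Claim>
  </Dialect>
  <Dialect dialectURI="http://wso2.org/oidc/claim">
    <Claim><ClaimURI>given_name</ClaimURI><AttributeID>givenName</AttributeID></Claim>
    <Claim><ClaimURI>family_name</ClaimURI><AttributeID>sn</AttributeID></Claim>
  </Dialect>
</Dialects></ClaimConfig>
"""

def dialect_claims(root, uri):
    """Return {mapped attribute (lower-cased): ClaimURI} for one dialect."""
    out = {}
    for dialect in root.iter("Dialect"):
        if dialect.get("dialectURI") != uri:
            continue
        for claim in dialect.findall("Claim"):
            attr = (claim.findtext("AttributeID") or "").strip()
            claim_uri = (claim.findtext("ClaimURI") or "").strip()
            if attr and claim_uri:
                out[attr.lower()] = claim_uri
    return out

def missing_oidc_mappings(xml_text):
    """List local-dialect claims whose mapped attribute has no OIDC-dialect claim."""
    root = ET.fromstring(xml_text)
    local = dialect_claims(root, LOCAL)
    oidc = dialect_claims(root, OIDC)
    return sorted(uri for attr, uri in local.items() if attr not in oidc)

if __name__ == "__main__":
    for uri in missing_oidc_mappings(SAMPLE):
        print("no OIDC claim is mapped to the attribute behind", uri)
```

Claims reported here are the candidates to add to the http://wso2.org/oidc/claim dialect with the same mapped attribute.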
0

WSO2 IS normally returns the claims that are configured under the “http://wso2.org/oidc/claim” claim dialect. But the claim in the response should return normally. So make sure you have defined claim values in the user's profile.
You can follow [1] & [2] for more details about this. If you still can't get the correct response, please attach your SP configurations and claim configurations for further analysis.

[1] http://xacmlinfo.org/2015/03/09/openid-connect-support-with-resource-owner-password-grant-type/
[2] http://shanakaweerasinghe.blogspot.com/2016/01/get-user-profile-for-oauth-token-using.html

  • I verified, @Shanaka, but the claims defined under `http://wso2.org/oidc/claim` are the ones I received in JSON with the **curl** client. My question is why, if I make the call with the Java client, I obtain a different set of claims (only one, the **sub**), and why the values for this claim differ between the clients. – giovanni Jan 21 '16 at 10:41
  • Hi giovanni, sometimes this will be fixed if we map http://wso2.org/oidc/claim with (default claims) http://wso2.org/claim. I'll check this and update you ASAP. – Shanaka Weerasinghe Jan 21 '16 at 18:42