I have set up an SP in WSO2 Identity Server and was able to get an access_token in OAuth2 using the playground. Ref: https://docs.wso2.com/display/IS510/OAuth+2.0+with+WSO2+Playground

Then I accessed the userinfo endpoint like:

```
curl -k -H "Authorization: Bearer 603b0a91-0354-3b64-90e9-0eb1fdd8f162" https://localhost:9443/oauth2/userinfo?schema=openid
```

I always get this JSON:

```
{"sub":"admin@carbon.super"}
```

But there should also be other properties like first name, last name, email, etc. by default. How do I configure the server to return all this information?

P.S. Tried IS 5.1 and 5.2.

  • Possible duplicate of [OpenId Connect with wso2 returns only sub claim](http://stackoverflow.com/questions/34889038/openid-connect-with-wso2-returns-only-sub-claim) – Bee Dec 22 '16 at 11:21

2 Answers


It seems the logic for returning claims from the UserInfo endpoint for the openid scope is that only the intersection of the claims configured in the OIDC file and the claims configured at SP level is returned. Based on this logic I was able to solve this problem with the following steps.

  1. The WSO2 IS default openid scope is bound to a set of predefined claims. You can configure this using the oidc file found in /_system/config/oidc, as in the following screenshot.
  2. Say, for example, you want to get the user's email address using the openid scope. By default it should come with the userInfo endpoint because the "email" scheme is set up by default (see the above screenshot).
  3. According to the default claims, look at the values of Claim Uri and Mapped Attribute of the email claim in the http://wso2.org/oidc/claim dialect.
  4. Now you need to add the correct http://wso2.org/claims claim, which is mapped to the email claim in http://wso2.org/oidc/claim, to the SP configuration. You can find it using the same Mapped Attribute, i.e. for this example there is the same "Email" claim in http://wso2.org/claims.
  5. Add the "Email" claim in http://wso2.org/claims to the SP configuration.

Now for the request

```
curl -k -H "Authorization: Bearer 8b2805a7-5b74-33ee-84df-2a8c53a16f6c" https://localhost:9443/oauth2/userinfo?schema=openid
```

you would get the response

```
{"sub":"admin@carbon.super","email":"admin@wso2.com"}
```
  • I have all the configurations as you mentioned and I am trying to log in using Facebook as an IDP, but I am still getting only sub in the response of the userinfo endpoint, whereas I am getting email, given_name, and family_name for Google and LinkedIn. What could be the issue? We are using WSO2 IS 5.3.0 – Prabakaran Thodithot Sembiyan Dec 28 '17 at 08:28
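A small model of the claim-filtering rule the answer above describes, added here as an example and not code from WSO2 IS: the openid scope binding, the two dialect mappings and the user record are constructed samples, and the function names are hypothetical. It shows why an SP that requests no local claim gets only `sub`, and which scope-bound claims are still being dropped.

```python
from typing import Dict, List, Set

# openid scope -> OIDC claims bound to it in /_system/config/oidc (constructed sample).
SCOPE_CLAIMS: Dict[str, List[str]] = {
    "openid": ["sub", "email", "given_name", "family_name"],
}

# OIDC dialect claim URI -> Mapped Attribute in the user store (constructed sample).
OIDC_DIALECT: Dict[str, str] = {
    "http://wso2.org/oidc/claim/email": "mail",
    "http://wso2.org/oidc/claim/given_name": "givenName",
    "http://wso2.org/oidc/claim/family_name": "sn",
}

# Local dialect claim URI -> Mapped Attribute; the SP picks its claims from here (constructed sample).
LOCAL_DIALECT: Dict[str, str] = {
    "http://wso2.org/claims/emailaddress": "mail",
    "http://wso2.org/claims/givenname": "givenName",
    "http://wso2.org/claims/lastname": "sn",
}

# Constructed user record, keyed by user-store attribute.
SAMPLE_USER: Dict[str, str] = {
    "sub": "admin@carbon.super", "mail": "admin@wso2.com",
    "givenName": "Admin", "sn": "User",
}

def _sp_attributes(sp_claims: Set[str]) -> Set[str]:
    """Mapped Attributes behind the local-dialect claims configured on the SP."""
    return {LOCAL_DIALECT[c] for c in sp_claims if c in LOCAL_DIALECT}

def userinfo_claims(scope: str, sp_claims: Set[str], user: Dict[str, str]) -> Dict[str, str]:
    """Claims the endpoint emits: 'sub' plus scope-bound claims the SP also requests."""
    result = {"sub": user["sub"]}
    sp_attrs = _sp_attributes(sp_claims)
    for name in SCOPE_CLAIMS.get(scope, []):
        attr = OIDC_DIALECT.get(f"http://wso2.org/oidc/claim/{name}")
        # Intersection: bound to the scope AND requested by the SP via the same Mapped Attribute.
        if attr and attr in sp_attrs and attr in user:
            result[name] = user[attr]
    return result

def unrequested_scope_claims(scope: str, sp_claims: Set[str]) -> List[str]:
    """Scope-bound claims silently dropped because no SP claim maps to the same attribute."""
    sp_attrs = _sp_attributes(sp_claims)
    return [n for n in SCOPE_CLAIMS.get(scope, []) if n != "sub"
            and OIDC_DIALECT.get(f"http://wso2.org/oidc/claim/{n}") not in sp_attrs]
```

Running `unrequested_scope_claims("openid", sp_claims)` against your SP's claim list tells you which local claims still have to be added before the corresponding OIDC claims appear.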

The issue you are facing seems to be reported in [1]. The issue was originally reported for IS 5.1.0 and there were some inconsistencies in the 5.2.0 release. According to the JIRA this will be fixed in the 5.3.0 release, which is scheduled to be released soon.

[1] https://wso2.org/jira/browse/IDENTITY-4250

Maduranga Siriwardena