By: Dominique Petitpierre user 12 Mar 2018 at 9:23 a.m. CDT

6 Responses
Hello,

for the same access_token the `userinfo` and `introspection` end points return different `sub` attribute values:

- Why?

For example:

userinfo:

```
{
  "sub": "12345@example.com",
  "user_name": "12345",
  "updated_at": 1520434937192,
  "name": "Test User",
  "given_name": "Test",
  "family_name": "User",
  "email_verified": false,
  "email": "Test.User@example.com"
}
```

Introspection:

```
{
  "active": false,
  "scopes": [
    "openid",
    "user_name",
    "profile",
    "uma_protection",
    "email"
  ],
  "client_id": "@!0546.66BE.DE94.F1FF!0001!C673.197E!0008!206F.0FAB.9CDB.1D4E",
  "username": "Test User",
  "token_type": "bearer",
  "exp": 1520861679,
  "iat": 1520861379,
  "sub": "12345",
  "aud": "@!0546.66BE.DE94.F1FF!0001!C673.197E!0008!206F.0FAB.9CDB.1D4E",
  "iss": "https://oidc.example.com",
  "jti": null,
  "acr_values": null
}
```

The `introspection` `sub` value is not the one specified by `openidSubAttribute` (in fact here it is the same as the `user_name` claim value).

- Is this a bug?
- If yes, is there a patch for 3.1.2?
- If not, what should be done so that the `userinfo` and the `introspection` endpoints return the same `sub` value as specified by the configuration parameter `openidSubAttribute`?

Also, is it possible to change the `introspection` `username` attribute value to something else than the `name` claim value?

Thanks in advance for your help in this matter!

By Aliaksandr Samuseu staff 12 Mar 2018 at 9:36 a.m. CDT

Hi, Dominique.

> The introspection sub value is not the one specified by openidSubAttribute

Which attribute did you specify then? Is it email?

By Dominique Petitpierre user 12 Mar 2018 at 10:07 a.m. CDT

Hello Aliaksandr,

Thanks for your post! It is a custom attribute which is suffixed with the domain and guaranteed unique. But this is irrelevant: The value is correct in the `sub` attribute returned by the `userinfo` end point, and is different in the `sub` attribute returned by the `introspection` end point.

- Shouldn't they be the same?

By Dominique Petitpierre user 12 Mar 2018 at 11:53 a.m. CDT

Post Scriptum: In one test the client was not configured with `Subject Type: public` but `Subject Type: pairwise`: then the `userinfo` end point `sub` value was a long arbitrary identifier [1], but the `introspection` end point `sub` value was the same as the `user_name` claim value (just like above). Again, I would have expected the two `sub` values to be the same!

[1] 4127 [How to change the value returned in the "sub" claim?](https://support.gluu.org/customization/4127/how-to-change-the-value-returned-in-the-sub-claim/)
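
An added example (not part of the original posts and not Gluu's code): an offline check that a resource server or test suite could run over the two decoded responses for one token, flagging a `sub` mismatch and showing which userinfo claims the introspection values actually mirror. The function names are hypothetical; the sample data is trimmed from the responses quoted in the first post, and the same check applies to the pairwise case described above.

```python
import json

# Responses copied from the first post in this thread (trimmed to the fields compared).
USERINFO = json.loads("""{
  "sub": "12345@example.com", "user_name": "12345", "name": "Test User",
  "email": "Test.User@example.com"
}""")
INTROSPECTION = json.loads("""{
  "active": false, "username": "Test User", "sub": "12345",
  "iss": "https://oidc.example.com"
}""")


def mirrored_claims(value, userinfo):
    """Names of userinfo claims whose string value equals `value` (sorted)."""
    return sorted(k for k, v in userinfo.items() if isinstance(v, str) and v == value)


def compare_subjects(userinfo, introspection):
    """Compare the subject identifiers the two endpoints return for one token.

    Hypothetical helper: makes no network calls and only inspects the two
    decoded JSON bodies, returning a dict suitable for logging or alerting.
    """
    u_sub, i_sub = userinfo.get("sub"), introspection.get("sub")
    return {
        # A missing sub on either side is treated as inconsistent.
        "consistent": u_sub is not None and u_sub == i_sub,
        "userinfo_sub": u_sub,
        "introspection_sub": i_sub,
        # Which userinfo claims the introspection values actually mirror.
        "introspection_sub_mirrors": mirrored_claims(i_sub, userinfo),
        "introspection_username_mirrors": mirrored_claims(
            introspection.get("username"), userinfo),
    }


if __name__ == "__main__":
    print(json.dumps(compare_subjects(USERINFO, INTROSPECTION), indent=2))
```

A service that keys accounts or authorization decisions on `sub` can run this kind of comparison in integration tests to catch the two endpoints disagreeing before it maps one user to two identities.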

By Aliaksandr Samuseu staff 12 Mar 2018 at 12:04 p.m. CDT

Thank you for reporting this, Dominique. I'll try to reproduce it, then will reach out to the dev team if it's confirmed.

By Mohib Zico staff 21 Mar 2018 at 5:40 a.m. CDT

Alex,

Please feel free to open a GitHub issue if required and please don't forget to let Dominique know the link. We will keep tracking that GitHub issue.

By Aliaksandr Samuseu staff 22 Mar 2018 at 9:37 p.m. CDT

Hi, Dominique and Zico. I've created a bug report [here](https://github.com/GluuFederation/oxAuth/issues/770). You can monitor its status there.