By: Dominique Petitpierre user 23 May 2017 at 6:32 p.m. CDT

4 Responses
Hello,

In order to change the value returned in the "sub" claim, the configuration parameter openidSubAttribute was changed (using the administration GUI, Configuration > JSON Configuration > OxAuth Configuration), cf. [https://support.gluu.org/integrations/2014/id_token-doesnt-contain-sub-field/#at5000](https://support.gluu.org/integrations/2014/id_token-doesnt-contain-sub-field/#at5000). The value of the parameter is correctly updated:

```
/opt/symas/bin/ldapsearch -LLL -x -H ldaps://localhost:1636 -D "cn=Directory Manager,o=gluu" -y /tmp/p -b 'ou=configuration,inum=@!4B57.EBDB.CFE7.33C6!0002!B5AC.A8AC,ou=appliances,o=gluu' -s sub -tt 'oxAuthConfDynamic=*' oxAuthConfDynamic
dn: ou=oxauth,ou=configuration,inum=@!4B57.EBDB.CFE7.33C6!0002!B5AC.A8AC,ou=ap
 pliances,o=gluu
oxAuthConfDynamic:< file:///tmp/ldapsearch-oxAuthConfDynamic-MxXpHi

% aeson-pretty </tmp/ldapsearch-oxAuthConfDynamic-MxXpHi | grep openidSubAttribute
    "openidSubAttribute": "sn",
```

But even after restarting solserver and oxauth, the value returned in "sub" is still the default one, e.g.:

```
{"sub":"E-narVHy_crXEsILFGBuoUCRWSEx6SvE2L3PSGfEwic","updated_at":"20170520021138.823Z","name":"Dominique Petitpierre","given_name":"DOMINIQUE","family_name":"PETITPIERRE"}
```

I tried with a few source values like "uid" and "sn" but without success: the value of sub does not change.

- What am I missing?
- Is there somewhere a cache to flush?

In the default case where openidSubAttribute=inum, the value returned is not in the expected format (e.g. "@!4B57.EBDB.CFE7.33C6!0001!7959.6F19!0000!524B.31AA"):

- Is "E-narVHy_crXEsILFGBuoUCRWSEx6SvE2L3PSGfEwic" a transformation of that inum or something else altogether?

Thanks in advance for your help!

By Aliaksandr Samuseu staff 23 May 2017 at 7:48 p.m. CDT

Hi, Dominique. Please check what is selected for the "Subject Type" property in the corresponding OIDC client's registration metadata in the web UI. My guess is that it's "pairwise", which will generate a unique `sub` value for each client according to [this part of the spec](http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes). You should first try changing this value to "public", then re-try your flows.

By Dominique Petitpierre user 23 May 2017 at 9:03 p.m. CDT

Thanks for your answer! That was the problem: with the client "Subject Type" = "public", the "sub" claim now contains the value of the attribute specified by the openidSubAttribute configuration parameter. No need to restart ldap or oxauth after changing openidSubAttribute. Great!

I noticed that if the attribute is multi-valued, then sub does not appear in the list of claims. I guess that's to be expected.

Thanks again!

By Aliaksandr Samuseu staff 24 May 2017 at 10:13 a.m. CDT

> I noticed that if the attribute is multi-valued then sub does not appear in the list of claims. I guess that's to be expected.

Not sure whether it's intended or not. Reassigning to the responsible member of the dev team to give a judgement.

By Aliaksandr Samuseu staff 24 May 2017 at 5:09 p.m. CDT

Hi, Dominique. Per Javier's words, it isn't an issue: it turns out we don't support multi-valued attributes as the source for the `sub` claim. Closing the ticket, as the original issue is resolved. Feel free to open a new one in case of further questions.
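The two behaviours settled in this thread (a "pairwise" subject type ignoring openidSubAttribute, and a multi-valued source attribute dropping `sub` entirely under "public") are illustrated below in a small Python model. This is an added example written for this page, not Gluu/oxAuth code: the pairwise recipe follows the shape OpenID Connect Core 8.1 allows (hash of sector identifier, local account id and server salt), but SHA-256, unpadded base64url, the "|" separator and the use of `inum` as the local id are assumptions, and the sample directory entry is constructed.

```python
import base64
import hashlib
from typing import Optional

# Constructed sample directory entry (not real data). Attribute names follow
# the ones discussed in the thread (inum, uid, sn); "mail" is deliberately
# multi-valued to exercise the edge case from the last two posts.
SAMPLE_USER = {
    "inum": "@!0000.0000.0000.0000!0001!0000.0000!0000!0000.0000",
    "uid": "dpetitpierre",
    "sn": "Petitpierre",
    "mail": ["dominique@example.org", "d.petitpierre@example.org"],
}


def pairwise_sub(sector_identifier: str, local_account_id: str, salt: bytes) -> str:
    """Pairwise subject identifier in the style of OIDC Core 8.1: a hash over
    the client's sector identifier, the user's stable local id and a server-side
    secret. SHA-256, the "|" separator and unpadded base64url are assumptions
    of this example; the page does not say which recipe Gluu uses."""
    material = sector_identifier.encode() + b"|" + local_account_id.encode() + b"|" + salt
    digest = hashlib.sha256(material).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def derive_sub(user: dict, subject_type: str, openid_sub_attribute: str,
               sector_identifier: str, salt: bytes) -> Optional[str]:
    """Return the `sub` value for one client, or None if the claim must be omitted.

    pairwise: per-client hash of the user's inum; openid_sub_attribute is never
              consulted, which is why changing it looked like a no-op in the
              original question.
    public:   the single value of openid_sub_attribute; a missing or
              multi-valued attribute yields no `sub` at all.
    """
    if subject_type == "pairwise":
        return pairwise_sub(sector_identifier, user["inum"], salt)
    if subject_type != "public":
        raise ValueError(f"unsupported subject_type: {subject_type!r}")
    value = user.get(openid_sub_attribute)
    if value is None or isinstance(value, (list, tuple, set)):
        # No single value to emit: drop the claim rather than guess one.
        return None
    return str(value)


def userinfo_response(user: dict, subject_type: str, openid_sub_attribute: str,
                      sector_identifier: str, salt: bytes) -> dict:
    """Build a minimal UserInfo-style claim set; `sub` is added only when derivable."""
    claims = {"family_name": user["sn"]}
    sub = derive_sub(user, subject_type, openid_sub_attribute, sector_identifier, salt)
    if sub is not None:
        claims["sub"] = sub
    return claims


if __name__ == "__main__":
    salt = b"server-side-secret"  # constructed; a real OP keeps this private
    for subject_type in ("pairwise", "public"):
        for attr in ("uid", "sn", "mail"):
            print(subject_type, attr,
                  userinfo_response(SAMPLE_USER, subject_type, attr, "rp-a.example.com", salt))
```

Running it shows the symptom from the question: under "pairwise" every openidSubAttribute value produces the same opaque 43-character base64url string for a given client (and a different one for another client's sector identifier), while under "public" the claim tracks the configured attribute and disappears for the multi-valued `mail`.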