By: D S user 12 Sep 2016 at 8:56 a.m. CDT

7 Responses
Do the claim attributes need to be set as 'Usage Type: OpenID' in order to be retrieved when requesting from userinfo endpoint or can they be set as 'Not defined' and they will still be able to be retrieved? Additionally, does the view type of the attribute need to be set in order to be retrieved from userinfo endpoint?

By Michael Schwartz Account Admin 12 Sep 2016 at 11:48 a.m. CDT

1. Yes, the attributes must be active.
2. Yes, the scope needs to be type openid. Also, you must explicitly release this scope to the client in question (or make it a default scope available to any dynamically registered client).

By D S user 12 Sep 2016 at 12:19 p.m. CDT

The attributes within the claim, attributes can be set as 'not defined' - is this okay, or if they are within a claim do they need to be set as 'OpenID' (asking if the attributes within a claim need to have 'openid' set or if they're okay not being defined)? Your answer wasn't particularly clear so apologies for asking again. Does the 'view type' of attributes within a claim need to be set? (e.g. do I need to state that the view type is User, in order for user info endpoint to return claim information)? I have attached the scope to a client that I have created in OpenID - Is this sufficient?

By Aliaksandr Samuseu staff 12 Sep 2016 at 12:36 p.m. CDT

Hi, D S.

> is this okay, or if they are within a claim do they need to be set as 'OpenID' (asking if the attributes within a claim need to have 'openid' set or if they're okay not being defined)?

That's correct, all attributes you wish to release as OpenID claim must be set as "OpenID" using this web UI control.

> Does the 'view type' of attributes within a claim need to be set?

No, it controls visibility and write permissions for attributes displayed on user's profile page in web UI. It shouldn't affect OIDC flows.

> I have attached the scope to a client that I have created in OpenID - Is this sufficient?

You set attribute's Usage Type as "OpenID", give it some valid claim name in "oxAuth claim name", then add it to some scope, and permit this scope to be released in your client's registration. You also need to properly configure your client's registration properties to match OIDC flows you'll be using.

By D S user 13 Sep 2016 at 1:54 a.m. CDT

Thanks for confirming that all attributes within a claim need to be set to 'openID' and not left as 'not defined'. When creating a scope (which will be attached to a client), should the scopetype be set as OpenID also? As on the GLUU docs it's just left as default? When you say, 'permit this scope to be released in your clients registration', I have added the scope to the Client (created the client in GLUU OpenID Client section) - is this sufficient enough? You also need to properly configure your client's registration properties to match OIDC flows you'll be using. < How do we do this?

By Aliaksandr Samuseu staff 13 Sep 2016 at 5:48 a.m. CDT

> When you say, 'permit this scope to be released in your clients registration', I have added the scope to the Client (created the client in GLUU OpenID Client section) - is this sufficient enough?

Yes.

> How do we do this?

You will have to read all related specifications and other information on how different OIDC flows operate that is available over the Internet, as well as Gluu's [own documentation](https://www.gluu.org/docs/). If you have some specific questions those sources won't be able to answer, you can always ask them here. We also have a variety of support subscription plans you may be interested in if you would like more involvement from our side.

Here are some links which were provided here before:

- [OpenID Connect Specs](http://openid.net/connect)
- [Basic Client Implementers Guide](http://openid.net/specs/openid-connect-basic-1_0.html)
- [Slides from Microsoft](http://wiki.openid.net/w/file/fetch/80030063/OpenID_Connect_Overview_May_5_2014.pdf)
- [Great overview from Travis Spencer](http://gluu.co/connect-deep-dive)
- [Short overview on OAuth2 v. OpenID Connect](http://gluu.co/oauth2-v-openid-connect)
- [New Standards Emerging for HoK Tokens](http://gluu.co/hok-standards)
- [Minimalist blog from Nat Sakimura](http://nat.sakimura.org/2012/03/31/openid-connect-stripped-down-to-just-authentication)
- [OpenID Connect Audiences](http://www.gluu.co/know-your-audience)

By Aliaksandr Samuseu staff 13 Sep 2016 at 5:49 a.m. CDT

> should the scopetype be set as OpenID also? As on the GLUU docs it's just left as default?

"Default" or "OpenID" is ok

By Michael Schwartz Account Admin 13 Sep 2016 at 5:54 a.m. CDT

The client must always request openid scope. It's required by the spec. It's enabled as a default scope in the Gluu Server CE install.