By: Thomas W. user 19 Nov 2018 at 8:45 a.m. CST

3 Responses
Hello. I am experiencing some issues with returning the address in the standard OpenID Connect claim, ``address``, in the id_token.

# The problem

I have enabled returning claims in the ``id_token`` by enabling the setting ``Configuration -> JSON Configuration -> oxAuth Configuration -> legacyIdTokenClaims``. However, the address attributes are not returned under the claim ``address`` when using the id_token. They are instead returned under their respective attributes, i.e. ``street_address``, ``postal_code`` and so on. They are, however, correctly returned by the ``oxauth/restv1/userinfo`` endpoint.

The OpenID Connect client that I am using for this is set up as follows:

```
Persist Client Authorizations: False
Pre-Authorization: True
Application Type: Web
Subject Type: pairwise
Include Claims In Id Token: True
Logout Session Required: False
Grant Types: implicit
Scopes: address, email, openid, profile
Response Types: token, id_token
```

The ``address`` scope is the default scope provided by Gluu.

# Example

The difference between id_token claims and the ``oxauth/restv1/userinfo`` response is illustrated below.

## /oxauth/restv1/userinfo

Requesting the endpoint

```
POST /oxauth/restv1/userinfo
Authorization: Bearer <some_token>
```

returns the following:

```
{
  "address": {
    "street_address": "Some Street 1",
    "country": "DK",
    "locality": "Copenhagen",
    "postal_code": "0900"
  },
  "sub": "<sub>",
  "name": "Some Name",
  "email_verified": false,
  "email": "test@example.com"
}
```

In this case, the address is properly added under the sub-claim (if that is the right term), ``address``.

## id_token

Decoding the id_token returned for the same user above produces the following result:

```
{
  "iss": "<iss>",
  "aud": "<aud>",
  "exp": <exp>,
  "iat": <iat>,
  "nonce": "<nonce>",
  "auth_time": <auth_time>,
  "at_hash": "<hash>",
  "oxOpenIDConnectVersion": "openidconnect-1.0",
  "postal_code": "0900",
  "street_address": "Some Street 1",
  "locality": "Copenhagen",
  "country": "DK",
  "address": {},
  "name": "Some Name",
  "email": "test@example.com",
  "sub": "<sub>"
}
```

As can be seen, the address parts are added directly to the JWT as claims, instead of under the ``address`` claim. I notice that the id_token contains a blank/empty ``address`` claim, which is where I guess the claims should be.

Is it possible that I am missing some setting? I have not been able to find any other information than the fact that the ``legacyIdTokenClaims`` setting should be enabled to return claims in the id_token.
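The two layouts described in the post above can be told apart mechanically on the relying-party side. The following is an added example, not code from the thread or from Gluu/oxAuth: it decodes the payload of a compact JWS, classifies the ``address`` claim as spec-conformant (a non-empty JSON object, as in the userinfo response), flattened (members at the top level next to an empty ``address``, as in the id_token), or absent, and reassembles the flattened members so a client can still consume them. The sample id_token is constructed from the values posted above with dummy ``iss``/``aud``/``nonce`` values and a placeholder third segment; ``decode_jwt_payload`` deliberately does not verify the signature, so it must only be applied to a token whose signature, issuer, audience, expiry and nonce have already been validated.

```python
import base64
import json

# The address sub-claims defined in OpenID Connect Core 1.0, section 5.1.1.
ADDRESS_MEMBERS = (
    "formatted", "street_address", "locality", "region", "postal_code", "country",
)


def _b64url(data: bytes) -> str:
    """base64url without padding, as used in compact JWS serialisation."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_sample_token(payload: dict) -> str:
    """Build a constructed, UNSIGNED id_token for demonstration only.

    The third segment is a placeholder, not a real signature; this helper
    exists so the example runs offline without contacting an OP.
    """
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    return f"{header}.{body}.{_b64url(b'placeholder-signature')}"


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWS WITHOUT verifying its signature.

    Call this only on a token whose signature, issuer, audience, expiry and
    nonce have already been verified; it is for inspecting claim layout,
    not for authenticating the token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_address_claim(claims: dict) -> dict:
    """Classify how address data is laid out in a claim set.

    Returns {"layout": L, "address": A} with L one of:
      "nested"    - spec-conformant: 'address' is a non-empty JSON object
      "flattened" - members sit at the top level (the id_token shape in the thread)
      "absent"    - no address information present
    A is the address as a dict (reassembled when flattened) or None.
    """
    nested = claims.get("address")
    if isinstance(nested, dict) and nested:
        return {"layout": "nested", "address": dict(nested)}
    flat = {k: claims[k] for k in ADDRESS_MEMBERS if k in claims}
    if flat:
        return {"layout": "flattened", "address": flat}
    return {"layout": "absent", "address": None}


# Constructed samples mirroring the two responses posted above.
USERINFO_SAMPLE = {
    "address": {"street_address": "Some Street 1", "country": "DK",
                "locality": "Copenhagen", "postal_code": "0900"},
    "sub": "<sub>", "name": "Some Name",
    "email_verified": False, "email": "test@example.com",
}

ID_TOKEN_CLAIMS = {
    # iss/aud/exp/iat/nonce/auth_time/at_hash are dummy values for the example
    "iss": "https://op.example", "aud": "client-id", "exp": 0, "iat": 0,
    "nonce": "n", "auth_time": 0, "at_hash": "h",
    "oxOpenIDConnectVersion": "openidconnect-1.0",
    "postal_code": "0900", "street_address": "Some Street 1",
    "locality": "Copenhagen", "country": "DK",
    "address": {},  # empty object, exactly as in the decoded id_token above
    "name": "Some Name", "email": "test@example.com", "sub": "<sub>",
}
ID_TOKEN_SAMPLE = make_sample_token(ID_TOKEN_CLAIMS)

if __name__ == "__main__":
    print(check_address_claim(USERINFO_SAMPLE))
    print(check_address_claim(decode_jwt_payload(ID_TOKEN_SAMPLE)))
```

A client that wants to fail closed rather than tolerate the flattened shape can treat any result other than ``"nested"`` as an error; the reassembly is there so that a relying party can keep working against an OP that exhibits the behaviour in this thread while still logging that the layout is non-conformant.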

By Michael Schwartz Account Admin 19 Nov 2018 at 8:56 a.m. CST

That's interesting. I actually think the Userinfo response is wrong. I would think the claims should be the key values. I'll ask one of the developers to comment.

By Thomas W. user 19 Nov 2018 at 9:21 a.m. CST

Thanks for the response, Michael. As a quick note, according to the [OpenID Connect specification](https://openid.net/specs/openid-connect-core-1_0.html#AddressClaim), the way it is presented in the ``/userinfo`` response looks like the correct way, to me. Looking forward to hearing more from you.

By Michael Schwartz Account Admin 20 Nov 2018 at 4:24 p.m. CST

Please track [oxauth-950](https://github.com/GluuFederation/oxAuth/issues/950) for future updates on this.