Attributes within an OpenID Client token

By: A B user 07 Sep 2016 at 5:51 a.m. CDT

10 Responses
A B gravatar
Created a claim (with several customized attributes), attached it to a scope. Where are the attributes from that claim/scope kept in the token? Where can I find them?
Rhel67
closed

Answers

By Aliaksandr Samuseu staff 07 Sep 2016 at 6:25 a.m. CDT

Copy
Aliaksandr Samuseu gravatar
Hi. They should be either within token, or they may be requested from userinfo endpoint, according to standard flows described in [OpenID core spec](http://openid.net/specs/openid-connect-core-1_0.html). Please check this doc whenever your are in doubt, Gluu tries to follow it to the letter.

By A B user 07 Sep 2016 at 6:31 a.m. CDT

Copy
A B gravatar
Hi, How do I see the token?

By Aliaksandr Samuseu staff 07 Sep 2016 at 6:34 a.m. CDT

Copy
Aliaksandr Samuseu gravatar
id token will be passed back to RP in url. So if you don't control RP, you could just grab it from there. Then you can use [this tool](https://jwt.io/) to decode it.

By A B user 07 Sep 2016 at 6:36 a.m. CDT

Copy
A B gravatar
Are claim attributes within a scope meant to be part of the OpenID_Token? Are they meant to be displayed because they aren't?

By Aliaksandr Samuseu staff 07 Sep 2016 at 6:41 a.m. CDT

Copy
Aliaksandr Samuseu gravatar
Sorry, must correct myself: this will only happen for implicit and some of hybrid flows. In authz code flow id_token is requested by client (RP) from token endpoint. To see it, unless you control RP, you must capture HTTP traffic going into/out your Gluu instance.

By Aliaksandr Samuseu staff 07 Sep 2016 at 6:47 a.m. CDT

Copy
Aliaksandr Samuseu gravatar
>Are claim attributes within a scope meant to be part of the OpenID_Token? Are they meant to be displayed because they aren't? Unless spec says they must be in it, you shouldn't rely on that. Until you still can request them from userinfo endpoint everything is working as expected.

By Aliaksandr Samuseu staff 07 Sep 2016 at 6:54 a.m. CDT

Copy
Aliaksandr Samuseu gravatar
Please check [this section](http://openid.net/specs/openid-connect-core-1_0.html#IDToken). Everything marked as "required" must be in it. Everything else is not guaranteed to be.

By A B user 07 Sep 2016 at 8:22 a.m. CDT

Copy
A B gravatar
Do you have sample code for requesting attributes from userinfo endpoint please?

By Aliaksandr Samuseu staff 12 Sep 2016 at 8:03 a.m. CDT

Copy
Aliaksandr Samuseu gravatar
Please check [this ticket](https://support.gluu.org/identity-management/token-3213/#at14655) for answers to the last question.

By Sahil Arora user 12 Sep 2016 at 8:08 a.m. CDT

Copy
Sahil Arora gravatar
There is good test in oxauth-client to show how to do that: https://github.com/GluuFederation/oxAuth/blob/master/Client/src/test/java/org/xdi/oxauth/ws/rs/UserInfoRestWebServiceHttpTest.java Please take a look on various methods per your requirement

Post an answer