Hydra: oauth2: Custom claims param in /oauth2/auth is ignored

Created on 4 Sep 2018  路  3Comments  路  Source: ory/hydra

Do you want to request a feature or report a bug?
Feature

What is the current behavior?
Hydra doesn't handle custom claims param in /oauth2/auth request. All additional custom claims are present in ID Token by default. Claims param is ignored.

If the current behavior is a bug, please provide the steps to reproduce and if possible a minimal demo of the problem.
Regarding to specification I distinguished 3 cases:
customClaimOfCase1: present in auth request and consent - should be present in ID Token
customClaimOfCase2: present in auth request but not in consent - shouldn't be present in ID Token
customClaimOfCase3: present in consent request but not in auth - shouldn't be present in ID Token

Steps to reproduce:

  1. Follow the 5 minute tutorial, setup hydra.
  2. Add auth-code-client client:
docker exec -it hydra_hydra_1 \
 hydra clients create \
 --endpoint http://localhost:4445 \
 --id auth-code-client \
 --secret secret \
 --grant-types authorization_code,refresh_token \
 --response-types code,id_token \
 --scope openid,offline \
 --callbacks http://127.0.0.1:5555/callback
  1. Setup home route:
docker exec -it hydra_hydra_1 \
 hydra token user \
 --client-id auth-code-client \
 --client-secret secret \
 --endpoint http://localhost:4444/ \
 --port 5555 \
 --scope openid,offline
  1. Open http://127.0.0.1:5555/ in your browser.
  2. Copy url of Authorize application link.
  3. Send GET request based on previous url, remember to add custom claims param on the end of url:
    &claims=%7B%22id_token%22%3A%20%7B%22customClaimOfCase1%22%3A%20null%2C%20%22customClaimOfCase2%22%3A%20null%7D%7D
    so it should look like below:
    http://localhost:4444/oauth2/auth?client_id=auth-code-client&redirect_uri=http%3A%2F%2F127.0.0.1%3A5555%2Fcallback&response_type=code&scope=openid+offline&state=rwscisrcsauiriwepgsfswmo&nonce=ggxjvxgidejnstqsfsvpfogz&prompt=&max_age=0&claims=%7B%22id_token%22%3A%20%7B%22customClaimOfCase1%22%3A%20null%2C%20%22customClaimOfCase2%22%3A%20null%7D%7D
  4. Copy challenge value from response and perform new PUT request:
    http://localhost:4445/oauth2/auth/requests/login/{{challenge}}/accept
    that contains:
{
    "acr": "0",
    "remember": false,
    "remember_for": 0,
    "subject": "[email protected]",
    "force_subject_identifier": "[email protected]"
}
  1. Enter the url that you got as response.
  2. Copy new challenge from response and prepare new PUT request:
    http://localhost:4445/oauth2/auth/requests/consent/{{challenge}}/accept
    that contains:
{
    "grant_scope": ["login","offline","openid"],
    "remember": false,
    "remember_for": 0,
    "session": {
        "access_token": {
            "euid": "123",
            "jti": "69219f38-af68-11e8-96f8-529269fb1459"
        },
        "id_token": {
            "customClaimOfCase1": "shouldBeReturned",
            "customClaimOfCase3": "shouldntBeReturned"
        }
    }
}
  1. Enter the redirect_to URL that you got in response, you should recieve encoded ID Token. After decoding it on https://jwt.io/ you will get something like:
{
    "aud": [
        "auth-code-client"
    ],
    "auth_time": 1535977708,
    "customClaimOfCase1": "shouldBeReturned",
    "customClaimOfCase3": "shouldntBeReturned",
    "exp": 1535981342,
    "iat": 1535977742,
    "iss": "http://localhost:4444/",
    "jti": "b8fe8754-4017-4a6d-a788-c92d358156ae",
    "nonce": "ggxjvxgidejnstqsfsvpfogz",
    "rat": 1535977681,
    "sub": "[email protected]"
}

Expected result:

{
    "aud": [
        "auth-code-client"
    ],
    "auth_time": 1535977708,
    "customClaimOfCase1": "shouldBeReturned",
    "exp": 1535981342,
    "iat": 1535977742,
    "iss": "http://localhost:4444/",
    "jti": "b8fe8754-4017-4a6d-a788-c92d358156ae",
    "nonce": "ggxjvxgidejnstqsfsvpfogz",
    "rat": 1535977681,
    "sub": "[email protected]"
}

What is the expected behavior?
Hydra should handle claims param in /oauth2/auth request and then create ID Token that contains custom claims only those that were requested.

Which version of the software is affected?
v1.0.0-beta.8

feat help wanted packagconsent packagoauth2 packagoidc

All 3 comments

Thank you for the detailed explanation. This is indeed not supported at the moment but should be possible to be added without adding complexity in the consent flow.

The claims request information is passed in the claims request parameter and is available in the consent information returned by https://www.ory.sh/hydra/docs/reference/api/#get-consent-request-information this would allow an idp to parse it and only give the information that is allowed by the user in the AcceptConsentRequest body. Filtering the responses (ID Token and UserInfo endpoint) on the Hydra side would be nice though.

I added claim request support to my IdP PoC at https://git.dittberner.info/jan/hydra_oidc_poc. The resource application requests a claim in a getRequestedClaims function and the consent handler of the IDP part handles the check for requested vs. granted claims in its fillTokenData function. I implemented some helper functions for building the expected JSON structure in a separate package. Feedback is welcome :slightly_smiling_face:

Was this page helpful?
0 / 5 - 0 ratings

Related issues

safurabahrami picture safurabahrami  路  3Comments

drozzy picture drozzy  路  8Comments

aeneasr picture aeneasr  路  3Comments

lpotherat picture lpotherat  路  7Comments

audioXD picture audioXD  路  8Comments