Authorize endpoint may unnecessarily include claims in id_token in hybrid OIDC flow

Description

The *AddAttributesToClaimsSet* bean for the oidc/authorize flow is activated whenever the requested response_type values contain *id_token*. The bean itself sets its internal *addToIDTokenByDefault* variable to true if the requested response_type values did not contain *token*. This means it is set to *true* when response_type contains both *id_token* and *code* (but not *token*), i.e. in the hybrid flow.

That is a bug: per OpenID Connect Core section 5.4, 'The Claims requested by the profile, email, address, and phone scope values are returned from the UserInfo Endpoint', except when response_type=id_token, where they are returned in the ID Token (as no access token is issued that could be used to access the UserInfo endpoint).

The *addToIDTokenByDefault* variable should only be set to true when response_type=id_token, and in no other case.
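As an added example (not the plugin's own code), the following models the rule the report describes beside its correction and shows which scope-derived claims would land in the ID Token under each; the bean and variable names come from the report, the scope-to-claim sets from OIDC Core section 5.4, and the function names are assumed for illustration:

```python
"""Added example, not the OIDC plugin's own code: models the decision the
AddAttributesToClaimsSet bean makes about addToIDTokenByDefault, showing the
buggy rule from the report beside the corrected one."""

from typing import Callable, FrozenSet

# Claims each scope requests, per OpenID Connect Core 1.0 section 5.4.
SCOPE_CLAIMS = {
    "profile": frozenset({"name", "family_name", "given_name", "middle_name",
                          "nickname", "preferred_username", "profile", "picture",
                          "website", "gender", "birthdate", "zoneinfo", "locale",
                          "updated_at"}),
    "email": frozenset({"email", "email_verified"}),
    "address": frozenset({"address"}),
    "phone": frozenset({"phone_number", "phone_number_verified"}),
}


def parse_response_type(value: str) -> FrozenSet[str]:
    """response_type is a space-separated, order-insensitive set of values."""
    return frozenset(value.split())


def add_to_id_token_buggy(response_type: str) -> bool:
    """Rule described in the report: the bean activates when id_token is
    requested, then flags the ID Token whenever 'token' is absent, which
    wrongly includes the 'code id_token' hybrid flow."""
    rt = parse_response_type(response_type)
    return "id_token" in rt and "token" not in rt


def add_to_id_token_fixed(response_type: str) -> bool:
    """Corrected rule: only the pure implicit flow response_type=id_token
    issues no access token, so only then do scope claims belong in the ID Token."""
    return parse_response_type(response_type) == frozenset({"id_token"})


def id_token_scope_claims(response_type: str, scope: str,
                          rule: Callable[[str], bool]) -> FrozenSet[str]:
    """Scope-derived claims that would be placed in the ID Token under `rule`;
    when the rule says no, they stay with the UserInfo endpoint."""
    if not rule(response_type):
        return frozenset()
    claims: FrozenSet[str] = frozenset()
    for s in scope.split():  # 'openid' itself maps to no claims here
        claims |= SCOPE_CLAIMS.get(s, frozenset())
    return claims
```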

Environment

None

Activity

Henri Mikkonen May 21, 2021 at 11:42 AM

addToIDTokenByDefault is now set to true only when response_type=id_token (i.e. implicit flow without an access token being issued).

Fixed

Details

Created May 21, 2021 at 11:38 AM
Updated February 1, 2022 at 3:24 PM
Resolved May 21, 2021 at 11:42 AM