beta oidc extension

Jim Fox fox at washington.edu
Fri Nov 16 16:25:53 EST 2018


>
> I know the error itself has to do with the client-side storage code (I just happen to recognize it as mine), which definitely can't be used for this lookup. I think they implemented "mostly" workable support for doing crypto authz codes that shouldn't require stateful storage but that might not be a default, so perhaps check the docs for any discussion of that, or try looking for a way to point it at in-memory storage for the codes for testing for now.
>

I forgot that the default is cookie sessions.  When I switched to memory 
it worked better.  (Although now I get the exception on consent record lookup, but that's a separate issue.)

Regarding attribute filtering:

If I set this

     <AttributeFilterPolicy id="OPENID_SCOPE_EMAIL">
         <PolicyRequirementRule xsi:type="oidcext:OIDCScope" value="email" />
         <AttributeRule attributeID="email">
             <PermitValueRule xsi:type="ANY" />
         </AttributeRule>
     </AttributeFilterPolicy>

I see email being released on the initial login (shows in the audit log); however, when the SP hits the userinfo endpoint email is not released. 
To get email released at userinfo I also need this filter policy:

     <AttributeFilterPolicy id="OPENID_urizen">
         <PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="urizen"/>
         <AttributeRule attributeID="email">
             <PermitValueRule xsi:type="ANY" />
         </AttributeRule>
     </AttributeFilterPolicy>

So at userinfo it seems that filtering is on the SP's entityID, while at the user's login it is on the scopes.

Don't know if that's how it's supposed to go.

Jim
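One way to cover both flows in a single filter policy, added here as an example that is not from Jim's post or from the OIDC extension's own documentation: it permits `email` when either the OIDC `email` scope was requested (the initial login) or the requester is the relying party `urizen` (what the userinfo call appeared to filter on). It assumes the IdP v3 `OR` policy rule with child `Rule` elements, the `Requester` rule type, and that `oidcext:OIDCScope` is accepted as a child `Rule`; `email` and `urizen` are the values from the post, and the `oidcext` namespace must already be declared on the root element as the extension requires.

```xml
<!-- Added example (not from the original post). One policy that releases the
     "email" attribute when EITHER the OIDC "email" scope was requested
     (the authorization request) OR the requester is the RP "urizen"
     (the userinfo endpoint appeared to filter on the requester's entityID).
     Assumptions: IdP v3 "OR"/"Rule" policy syntax, the "Requester" rule type,
     and that oidcext:OIDCScope works as a child Rule. The oidcext namespace
     must be declared on the AttributeFilterPolicyGroup root element. -->
<AttributeFilterPolicy id="OPENID_SCOPE_EMAIL_OR_urizen">
    <PolicyRequirementRule xsi:type="OR">
        <!-- True on the initial login when the RP asked for scope=email -->
        <Rule xsi:type="oidcext:OIDCScope" value="email" />
        <!-- True whenever the requester is urizen, including at userinfo -->
        <Rule xsi:type="Requester" value="urizen" />
    </PolicyRequirementRule>
    <AttributeRule attributeID="email">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
</AttributeFilterPolicy>
```

Note the trade-off: the `Requester` branch releases `email` to `urizen` even if that RP did not request the `email` scope, so this is broader than a pure scope-based policy. After changing the policy, confirm in the IdP audit log that `email` appears for both the login and the userinfo request, and that it is not released to other requesters.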
