OIDC 2.0 config issue

Mohamed Lrhazi lrhazi at cua.edu
Fri Aug 20 02:38:02 UTC 2021


Hello,

I am using Shibboleth 4.0.1 and OIDC 2.0.0.

I have an RP configured and working fine, releasing many attributes. I
needed to add an extra attribute but it would not work. While debugging, I
tried to completely break it by messing up AttributeFilterPolicy as follows:


<AttributeFilterPolicy id="example.com">
    <PolicyRequirementRule xsi:type="AND">
        <Rule xsi:type="Requester" value="xexample.com" />
        <Rule xsi:type="oidcext:OIDCScope" value="xopenid" />
    </PolicyRequirementRule>
    <AttributeRule attributeID="subject">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="rokmetro_EMPLID">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    ...

I added an "x" to cause it to not match anymore... but the clients still
succeed in getting all the attributes as before! In the log I do see lines
like this for all attributes:

DEBUG [net.shibboleth.idp.attribute.filter.impl.AttributeFilterImpl:165] - Attribute filtering engine 'ShibbolethAttributeFilter': no policy permitted release of attribute rokmetro_EMPLID values
...


Why are attributes released despite these changes?

Thanks,
Mohamed.
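As an added illustration (not Shibboleth's own code and not part of the post above), a toy evaluator of the AttributeFilterPolicy semantics the snippet uses: with the "x" prefixes, the AND requirement rule fails for requester `example.com` and scope `openid`, so no policy permits either attribute, which is exactly what the DEBUG line reports. Namespaces are trimmed and only the rule types appearing in the snippet are modelled; the request context (`requester`, `scopes`) is a constructed stand-in for the IdP's real filter context.

```python
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed from the (deliberately broken) snippet in the post, closed off
# so it parses; the "x" prefixes are the ones the poster added.
BROKEN_POLICY = """<AttributeFilterPolicyGroup xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <AttributeFilterPolicy id="example.com">
    <PolicyRequirementRule xsi:type="AND">
      <Rule xsi:type="Requester" value="xexample.com" />
      <Rule xsi:type="oidcext:OIDCScope" value="xopenid" />
    </PolicyRequirementRule>
    <AttributeRule attributeID="subject">
      <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="rokmetro_EMPLID">
      <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>
"""

def rule_matches(rule, ctx):
    """Evaluate one rule against a request context (requester id, granted scopes)."""
    kind = rule.get(XSI_TYPE)
    if kind == "AND":
        return all(rule_matches(child, ctx) for child in rule)
    if kind == "ANY":
        return True
    if kind == "Requester":          # exact match on the relying party id
        return ctx["requester"] == rule.get("value")
    if kind == "oidcext:OIDCScope":  # scope must be among those granted
        return rule.get("value") in ctx["scopes"]
    raise ValueError(f"rule type not modelled here: {kind}")

def permitted_attributes(policy_xml, ctx):
    """Return the attribute IDs that at least one policy permits for this request."""
    permitted = set()
    for policy in ET.fromstring(policy_xml).iter("AttributeFilterPolicy"):
        if not rule_matches(policy.find("PolicyRequirementRule"), ctx):
            continue  # requirement rule failed: this policy releases nothing
        for attr_rule in policy.findall("AttributeRule"):
            if rule_matches(attr_rule.find("PermitValueRule"), ctx):
                permitted.add(attr_rule.get("attributeID"))
    return permitted

def denial_log_lines(resolved, permitted):
    """Mimic the filter engine's DEBUG message for each attribute no policy permitted."""
    return [f"no policy permitted release of attribute {a} values"
            for a in sorted(set(resolved) - permitted)]
```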