OIDC 2.0 config issue
Mohamed Lrhazi
lrhazi at cua.edu
Fri Aug 20 20:14:11 UTC 2021
Found out my test webapp was sending requests directly to the idp server
and getting load balanced to my production environment...
On Thu, Aug 19, 2021 at 10:38 PM Mohamed Lrhazi <lrhazi at cua.edu> wrote:
> Hello,
>
> I am using Shibboleth 4.0.1 and OIDC 2.0.0.
>
> I have an RP configured and working fine, releasing many attributes. I
> needed to add an extra attribute but it would not work. While debugging, I
> tried to completely break it by messing up AttributeFilterPolicy as follows:
>
>
> <AttributeFilterPolicy id="example.com">
>     <PolicyRequirementRule xsi:type="AND">
>         <Rule xsi:type="Requester" value="xexample.com" />
>         <Rule xsi:type="oidcext:OIDCScope" value="xopenid" />
>     </PolicyRequirementRule>
>     <AttributeRule attributeID="subject">
>         <PermitValueRule xsi:type="ANY" />
>     </AttributeRule>
>     <AttributeRule attributeID="rokmetro_EMPLID">
>         <PermitValueRule xsi:type="ANY" />
>     </AttributeRule>
> ...
>
> I added an "x" to cause it to not match anymore... but the clients still
> succeed in getting all the attributes as before! In the log I do see lines
> like this for all attributes:
>
> DEBUG [net.shibboleth.idp.attribute.filter.impl.AttributeFilterImpl:165] -
> Attribute filtering engine 'ShibbolethAttributeFilter': no policy
> permitted release of attribute rokmetro_EMPLID values
> ...
>
>
> Why are attributes released despite these changes?
>
> Thanks,
> Mohamed.
>
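A check for the situation the reply describes (a test RP that was actually talking to the production IdP), added here as an example and not code from the thread or from Shibboleth: it reads the IdP's OIDC discovery document and an ID token and reports any issuer or endpoint host that is not the expected test IdP. The hosts, paths and token below are constructed sample values, and the token decode skips signature verification on purpose, so it is a diagnostic only, not a replacement for the RP's normal token validation.

```python
import base64
import json
from urllib.parse import urlparse

# Constructed sample discovery document: a test IdP whose endpoints should
# all live on the test host. The token_endpoint deliberately points at a
# different (production-looking) host so the check has something to find.
TEST_ISSUER = "https://idp-test.example.edu"
DISCOVERY_DOC = json.dumps({
    "issuer": TEST_ISSUER,
    "authorization_endpoint": TEST_ISSUER + "/idp/profile/oidc/authorize",
    "token_endpoint": "https://idp.example.edu/idp/profile/oidc/token",
    "userinfo_endpoint": TEST_ISSUER + "/idp/profile/oidc/userinfo",
    "jwks_uri": TEST_ISSUER + "/idp/profile/oidc/keyset",
})

ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint",
                 "userinfo_endpoint", "jwks_uri")


def check_discovery(doc_json, expected_issuer):
    """Return a list of problems: an issuer mismatch, a missing endpoint,
    or any endpoint whose host differs from the expected issuer's host."""
    doc = json.loads(doc_json)
    expected_host = urlparse(expected_issuer).netloc
    problems = []
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer is {doc.get('issuer')!r}, expected {expected_issuer!r}")
    for key in ENDPOINT_KEYS:
        url = doc.get(key)
        if url is None:
            problems.append(f"{key} missing")
            continue
        host = urlparse(url).netloc
        if host != expected_host:
            problems.append(f"{key} points at {host}, expected {expected_host}")
    return problems


def id_token_issuer(id_token):
    """Decode the JWT payload (no signature check: diagnostic only) and
    return its 'iss' claim for comparison with the expected issuer."""
    payload_b64 = id_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload_b64)).get("iss")


def make_unsigned_token(claims):
    """Build a constructed, unsigned JWT-shaped string for the demo only."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64(claims)}."
```

Running `check_discovery(DISCOVERY_DOC, TEST_ISSUER)` on the sample above flags only the token endpoint; a real RP would fetch the document from the IdP it is configured against and compare the ID token's `iss` claim with `TEST_ISSUER` the same way.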