OIDC: placeToIDToken replacement in the latest version?
kwessel at illinois.edu
Thu Aug 26 02:00:44 UTC 2021
Correct, placeToIdToken and denyUserInfo are no longer allowed on attribute definitions. Instead, you set the attributes that should be included in the ID token or not allowed in userinfo in the properties in oidc.properties:
# "Always included" attributes are forced into ID tokens for all response_types
idp.oidc.alwaysIncludedAttributes = myDisplayName,email
# "Denied" attributes are omitted from the UserInfo token
idp.oidc.deniedUserInfoAttributes = some,other,attributes
By default, the only claims that will be placed in the ID token are the standard OIDC reserved claims, and by default every released claim will be allowed in the userinfo. So, you can get back the placeToIdToken behavior by adding the names of those attributes to the first property above.
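To check which released attributes would land in the ID token and in userinfo under these two properties, here is an added Python model of the routing described above; it is not the OIDC plugin's own code, and the reserved-claim set and the released attribute names are assumptions.

```python
# Added example: models the claim routing the reply describes (not the plugin's code).
from typing import Dict, List, Set, Tuple

# Standard OIDC reserved claims assumed to be present in every ID token regardless
# of properties (illustrative subset; the plugin's exact set is not on the page).
RESERVED_ID_TOKEN_CLAIMS = {"sub", "iss", "aud", "exp", "iat"}

# Constructed oidc.properties fragment, matching the two properties quoted above.
SAMPLE_PROPERTIES = """
# "Always included" attributes are forced into ID tokens for all response_types
idp.oidc.alwaysIncludedAttributes = myDisplayName,email
# "Denied" attributes are omitted from the UserInfo token
idp.oidc.deniedUserInfoAttributes = some,other,attributes
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java-style .properties parser: 'key = value', '#'/'!' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def csv_set(value: str) -> Set[str]:
    """Split a comma-separated property value into a set of attribute names."""
    return {v.strip() for v in value.split(",") if v.strip()}


def route_claims(props: Dict[str, str], released: Set[str]) -> Tuple[Set[str], Set[str], List[str]]:
    """Return (id_token_claims, userinfo_claims, attributes_not_targeted_for_id_token).

    Released attributes reach the ID token only if listed in alwaysIncludedAttributes;
    every released attribute reaches userinfo unless listed in deniedUserInfoAttributes.
    The third element mirrors the 'not targeted for ID Token' DEBUG lines in the log.
    """
    always = csv_set(props.get("idp.oidc.alwaysIncludedAttributes", ""))
    denied = csv_set(props.get("idp.oidc.deniedUserInfoAttributes", ""))
    id_token = set(RESERVED_ID_TOKEN_CLAIMS) | (released & always)
    userinfo = released - denied
    not_targeted = sorted(released - always)
    return id_token, userinfo, not_targeted


if __name__ == "__main__":
    released = {"myDisplayName", "email", "some"}  # constructed set of released attributes
    print(route_claims({}, released))                           # old behaviour lost: nothing targeted
    print(route_claims(parse_properties(SAMPLE_PROPERTIES), released))
```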
From: users <users-bounces at shibboleth.net> On Behalf Of Mohamed Lrhazi
Sent: Wednesday, August 25, 2021 7:56 PM
To: Shib Users <users at shibboleth.net>
Subject: OIDC: placeToIDToken replacement in the latest version?
I am trying to recreate an old working config in a new installation using the latest shib idp and OIDC plugin.
How do I add attributes to the response token? In the previous version I think I had to add the attribute to the attribute definition in attribute-resolve.xml. In the new version I am getting:
shib-idp;idp-process.log;dev;nothing;Caused by: org.xml.sax.SAXParseException: cvc-complex-type.3.2.2: Attribute 'placeToIDToken' is not allowed to appear in element 'AttributeEncoder'.
I also see this in the log:
- DEBUG [net.shibboleth.idp.plugin.oidc.op.profile.impl.AddAttributesToClaimsSet:388] - Profile Action AddAttributesToClaimsSet: Attribute myDisplayName not targeted for ID Token
- DEBUG [net.shibboleth.idp.plugin.oidc.op.profile.impl.AddAttributesToClaimsSet:388] - Profile Action AddAttributesToClaimsSet: Attribute email not targeted for ID Token
Thanks a lot,