OIDC: placeToIDToken replacement in the latest version?
Mohamed Lrhazi
lrhazi at cua.edu
Thu Aug 26 03:07:14 UTC 2021
Works as advertised. Thank you!
On Wed, Aug 25, 2021 at 10:00 PM Wessel, Keith <kwessel at illinois.edu> wrote:
> Correct, placeToIdToken and denyUserInfo are no longer allowed on
> attribute definitions. Instead, you set the attributes that should be
> included in the ID token or not allowed in userinfo in the properties in
> oidc.properties:
>
> # "Always included" attributes are forced into ID tokens for all response_types
> idp.oidc.alwaysIncludedAttributes = myDisplayName,email
> # "Denied" attributes are omitted from the UserInfo token
> idp.oidc.deniedUserInfoAttributes = some,other,attributes
>
> By default, the only claims that will be placed in the ID token are the
> standard OIDC reserved claims, and by default every released claim will be
> allowed in the userinfo. So, you can get back the placeToIdToken behavior
> by adding the names of those attributes to the first property above.
>
> Keith
>
> From: users <users-bounces at shibboleth.net> On Behalf Of Mohamed Lrhazi
> Sent: Wednesday, August 25, 2021 7:56 PM
> To: Shib Users <users at shibboleth.net>
> Subject: OIDC: placeToIDToken replacement in the latest version?
>
> Hello,
>
> I am trying to recreate an old working config in a new installation using
> the latest shib idp and OIDC plugin.
>
> How do I add attributes to the response token? In the previous version I
> think I had to add the attribute to the attribute definition in
> attribute-resolve.xml. In the new version I am getting:
>
> shib-idp;idp-process.log;dev;nothing;Caused by:
> org.xml.sax.SAXParseException: cvc-complex-type.3.2.2: Attribute
> 'placeToIDToken' is not allowed to appear in element 'AttributeEncoder'.
>
>
> I also see this in the log:
>
>
> - DEBUG
> [net.shibboleth.idp.plugin.oidc.op.profile.impl.AddAttributesToClaimsSet:388]
> - Profile Action AddAttributesToClaimsSet: Attribute myDisplayName not
> targeted for ID Token
> - DEBUG
> [net.shibboleth.idp.plugin.oidc.op.profile.impl.AddAttributesToClaimsSet:388]
> - Profile Action AddAttributesToClaimsSet: Attribute email not targeted for
> ID Token
>
>
> Thanks a lot,
> Mohamed.
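The migration described in this thread, as an added example that is not part of the original messages or the Shibboleth project's code: a Python check that finds `AttributeEncoder` elements still carrying the old `placeToIDToken` / `denyUserInfo` flags and prints the matching `oidc.properties` lines, so the set of attributes released in the ID token stays deliberate after the upgrade. The sample resolver XML is constructed, and it is an assumption that the properties list the `id` of the enclosing `AttributeDefinition`.

```python
import xml.etree.ElementTree as ET

# Legacy encoder flag (lower-cased) -> oidc.properties key named in the reply above.
LEGACY = {
    "placetoidtoken": "idp.oidc.alwaysIncludedAttributes",
    "denyuserinfo": "idp.oidc.deniedUserInfoAttributes",
}

# Constructed sample; xsi:type and other encoder settings are omitted.
SAMPLE = """<AttributeResolver xmlns="urn:mace:shibboleth:2.0:resolver">
  <AttributeDefinition id="myDisplayName">
    <AttributeEncoder name="name" placeToIDToken="true"/>
  </AttributeDefinition>
  <AttributeDefinition id="email">
    <AttributeEncoder name="email" placeToIdToken="true"/>
  </AttributeDefinition>
  <AttributeDefinition id="someInternalId">
    <AttributeEncoder name="internal_id" denyUserInfo="true"/>
  </AttributeDefinition>
  <AttributeDefinition id="department">
    <AttributeEncoder name="department" placeToIDToken="false"/>
  </AttributeDefinition>
</AttributeResolver>"""

def local(tag):
    return tag.rsplit("}", 1)[-1]  # strip ElementTree's '{namespace}' prefix

def legacy_flags(resolver_xml):
    """Map each property to the ids of definitions whose encoder set the old flag."""
    props = {name: [] for name in LEGACY.values()}
    for definition in ET.fromstring(resolver_xml).iter():
        if local(definition.tag) != "AttributeDefinition":
            continue
        for enc in definition:
            if local(enc.tag) != "AttributeEncoder":
                continue
            for key, value in enc.attrib.items():
                prop = LEGACY.get(key.lower())  # matches either spelling of the flag
                attr_id = definition.get("id")  # assumption: properties list this id
                if prop and value.strip().lower() == "true" and attr_id not in props[prop]:
                    props[prop].append(attr_id)
    return props

def property_lines(props):
    """Render non-empty properties as lines for oidc.properties."""
    return [f"{name} = {','.join(ids)}" for name, ids in props.items() if ids]

if __name__ == "__main__":
    print("\n".join(property_lines(legacy_flags(SAMPLE))))
```

Flags set to `false` are ignored, which matches the defaults stated in the reply: only the standard claims go into the ID token, and every released claim is allowed in userinfo.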