Shibboleth IDP for OAuth2

Cantor, Scott cantor.2 at
Tue Aug 9 14:55:26 UTC 2022

If your goal is to use a front channel authorization request that's pure OAuth2 (i.e. without the openid scope and the ID token and all that), then there's a simple answer to that, you can't, it isn't supported yet.

You can add custom scopes all day long, but the message handling on that endpoint is OpenID only right now, so the openid scope has to be there or the Nimbus library should cough it back up.

>    According to the log the error is that no further audience is allowed.

I'm fairly skeptical of that,cI don't see any way it could get that far, the message decoding step should have failed. Admittedly I never actually tried it. If it gets past that point, then we might have been mistaken but I still think there are other steps that will blow up without the openid scope.

>    1. Is there an option/example how to extend the access_token so I can
> include further claims like the email, firstname or affiliation?

Any custom claims that get past the attribute filter and that don't collide with reserved claim names (or that are mapped to other claim names via the registry layer) will be added to the access token if it's in JWT format, that's automatic.

If they're not present, they weren't resolved (or couldn't be resolved on the token endpoint and needed to be embedded in the authorization code instead), or weren't released by the filter.

-- Scott

More information about the users mailing list