OIDC: this user can't understand how to generate sub claim
Francesco Malvezzi
francesco.malvezzi at unimore.it
Mon Aug 29 12:40:29 UTC 2022
Hi all,
I'm a bit lost making sense of this error:
2022-08-29 14:13:02,147 - DEBUG [net.shibboleth.idp.plugin.oidc.op.profile.logic.AttributeResolutionSubjectLookupFunction:140] - Searching for 'sub' claim among encodeable attributes
2022-08-29 14:13:02,147 - WARN [net.shibboleth.idp.plugin.oidc.op.profile.logic.AttributeResolutionSubjectLookupFunction:182] - Unable to produce a viable 'sub' claim
2022-08-29 14:13:02,148 - ERROR [net.shibboleth.idp.plugin.oidc.op.profile.impl.SetSubjectToResponseContext:86] - Profile Action SetSubjectToResponseContext: Subject may not be null
The sub definition(s) are in the
conf/examples/oidc-attribute-resolver.xml file: the

<AttributeDefinition id="subject" xsi:type="Scoped" scope="%{idp.scope}"
        activationConditionRef="shibboleth.oidc.Conditions.SubjectRequired">
    <InputDataConnector ref="computedSubjectId" attributeNames="subjectId"/>
    <AttributeEncoder xsi:type="oidc:OIDCScopedString" name="sub" />
</AttributeDefinition>

uncommented (so all of them are active -- three in all).
According to the logs, the uid attribute is present and released.
In the logs I wasn't able to find hints as to whether the activation
conditions wired on the sub definitions resolve to true or not, but
deleting them doesn't make any difference.
I wouldn't blame the attribute filter (the default taken from the
example folder) because the client has the openid scope and actually the
failure looks like it is coming from the attribute resolver's phase.
I am aware I made a stupid mistake of my own. If you could suggest more
tests I would be very very thankful,
thank you so much,
Francesco