OIDC: this user can't understand how to generate sub claim

Francesco Malvezzi francesco.malvezzi at unimore.it
Tue Aug 30 16:23:49 UTC 2022


On 29/08/22 19:01, Peter Schober via users wrote:
> * Francesco Malvezzi via users <users at shibboleth.net> [2022-08-29 14:40]:
>>          <InputDataConnector ref="computedSubjectId" attributeNames="subjectId"/>
> [...]
>> According to the logs, the uid attribute is present and released.
> 
> At least in your post you have not provided evidence on the relation
> of the 'uid' attribute (which you say is present) and the configured
> InputDataConnector.
> I'd imagine you're generating the "subjectId" attribute based off
> 'uid' somewhere/somehow but for me this is only an assumption.
> I could also speculate that it could be this connection that's
> missing/misconfigured.
> 
> HTH,
> -peter

Thank you for your time and attention.

The DataConnector for subjectId is the plain DataConnector taken from 
the conf/examples/oidc-attribute-resolver.xml

  <!--
     Data Connector for generating 'sub' claim. It may be used to generate both
     public and pairwise subject values because it recognizes the OIDC sector_id
     if used during client registration.
  -->
  <DataConnector id="computedSubjectId" xsi:type="ComputedId"
          excludeResolutionPhases="c14n/attribute"
          generatedAttributeID="subjectId"
          salt="%{idp.oidc.subject.salt:some_more_salt}"
          algorithm="%{idp.oidc.subject.algorithm:SHA}"
          encoding="BASE32">
      <InputAttributeDefinition ref="%{idp.oidc.subject.sourceAttribute:uid}"/>
  </DataConnector>

the declared properties are:

$ grep oidc.subject conf/oidc.properties credentials/secrets.properties

conf/oidc.properties:idp.oidc.subject.sourceAttribute = uid
conf/oidc.properties:idp.oidc.subject.algorithm = SHA
#conf/oidc.properties:idp.oidc.subject.salt = this_too_should_be_ch4ng3d
credentials/secrets.properties:idp.oidc.subject.salt = some_salt_here

credentials/secrets.properties is imported via the idp.additionalProperties
property in conf/idp.properties.

In this setup uid is defined as:
<AttributeDefinition id="uid" xsi:type="PrincipalName" />

(encoding is in conf/attributes/oidc-claim-rules.xml, if needed).

The /conf/attributes-resolver.xml has been removed from the services.xml
to avoid interference from the SAML attribute resolution, and the
attribute resolution was checked with the aacli: it works; of course only
the values from the staticAttributes DataConnector show up.

In another trial, I also tried to short-circuit the subject's
definition with
<InputDataConnector ref="staticAttributes" attributeNames="myuid"/>
instead of invoking the computedSubjectId DataConnector, but the outcome
is the same.

Sorry for the lengthy mail. Thank you for your patience,

Francesco
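As an added example (not from the post, and not Shibboleth project code): a small Python check that resolves the connector's %{property:default} placeholders the way the IdP's property loading does, i.e. conf/idp.properties first and then every file listed in idp.additionalProperties, and reports any attribute that silently fell back to its inline default. The file contents are constructed from the grep output above, and the .properties parser is a deliberate approximation (no line continuations or escapes).

```python
import re
# Constructed stand-ins for the three files in the post's grep output (additionalProperties paths are relative to idp.home).
FILES = {
    "conf/idp.properties": "idp.additionalProperties = /conf/oidc.properties, /credentials/secrets.properties\n",
    "conf/oidc.properties": "idp.oidc.subject.sourceAttribute = uid\nidp.oidc.subject.algorithm = SHA\n#idp.oidc.subject.salt = this_too_should_be_ch4ng3d\n",
    "credentials/secrets.properties": "idp.oidc.subject.salt = some_salt_here\n",
}
CONNECTOR_ATTRS = {  # the %{property:default} expressions of the ComputedId connector above
    "salt": "%{idp.oidc.subject.salt:some_more_salt}",
    "algorithm": "%{idp.oidc.subject.algorithm:SHA}",
    "sourceAttribute": "%{idp.oidc.subject.sourceAttribute:uid}",
}
PLACEHOLDER = re.compile(r"%\{([^:}]+):([^}]*)\}")  # assumes every placeholder carries a default

def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, 'key = value' or 'key: value'."""
    props = {}
    for line in (l.strip() for l in text.splitlines()):
        if line and line[0] not in "#!":
            parts = re.split(r"\s*[=:]\s*", line, maxsplit=1)
            props[parts[0]] = parts[1] if len(parts) > 1 else ""
    return props

def load_idp_properties(files, main="conf/idp.properties"):
    """Load idp.properties, then every file in idp.additionalProperties (later files win)."""
    props = parse_properties(files[main])
    for extra in props.get("idp.additionalProperties", "").split(","):
        if extra.strip():
            props.update(parse_properties(files.get(extra.strip().lstrip("/"), "")))
    return props

def resolve(expr, props):
    """Expand %{key:default}; also return the keys that silently fell back to their default."""
    fallbacks = []
    def sub(m):
        if m.group(1) in props:
            return props[m.group(1)]
        fallbacks.append(m.group(1))
        return m.group(2)
    return PLACEHOLDER.sub(sub, expr), fallbacks

def check_subject_connector(files):
    """Resolve each connector attribute; a salt left at its inline default means predictable subs."""
    props = load_idp_properties(files)
    resolved, warnings = {}, []
    for name, expr in CONNECTOR_ATTRS.items():
        resolved[name], fb = resolve(expr, props)
        warnings += [f"{name}: {k} unset, inline default '{resolved[name]}' in effect" for k in fb]
    return resolved, warnings
```

If secrets.properties is not actually picked up, the check shows the salt quietly becoming "some_more_salt", so every generated sub would be derived from a value anyone can read in the example file.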

