OIDC: this user can't understand how to generate sub claim

Francesco Malvezzi francesco.malvezzi at unimore.it
Wed Aug 31 10:15:53 UTC 2022


On 30/08/22 18:35, Cantor, Scott wrote:
> I guarantee you that any AttributeDefinition that encodes to "sub" is not producing any values, or it would work. So from that you can work backward to where the values should be coming from.
> 
>>     The DataConnector for subjectId is the plain DataConnector taken from
>>   the conf/examples/oidc-attribute-resolver.xml
> 
> Sure, but where is it being applied as a dependency?
> 
>>     In this setup uid is defined as:
>>     <AttributeDefinition id="uid" xsi:type="PrincipalName" />
> 
> Fine for testing, of course, but you should never deploy that. This is not an idle comment. I wouldn't even test that way, no matter how "simple" it seems. Subject IDs have to be stable and that could never be stable.
> 
> Anyway, where is "subjectId" actually being fed in as a dependency that will become "sub"?
> 

Yes, sure.

Copy/pasted verbatim from conf/examples/oidc-attribute-resolver.xml:

    <AttributeDefinition id="subject-public" xsi:type="Scoped"
            scope="%{idp.scope}"
            activationConditionRef="shibboleth.oidc.Conditions.PublicRequired">
        <InputAttributeDefinition ref="uid" />
        <AttributeEncoder xsi:type="oidc:OIDCScopedString" name="sub" />
    </AttributeDefinition>

    <AttributeDefinition id="subject-pairwise" xsi:type="Scoped"
            scope="%{idp.scope}"
            activationConditionRef="shibboleth.oidc.Conditions.PairwiseRequired">
        <InputDataConnector ref="computedSubjectId" attributeNames="subjectId" />
        <AttributeEncoder xsi:type="oidc:OIDCScopedString" name="sub" />
    </AttributeDefinition>

    <AttributeDefinition id="subject" xsi:type="Scoped"
            scope="%{idp.scope}"
            activationConditionRef="shibboleth.oidc.Conditions.SubjectRequired">
        <InputDataConnector ref="computedSubjectId" attributeNames="subjectId" />
        <AttributeEncoder xsi:type="oidc:OIDCScopedString" name="sub" />
    </AttributeDefinition>

If hard to read, it is also available at:
https://github.com/francescm/this_user_oidc_conf

Thank you so much,

Francesco
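The question in this thread is where the value behind the "sub" encoder is supposed to come from. The script below is an added example (not part of the thread, the Shibboleth IdP, or the OIDC plugin): it parses an attribute-resolver file, finds every AttributeDefinition whose encoder is named "sub", and walks its InputAttributeDefinition / InputDataConnector references down to the leaf, so you can see whether each chain ends at a DataConnector or at a bare definition such as the PrincipalName "uid". The embedded sample is constructed from the three definitions in the message plus a stand-in computedSubjectId connector; namespace declarations are trimmed to what the parser needs, and the exported-name check assumes a ComputedId connector exports exactly its generatedAttributeID (default "computedId"), which is a stated assumption rather than something this thread confirms.

```python
"""Trace every attribute-resolver chain that ends in a "sub" encoder back to
its leaf (DataConnector, bare AttributeDefinition, missing ref, or cycle)."""
import xml.etree.ElementTree as ET

NS = {
    "r": "urn:mace:shibboleth:2.0:resolver",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
XSI_TYPE = "{%s}type" % NS["xsi"]

# Constructed sample: the definitions quoted in the message, the "uid"
# definition, and a stand-in computedSubjectId connector (salt and other
# real-deployment settings omitted). "oidc:" appears only inside attribute
# values, which the XML parser does not resolve, so no oidc namespace is needed.
SAMPLE = """<AttributeResolver xmlns="urn:mace:shibboleth:2.0:resolver"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <AttributeDefinition id="uid" xsi:type="PrincipalName" />

  <AttributeDefinition id="subject-public" xsi:type="Scoped" scope="%{idp.scope}"
      activationConditionRef="shibboleth.oidc.Conditions.PublicRequired">
    <InputAttributeDefinition ref="uid" />
    <AttributeEncoder xsi:type="oidc:OIDCScopedString" name="sub" />
  </AttributeDefinition>

  <AttributeDefinition id="subject-pairwise" xsi:type="Scoped" scope="%{idp.scope}"
      activationConditionRef="shibboleth.oidc.Conditions.PairwiseRequired">
    <InputDataConnector ref="computedSubjectId" attributeNames="subjectId" />
    <AttributeEncoder xsi:type="oidc:OIDCScopedString" name="sub" />
  </AttributeDefinition>

  <AttributeDefinition id="subject" xsi:type="Scoped" scope="%{idp.scope}"
      activationConditionRef="shibboleth.oidc.Conditions.SubjectRequired">
    <InputDataConnector ref="computedSubjectId" attributeNames="subjectId" />
    <AttributeEncoder xsi:type="oidc:OIDCScopedString" name="sub" />
  </AttributeDefinition>

  <!-- stand-in connector (constructed for this example) -->
  <DataConnector id="computedSubjectId" xsi:type="ComputedId"
      generatedAttributeID="subjectId">
    <InputAttributeDefinition ref="uid" />
  </DataConnector>
</AttributeResolver>"""


def load(xml_text):
    """Index top-level AttributeDefinitions and DataConnectors by id."""
    root = ET.fromstring(xml_text)
    defs = {e.get("id"): e for e in root.findall("r:AttributeDefinition", NS)}
    conns = {e.get("id"): e for e in root.findall("r:DataConnector", NS)}
    return defs, conns


def sub_definitions(defs):
    """Ids of AttributeDefinitions whose encoder emits the 'sub' claim."""
    return sorted(
        aid for aid, el in defs.items()
        if any(enc.get("name") == "sub"
               for enc in el.findall("r:AttributeEncoder", NS)))


def trace(aid, defs, conns, seen=frozenset()):
    """Return (path, leaf_kind, leaf_xsi_type) tuples for every dependency
    chain below AttributeDefinition `aid`. Chains stop at DataConnectors."""
    el = defs.get(aid)
    if el is None:
        return [((aid,), "missing", None)]
    if aid in seen:
        return [((aid,), "cycle", None)]
    seen = seen | {aid}
    in_dc = el.findall("r:InputDataConnector", NS)
    in_ad = el.findall("r:InputAttributeDefinition", NS)
    if not in_dc and not in_ad:  # no inputs: the definition itself is the source
        return [((aid,), "AttributeDefinition", el.get(XSI_TYPE))]
    chains = []
    for dep in in_dc:
        conn = conns.get(dep.get("ref"))
        kind = "DataConnector" if conn is not None else "missing"
        typ = conn.get(XSI_TYPE) if conn is not None else None
        chains.append(((aid, dep.get("ref")), kind, typ))
    for dep in in_ad:
        for path, kind, typ in trace(dep.get("ref"), defs, conns, seen):
            chains.append(((aid,) + path, kind, typ))
    return chains


def report(xml_text):
    """Map each 'sub'-producing definition id to its dependency chains."""
    defs, conns = load(xml_text)
    return {aid: trace(aid, defs, conns) for aid in sub_definitions(defs)}


def exported_name_warnings(xml_text):
    """Flag InputDataConnector attributeNames the referenced connector does not
    export. Assumption: a ComputedId connector exports only its
    generatedAttributeID (default 'computedId'); other types are skipped."""
    defs, conns = load(xml_text)
    warnings = []
    for aid, el in defs.items():
        for dep in el.findall("r:InputDataConnector", NS):
            conn = conns.get(dep.get("ref"))
            if conn is None or conn.get(XSI_TYPE) != "ComputedId":
                continue
            exported = conn.get("generatedAttributeID", "computedId")
            for name in (dep.get("attributeNames") or "").split():
                if name != exported:
                    warnings.append(f"{aid}: asks {conn.get('id')} for "
                                    f"'{name}' but it exports '{exported}'")
    return warnings


if __name__ == "__main__":
    for aid, chains in report(SAMPLE).items():
        for path, kind, typ in chains:
            print(f"{aid}: {' -> '.join(path)}  [{kind} {typ}]")
    for w in exported_name_warnings(SAMPLE):
        print("WARNING:", w)
```

Run it against your own attribute-resolver.xml by replacing SAMPLE with the file contents. A chain that ends in "missing" means the resolver will never populate that "sub", and a chain ending at a bare AttributeDefinition shows exactly which source value the claim would carry, which is the point Scott's reply asks you to establish.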

