
SSO OIDC - User info - only sub and email claims

mathieu_brule
Mega Sage

Hi,

I'm currently facing an issue while trying to auto-provision my users from an OIDC SSO connection.

Almost everything works fine: authentication and the userinfo call, except that the only user claims I get are sub and email, although I would like to get other claims, like given_name and others.

Below is the scopes configuration, imported from my provider's well-known configuration, where you can see the scopes I'm requesting:

[Screenshot: Scopes.png]

But in the logs, I can see that my claims are limited to sub and email.

Still in the logs, I can see this line:

AuthorizationURL : https://fca.integ01.dev-agentconnect.fr/api/v2/authorize?scope=email+openid&response_type=code&oauth... in which I can only see the email and openid scopes. Maybe my issue comes from this point?

Could you please help me?

1 ACCEPTED SOLUTION

Naveen20
ServiceNow Employee

The authorization URL is only sending scope=email+openid, so your provider only returns claims associated with those two scopes. There are two things going on here:

1. Scopes aren't selected on the OAuth Entity Profile

Defining scopes on the OAuth Entity Scopes tab just makes them available. You still need to go to the OAuth Entity Profiles tab, open your profile, and explicitly select which scopes that profile should request. If only openid and email are selected there, those are the only ones sent in the authorize URL — which matches exactly what you're seeing in the logs.

2. given_name is a claim, not a scope

This is likely the root cause of your confusion. In the OIDC specification, the standard scopes are openid, profile, email, phone, and address. The given_name claim is returned when you request the profile scope — it's not a scope itself. So instead of defining given_name as a scope, you should define a scope entry with the OAuth Scope value set to profile. That single scope will give you given_name, family_name, name, preferred_username, picture, and other identity claims.

To do:

Replace your scope-3 entry (given_name) with one that has the OAuth Scope value profile. Then go to the OAuth Entity Profiles tab, open your profile, and make sure openid, profile, email, and phone are all selected. After that, your authorization URL should show scope=openid+profile+email+phone, and the userinfo response should include the full set of claims you need for auto-provisioning.


2 REPLIES 2


Hi @Naveen20,

Many thanks 🙂 It works now. I didn't see where to select the scopes that need to be configured to explicitly ask for the corresponding claims.