
Inconsistent Claims Between Authentication and Token Endpoint ID Tokens in OIDC Hybrid Flow #22212

Open
aaujayasena opened this issue Jan 8, 2025 · 2 comments

Comments

@aaujayasena
Contributor

Description

When using the OIDC hybrid flow there is a discrepancy between the claims in the ID tokens returned by the authentication endpoint and the token endpoint. According to the documentation, the values of common user claims in ID tokens should be identical, and all claims related to the authentication event should be available in both ID tokens [1]. However, the following differences are observed:

[Screenshot: red content is the ID token returned from the authorization endpoint; green content is the extended ID token returned from the token endpoint]

Observed Differences:

  1. The sid claim is present in the authentication endpoint token but not in the token endpoint token.
  2. The nbf claim is present in the token endpoint token but not in the authentication endpoint token.
  3. The user_org claim is present in the authentication endpoint token but not in the token endpoint token.

We need to recheck and finalize whether these differences are accepted.
[1] https://wso2.com/asgardeo/docs/guides/authentication/oidc/implement-oidc-hybrid-flow/
[2] https://openid.net/specs/openid-connect-core-1_0.html#HybridIDTValidation


Steps to Reproduce

  1. Log in to the console and create an application
  2. Enable hybrid flow
  3. Enable code id_token
  4. Make an authentication request
    ex: https://localhost:9443/oauth2/authorize?response_type=code id_token&client_id=QsBUsTh7yw2wDT4YATkMU4B0OgAa&nonce=ndb&redirect_uri=https://oidcdebugger.com/debug&scope=openid
  5. Retrieve the code, extend the request and retrieve the id_token from the token endpoint
  6. Get the ID tokens from steps 5 and 4 and compare their content

Version

IS 7.1.0-m6

Environment Details (with versions)

No response
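As an added example (not from this issue or the WSO2 code base), a small Python check for the comparison in step 6: it decodes both ID tokens and reports claims present in only one of them plus common claims whose values differ, which the hybrid ID token validation rule in [2] requires to be identical. The sample tokens, the placeholder signature and the set of claims allowed to differ are constructed assumptions; a real check must verify the signature before trusting either token.

```python
import base64
import json

# Assumption: these claims legitimately differ or may be omitted between the
# two tokens (different minting times; at_hash/c_hash depend on the response).
EXPECTED_TO_DIFFER = {"iat", "exp", "at_hash", "c_hash"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed sample JWT with an empty placeholder signature."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


def decode_claims(jwt: str) -> dict:
    """Return the payload claims (no signature check; verify before trusting)."""
    return json.loads(_b64url_decode(jwt.split(".")[1]))


def compare_id_tokens(authz_jwt: str, token_jwt: str, ignore=EXPECTED_TO_DIFFER) -> dict:
    """Report claim-set and claim-value differences between the two ID tokens."""
    a, t = decode_claims(authz_jwt), decode_claims(token_jwt)
    common = (a.keys() & t.keys()) - ignore
    return {
        "only_in_authorization_endpoint": sorted((a.keys() - t.keys()) - ignore),
        "only_in_token_endpoint": sorted((t.keys() - a.keys()) - ignore),
        "value_mismatch": sorted(k for k in common if a[k] != t[k]),
    }


# Constructed sample tokens mirroring the report: sid and user_org only in the
# authorization-endpoint token, nbf only in the token-endpoint token.
AUTHZ_ID_TOKEN = make_unsigned_jwt({
    "iss": "https://issuer.example", "sub": "alice", "aud": "client-placeholder",
    "nonce": "ndb", "iat": 1736323200, "exp": 1736326800, "c_hash": "placeholder",
    "sid": "session-placeholder", "user_org": "org-placeholder",
})
TOKEN_ID_TOKEN = make_unsigned_jwt({
    "iss": "https://issuer.example", "sub": "alice", "aud": "client-placeholder",
    "nonce": "ndb", "iat": 1736323205, "exp": 1736326805, "nbf": 1736323205,
})

if __name__ == "__main__":
    print(json.dumps(compare_id_tokens(AUTHZ_ID_TOKEN, TOKEN_ID_TOKEN), indent=2))
```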

@Thumimku
Contributor

This behaviour is the same for IS 7.0.0 GA also.

@Thumimku Thumimku moved this from Todo to In Progress in Identity Server 7.1.0 Jan 22, 2025
@Thumimku
Contributor

As discussed with @aaujayasena, this is not L2 in terms of severity, but we have to prioritise this. Please find the following analysis.

The sid claim -> This is a bug we need to fix, because if the flow is the code flow then we can get the sid claim in the ID_token.
The nbf claim -> This is an improvement.
The user_org claim -> We have to discuss and decide.

CC: @aaujayasena @nilasini @isharak
