Problem
Autentico ignores the claims request parameter defined in OIDC Core §5.5. This parameter allows clients to request specific claims in the UserInfo response or ID token, independent of the requested scopes.
Example request:
GET /oauth2/authorize?...&claims={"userinfo":{"name":{"essential":true}}}
The name claim (and any other claim requested this way) is silently ignored; claims are returned based on the scope parameter only.
Impact
Surfaced as a warning in the OIDC conformance suite (oidcc-test-plan):
WARNING OIDCC-5.5 OIDCC-5.5.1 EnsureUserInfoContainsName: name not found in userinfo
Fix
Parse the claims parameter in pkg/authorize/handler.go, store the requested claims alongside the auth code, and use them in pkg/userinfo/handler.go and pkg/token/generate.go to include the requested claims in the UserInfo response and ID token respectively.
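One way to implement the parse-and-merge step above, as an added example in Go rather than Autentico's own code: the ClaimRequest and ClaimsRequest types, SelectClaims and the scope-to-claims table are assumptions, and only the null and essential forms of a claim entry are modelled (not value/values).

```go
package main

import "encoding/json"

// ClaimRequest is one entry of the OIDC Core §5.5 claims parameter; a JSON
// null decodes as a nil *ClaimRequest and means "voluntary".
type ClaimRequest struct {
	Essential bool `json:"essential"`
}
// ClaimsRequest maps a target ("userinfo" or "id_token") to its requested claims.
type ClaimsRequest map[string]map[string]*ClaimRequest
// ParseClaimsRequest decodes the raw claims parameter; absent means empty, malformed JSON is an error.
func ParseClaimsRequest(raw string) (ClaimsRequest, error) {
	cr := ClaimsRequest{}
	if raw == "" {
		return cr, nil
	}
	if err := json.Unmarshal([]byte(raw), &cr); err != nil {
		return nil, err
	}
	return cr, nil
}

// scopeClaims is the standard scope -> claims mapping of OIDC Core §5.4 (assumed table).
var scopeClaims = map[string][]string{
	"profile": {"name", "family_name", "given_name", "preferred_username"},
	"email":   {"email", "email_verified"},
}

// SelectClaims builds the claim set for one target: scope-derived claims plus
// requested ones, limited to what the user holds; missing essentials are reported.
func SelectClaims(scopes []string, requested map[string]*ClaimRequest, user map[string]string) (map[string]string, []string) {
	out := map[string]string{}
	for _, s := range scopes {
		for _, c := range scopeClaims[s] {
			if v, ok := user[c]; ok {
				out[c] = v
			}
		}
	}
	var missing []string
	for c, req := range requested {
		if v, ok := user[c]; ok {
			out[c] = v
		} else if req != nil && req.Essential {
			missing = append(missing, c)
		}
	}
	return out, missing
}
```

The authorize handler would store the parsed ClaimsRequest with the auth code, and the userinfo and token handlers would call SelectClaims with the "userinfo" and "id_token" entries respectively.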