fsakiyama Absent Member.

How to get user info from OpenId Id token?

Hi,

I'm trying to use the ID Token, and I want to put some user information inside the ID Token.
Unfortunately, I don't know how to do that.

I'm using the NetIQ Playground to test, and this is what I'm getting using the 'openid' profile:

Access Token :
/wEBAAkJACA...
Expires : 10799
Token Type : bearer

Refresh Token :
/wEBAAICACAZa...

ID Token (OpenID Connect):
eyJhbGciOiJub25lIn0....
ID Token (decoded):

{
"iss": "https://myidp.com.br/nidp/oauth/nam",
"sub": "8f918904f7033e448ffbd77562e72f33",
"aud": "82522692-6298-4650-b29f-17e8fa899a44",
"exp": 8516204333,
"iat": 8516193533,
"acr": {
"values": [
"name/password/uri"
]
}
}

I'm trying to put for example a name on Id Token:

ID Token (decoded):

{
"iss": "https://myidp.com.br/nidp/oauth/nam",
"sub": "8f918904f7033e448ffbd77562e72f33",
"aud": "82522692-6298-4650-b29f-17e8fa899a44",
"exp": 8516204333,
"iat": 8516193533,
"name": "fsakiyama",
"acr": {
"values": [
"name/password/uri"
]
}
}

How can I do that?

Thanks in advance!
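The value shown under "ID Token (OpenID Connect)" is a compact JWT, and its first segment, `eyJhbGciOiJub25lIn0`, base64url-decodes to `{"alg":"none"}`: the playground handed back an unsigned ID token. The following Python is an added example, not code from the post or from NetIQ Access Manager. It rebuilds a token of the same shape from the claims shown above (the token bytes are constructed here; only the claim values come from the post), splits it into its three segments, and runs the relying-party checks from OIDC Core 1.0 section 3.1.3.7 that need no key material: the `alg` header, `iss`, `aud`/`azp`, `exp` and `iat`. Signature verification for signed tokens is deliberately outside the block.

```python
import base64
import json
import time

# Claim values as shown in the decoded ID token above; the token itself is
# assembled below rather than copied, since the post only shows its prefix.
SAMPLE_CLAIMS = {
    "iss": "https://myidp.com.br/nidp/oauth/nam",
    "sub": "8f918904f7033e448ffbd77562e72f33",
    "aud": "82522692-6298-4650-b29f-17e8fa899a44",
    "exp": 8516204333,
    "iat": 8516193533,
    "acr": {"values": ["name/password/uri"]},
}


def _b64url_decode(segment):
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_unsigned_token(claims):
    """Assemble 'header.payload.' with an empty signature, which is what alg=none looks like."""
    header = _b64url_encode(json.dumps({"alg": "none"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return "{}.{}.".format(header, payload)


def decode_jwt(token):
    """Split a compact JWT into (header, claims, signature_segment) without verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims, parts[2]


def validate_id_token(token, expected_issuer, client_id, now=None, allow_unsigned=False):
    """Relying-party checks that need no key material. Returns (claims, problems).

    An empty problem list means the structural checks passed; for alg != none
    the signature must still be verified against the issuer's JWKS, which this
    block does not do. alg=none is refused unless the caller opts in: OIDC Core
    permits it only when the client explicitly registered for 'none' and uses
    the code flow, so the default here is to reject.
    """
    now = int(time.time()) if now is None else now
    header, claims, signature = decode_jwt(token)
    problems = []
    if header.get("alg", "none") == "none" and not allow_unsigned:
        problems.append("token is unsigned (alg=none); refuse unless registered for it")
    if header.get("alg") != "none" and not signature:
        problems.append("signed alg declared but signature segment is empty")
    if claims.get("iss") != expected_issuer:
        problems.append("iss {!r} != expected {!r}".format(claims.get("iss"), expected_issuer))
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if client_id not in aud_list:
        problems.append("aud does not contain this client_id")
    if len(aud_list) > 1 and claims.get("azp") != client_id:
        problems.append("multiple audiences but azp is not this client_id")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        problems.append("token expired or exp missing")
    if "iat" not in claims:
        problems.append("iat missing")
    return claims, problems


if __name__ == "__main__":
    token = build_unsigned_token(SAMPLE_CLAIMS)
    print(token[:40] + "...")
    _, problems = validate_id_token(
        token,
        expected_issuer="https://myidp.com.br/nidp/oauth/nam",
        client_id="82522692-6298-4650-b29f-17e8fa899a44",
        now=8516200000,
    )
    for p in problems:
        print("-", p)
```

Run as-is, the only finding is the unsigned header; with `allow_unsigned=True` the token passes the remaining checks because its `iss`, `aud` and `exp` match what the playground showed. A relying party that decodes the payload without looking at the header first (which is what pasting a token into a decoder does) would never notice the missing signature.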
Knowledge Partner

Re: How to get user info from OpenId Id token?

On 18-01-2018 12:04 AM, fsakiyama wrote:
>
> Hi,
>
> I'm trying to use the Id Token, and i want to put some user information
> inside the Id Token.
> Unfortunately, i don't know how to do that.
>
> I'm using NetIq Playground to test, and this is what i'm getting using
> the 'open id' profile:
>
> Access Token :
> /wEBAAkJACA...
> Expires : 10799
> Token Type : bearer
>
> Refresh Token :
> /wEBAAICACAZa...
>
> ID Token (OpenID Connect):
> eyJhbGciOiJub25lIn0....
> ID Token (decoded):
>
> {
> "iss": "https://myidp.com.br/nidp/oauth/nam",
> "sub": "8f918904f7033e448ffbd77562e72f33",
> "aud": "82522692-6298-4650-b29f-17e8fa899a44",
> "exp": 8516204333,
> "iat": 8516193533,
> "acr": {
> "values": [
> "name/password/uri"
> ]
> }
> }
>
> I'm trying to put for example a name on Id Token:
>
> ID Token(decoded) : {
>
> {
> "iss": "https://myidp.com.br/nidp/oauth/nam",
> "sub": "8f918904f7033e448ffbd77562e72f33",
> "aud": "82522692-6298-4650-b29f-17e8fa899a44",
> "exp": 8516204333,
> "iat": 8516193533,
> "name": "fsakiyama",
> "acr": {
> "values": [
> "name/password/uri"
> ]
> }
> }
>
> How can i do that?
>
> Thanks in advance!


You don't really get it from the id token. You can add additional attributes in the access token by assigning an attribute set to a scope under the
resource server. If you want to send unencrypted access tokens you have to select that on the resource server as an option and add it in the string
like &ResourceServer=<whatEverYouWantToCallIt>




--
Cheers,
Edward
fabiosakiyama Absent Member.

Re: How to get user info from OpenId Id token?

edmaa;2473834 wrote:
On 18-01-2018 12:04 AM, fsakiyama wrote:
>
> Hi,
>
> I'm trying to use the Id Token, and i want to put some user information
> inside the Id Token.
> Unfortunately, i don't know how to do that.
>
> I'm using NetIq Playground to test, and this is what i'm getting using
> the 'open id' profile:
>
> Access Token :
> /wEBAAkJACA...
> Expires : 10799
> Token Type : bearer
>
> Refresh Token :
> /wEBAAICACAZa...
>
> ID Token (OpenID Connect):
> eyJhbGciOiJub25lIn0....
> ID Token (decoded):
>
> {
> "iss": "https://myidp.com.br/nidp/oauth/nam",
> "sub": "8f918904f7033e448ffbd77562e72f33",
> "aud": "82522692-6298-4650-b29f-17e8fa899a44",
> "exp": 8516204333,
> "iat": 8516193533,
> "acr": {
> "values": [
> "name/password/uri"
> ]
> }
> }
>
> I'm trying to put for example a name on Id Token:
>
> ID Token(decoded) : {
>
> {
> "iss": "https://myidp.com.br/nidp/oauth/nam",
> "sub": "8f918904f7033e448ffbd77562e72f33",
> "aud": "82522692-6298-4650-b29f-17e8fa899a44",
> "exp": 8516204333,
> "iat": 8516193533,
> "name": "fsakiyama",
> "acr": {
> "values": [
> "name/password/uri"
> ]
> }
> }
>
> How can i do that?
>
> Thanks in advance!


You don't really get it from the id token. You can add additional attributes in the access token by assigning an attribute set to a scope under the
resource server. If you want to send unencrypted access tokens you have to select that on the resource server as an option and add it in the string
like &ResourceServer=<whatEverYouWantToCallIt>




--
Cheers,
Edward


Hi Edward,

Thanks for the answer!

Since the access_token doesn't contain user info, I thought that the OpenID token would provide that. That was my understanding after reading some links like this:
https://www.netiq.com/communities/cool-solutions/openid-connect-nam-identity-server-oauth2-playground/

OpenID Connect:

This is built upon the OAuth2 protocol. It is a mechanism to add an identity layer to the OAuth2 authorization flow.

The OpenID Connect framework provides an “ID Token” in addition to the OAuth2 access token. This token contains information about the user who authenticated with the identity provider. This token can also contain trusted issuer information, which can be used to validate data integrity, i.e. that the information was not modified at the transport layer.


What does it mean when it says “this token contains information of user”?
Isn't there a way to get user information without having to hit the userInfo endpoint passing the access token?

Thanks in advance!
Knowledge Partner

Re: How to get user info from OpenId Id token?

On 19-01-2018 9:16 PM, fabiosakiyama wrote:
>


>
> Hi Edward,
>
> Thanks for the answer!
>
> Since the access_token doesn't contain user info, i thought that openId
> token would provide that. That was my understanding after reading some
> links like this:
> https://www.netiq.com/communities/cool-solutions/openid-connect-nam-identity-server-oauth2-playground/
>
>> OpenID Connect:
>>
>> This is built upon Oauth2 protocol. It is mechanism to add Identity
>> layer with Oauth2 authorization flow.
>>
>> OpenID Connect frame works provides “ID Token” in addition to OAuth2
>> access token. This token contains *information of user* who
>> authenticated with identity provider. This token also can contain
>> trusted issuer information, where this information can be used to
>> validate data integrity that information is not modified at transport
>> layer.

>
> What does it mean when it says ''this token contains information of
> user''?
> Isn't there a way to get user information without having to hit the
> userInfo endpoint passing the access token?
>
> Thanks in advance!


So the id token does contain a subject, but it's the nidsguid, I believe, which doesn't make much sense to a recipient to be honest, and you can't add
additional info to it. If you want to add additional info to a token you can only do that to the access token (on 4.4 and later). The only other thing
you can really do if you want to use the id token is use the access token to request the scope and then map the subject from the id token to a
username returned in the scope.


--
Cheers,
Edward
fabiosakiyama Absent Member.

Re: How to get user info from OpenId Id token?

edmaa;2473845 wrote:
On 19-01-2018 9:16 PM, fabiosakiyama wrote:
>


>
> Hi Edward,
>
> Thanks for the answer!
>
> Since the access_token doesn't contain user info, i thought that openId
> token would provide that. That was my understanding after reading some
> links like this:
> https://www.netiq.com/communities/cool-solutions/openid-connect-nam-identity-server-oauth2-playground/
>
>> OpenID Connect:
>>
>> This is built upon Oauth2 protocol. It is mechanism to add Identity
>> layer with Oauth2 authorization flow.
>>
>> OpenID Connect frame works provides “ID Token” in addition to OAuth2
>> access token. This token contains *information of user* who
>> authenticated with identity provider. This token also can contain
>> trusted issuer information, where this information can be used to
>> validate data integrity that information is not modified at transport
>> layer.

>
> What does it mean when it says ''this token contains information of
> user''?
> Isn't there a way to get user information without having to hit the
> userInfo endpoint passing the access token?
>
> Thanks in advance!


So the id token does contain a subject, but it's the nidsguid, I believe, which doesn't make much sense to a recipient to be honest, and you can't add
additional info to it. If you want to add additional info to a token you can only do that to the access token (on 4.4 and later). The only other thing
you can really do if you want to use the id token is use the access token to request the scope and then map the subject from the id token to a
username returned in the scope.


--
Cheers,
Edward



Hi Edward,

I'm sorry, but I'm struggling to understand the use of the id token 😞
If I cannot add user information inside the id token (in order to avoid requesting userinfo with the access_token), why should one use the id_token?

Thanks in advance!
Knowledge Partner

Re: How to get user info from OpenId Id token?

On 27-01-2018 4:04 AM, fabiosakiyama wrote:
>
> I'm sorry, but I'm struggling to understand the use of the id token 😞
> If I cannot add user information inside the id token (in order to avoid
> requesting userinfo with the access_token), why should one use the
> id_token?


Good question, and I don't really have a good answer for that.


--
Cheers,
Edward
kevinmsrs Absent Member.

Re: How to get user info from OpenId Id token?

fabiosakiyama;2474323 wrote:
Hi Edward,

I'm sorry, but I'm struggling to understand the use of the id token 😞
If I cannot add user information inside the id token (in order to avoid requesting userinfo with the access_token), why should one use the id_token?

Thanks in advance!


I also thought that the id_token returns user information. Here is the example from the OpenID spec documentation (https://openid.net/specs/openid-connect-core-1_0.html#id_token-tokenExample).

{
"iss": "http://server.example.com",
"sub": "248289761001",
"aud": "s6BhdRkqt3",
"nonce": "n-0S6_WzA2Mj",
"exp": 1311281970,
"iat": 1311280970,
"name": "Jane Doe",
"given_name": "Jane",
"family_name": "Doe",
"gender": "female",
"birthdate": "0000-10-31",
"email": "janedoe@example.com",
"picture": "http://example.com/janedoe/me.jpg"
}


I am running into issues as the application I'm trying to provision is trying to pull the "email" claim from the id_token but fails.
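Edward's suggestion earlier in the thread (use the access token to request the scope, then map the ID token's subject to the username that comes back) and Kevin's application failing to find an `email` claim in the id_token come down to the same piece of client logic: take a claim from the ID token when it is there, otherwise fetch it from the userinfo endpoint, and refuse a userinfo response whose `sub` does not match the ID token's. The Python below is an added example, not code from the thread or from NAM. The ID token claims are the ones shown in the opening post; the userinfo body, its field values and the `UserInfoClient` wrapper are constructed for the example, and the HTTP call is replaced by an injected function so the block runs offline.

```python
import json

# Claims from the decoded ID token in the opening post: sub is present,
# name/email are not.
ID_TOKEN_CLAIMS = {
    "iss": "https://myidp.com.br/nidp/oauth/nam",
    "sub": "8f918904f7033e448ffbd77562e72f33",
    "aud": "82522692-6298-4650-b29f-17e8fa899a44",
    "exp": 8516204333,
    "iat": 8516193533,
    "acr": {"values": ["name/password/uri"]},
}

# Constructed stand-in for the JSON body the userinfo endpoint returns when the
# access token is presented as a Bearer token. Username and e-mail are made up.
USERINFO_BODY = json.dumps({
    "sub": "8f918904f7033e448ffbd77562e72f33",
    "preferred_username": "fsakiyama",
    "email": "fsakiyama@example.com",
})


class UserInfoClient:
    """Lazy, single-fetch userinfo lookup (hypothetical helper, not a NAM API).

    fetch_body is a zero-argument callable that would perform the real
    GET /userinfo with 'Authorization: Bearer <access_token>' and return the
    response body; injecting it keeps the example free of network access.
    """

    def __init__(self, fetch_body):
        self._fetch_body = fetch_body
        self._cached = None
        self.calls = 0  # number of round trips actually made

    def get(self):
        if self._cached is None:
            self.calls += 1
            self._cached = json.loads(self._fetch_body())
        return self._cached


def build_profile(id_token_claims, userinfo, wanted=("name", "email", "preferred_username")):
    """Assemble a user profile keyed on the ID token's sub.

    Claims carried by the ID token are used directly; userinfo is contacted
    only if at least one wanted claim is absent, so an ID token that already
    carries the attributes costs no extra round trip. A userinfo response whose
    'sub' differs from the ID token's is rejected outright, as OIDC Core 1.0
    section 5.3.2 requires, so one user's attributes can never be attached to
    another user's session.
    """
    sub = id_token_claims["sub"]
    profile = {"sub": sub}
    missing = []
    for claim in wanted:
        if claim in id_token_claims:
            profile[claim] = id_token_claims[claim]
        else:
            missing.append(claim)
    if missing:
        info = userinfo.get()
        if info.get("sub") != sub:
            raise ValueError("userinfo sub does not match ID token sub; response discarded")
        for claim in missing:
            if claim in info:
                profile[claim] = info[claim]
    return profile


if __name__ == "__main__":
    client = UserInfoClient(lambda: USERINFO_BODY)
    print(build_profile(ID_TOKEN_CLAIMS, client), "round trips:", client.calls)
```

With the playground's ID token the profile has to be completed from userinfo (one round trip, `email` and `preferred_username` filled in, `name` left out because the sample body lacks it). An ID token that already carries the wanted claims, which is what adding attributes to the token buys you, yields the same profile with zero round trips. The `sub` comparison is the part an application that simply reads claims off the id_token tends to skip.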
Knowledge Partner

Re: How to get user info from OpenId Id token?

On 06-03-2018 4:34 AM, kevinmsrs wrote:
>
> fabiosakiyama;2474323 Wrote:
>> Hi Edward,
>>
>> I'm sorry, but i'm struggling to understand the use of the id token 😞
>> If i cannot add user information inside the id token (in order to avoid
>> to request from userinfo with access_token), why should one use
>> id_token?
>>
>> Thanks in advance!

>
> I also thought that the id_token returns user information. Here is the
> example from the OpenID spec documentation
> (https://openid.net/specs/openid-connect-core-1_0.html#id_token-tokenExample).
>
>
> Code:
> --------------------
> {
> "iss": "http://server.example.com",
> "sub": "248289761001",
> "aud": "s6BhdRkqt3",
> "nonce": "n-0S6_WzA2Mj",
> "exp": 1311281970,
> "iat": 1311280970,
> "name": "Jane Doe",
> "given_name": "Jane",
> "family_name": "Doe",
> "gender": "female",
> "birthdate": "0000-10-31",
> "email": "janedoe@example.com",
> "picture": "http://example.com/janedoe/me.jpg"
> }
> --------------------
>
>
> I am running into issues as the application I'm trying to provision is
> trying to pull the "email" claim from the id_token but fails.
>
>


You can extend the access token as that is also in JWT format since 4.4. If that fails, all I can suggest is to open an SR, which will probably lead to NTS
suggesting to raise an enhancement request.

--
Cheers,
Edward
cnrossi Absent Member.

Re: How to get user info from OpenId Id token?

Do you know how to parse/decrypt the Access Token to get those values? Even when I disable the token encryption it seems to be encrypted. I tried to decode it in jwt.io, but it doesn't show the payload.

edmaa;2476639 wrote:
On 06-03-2018 4:34 AM, kevinmsrs wrote:
>
> fabiosakiyama;2474323 Wrote:
>> Hi Edward,
>>
>> I'm sorry, but i'm struggling to understand the use of the id token 😞
>> If i cannot add user information inside the id token (in order to avoid
>> to request from userinfo with access_token), why should one use
>> id_token?
>>
>> Thanks in advance!

>
> I also thought that the id_token returns user information. Here is the
> example from the OpenID spec documentation
> (https://openid.net/specs/openid-connect-core-1_0.html#id_token-tokenExample).
>
>
> Code:
> --------------------
> {
> "iss": "http://server.example.com",
> "sub": "248289761001",
> "aud": "s6BhdRkqt3",
> "nonce": "n-0S6_WzA2Mj",
> "exp": 1311281970,
> "iat": 1311280970,
> "name": "Jane Doe",
> "given_name": "Jane",
> "family_name": "Doe",
> "gender": "female",
> "birthdate": "0000-10-31",
> "email": "janedoe@example.com",
> "picture": "http://example.com/janedoe/me.jpg"
> }
> --------------------
>
>
> I am running into issues as the application I'm trying to provision is
> trying to pull the "email" claim from the id_token but fails.
>
>


You can extend the access token as that is also in JWT format since 4.4. If that fails, all I can suggest is to open an SR, which will probably lead to NTS
suggesting to raise an enhancement request.

--
Cheers,
Edward
cnrossi Absent Member.

Re: How to get user info from OpenId Id token?

Sorry, it is documented here: https://www.netiq.com/documentation/access-manager-44-appliance/admin/data/b1dj6b2f.html#encrypting-access-token

Encrypting the Token with Access Manager Key
If you want the resource server to contact the authorization server for validating an OAuth token, you can encrypt the token by using Access Manager keys. This is the default encryption method.

Access Manager encrypts the token by using a random symmetric key, then the encrypted token is signed by using an Access Manager public key. When the resource server consumes the access token, it requests Identity Server to validate the token.

Encrypting the Token with Resource Server Key
If you want the resource server to decrypt and validate the OAuth token, you can encrypt the token by using the resource server key.

I don't know why MF uses the access_token as the id_token. If the user claims/scopes are attached to the access_token and it can also be signed and encrypted, why should I need an ID_TOKEN or OIDC?
Knowledge Partner

Re: How to get user info from OpenId Id token?

On 28-07-2018 6:54 AM, cnrossi wrote:
>
> Sorry, it is documented here:
> https://www.netiq.com/documentation/access-manager-44-appliance/admin/data/b1dj6b2f.html#encrypting-access-token
>
> Encrypting the Token with Access Manager Key
> If you want the resource server to contact the authorization server for
> validating an OAuth token, you can encrypt the token by using Access
> Manager keys. This is the default encryption method.


You can get unencrypted tokens by providing the resource server parameter.


> Access Manager encrypts the token by using a random symmetric key, then
> the encrypted token is signed by using an Access Manager public key.
> When resource server consumes the access token, it requests Identity
> Server to validate the token.
>
> Encrypting the Token with Resource Server Key
> If you want the resource server to decrypt and validate the OAuth token,
> you can encrypt the token by using resource server key.
>
> I don't know why MF uses the access_token as the id_token. If the user
> claims/scopes are attached to the access_token and it can also be signed
> and encrypted, why should I need an ID_TOKEN or OIDC?


I've seen other providers do the same to be honest, but how and why, as per my previous answer, I can't really answer.


--
Cheers,
Edward
cnrossi Absent Member.

Re: How to get user info from OpenId Id token?

Thank you Edward. I already tried to read the access token with the resource server parameter and it works fine. But most of the frameworks work with the ID_TOKEN.


edmaa;2484874 wrote:
On 28-07-2018 6:54 AM, cnrossi wrote:
>
> Sorry, it is documented here:
> https://www.netiq.com/documentation/access-manager-44-appliance/admin/data/b1dj6b2f.html#encrypting-access-token
>
> Encrypting the Token with Access Manager Key
> If you want the resource server to contact the authorization server for
> validating an OAuth token, you can encrypt the token by using Access
> Manager keys. This is the default encryption method.


You can get unencrypted tokens by providing the resource server parameter.


> Access Manager encrypts the token by using a random symmetric key, then
> the encrypted token is signed by using an Access Manager public key.
> When resource server consumes the access token, it requests Identity
> Server to validate the token.
>
> Encrypting the Token with Resource Server Key
> If you want the resource server to decrypt and validate the OAuth token,
> you can encrypt the token by using resource server key.
>
> I don't know why MF uses the access_token as the id_token. If the user
> claims/scopes are attached to the access_token and it can also be signed
> and encrypted, why should I need an ID_TOKEN or OIDC?


I've seen other providers do the same to be honest, but how and why, as per my previous answer, I can't really answer.


--
Cheers,
Edward
fsakiyama Absent Member.

Re: How to get user info from OpenId Id token?

kevinmsrs;2476593 wrote:
I also thought that the id_token returns user information. Here is the example from the OpenID spec documentation (https://openid.net/specs/openid-connect-core-1_0.html#id_token-tokenExample).

{
"iss": "http://server.example.com",
"sub": "248289761001",
"aud": "s6BhdRkqt3",
"nonce": "n-0S6_WzA2Mj",
"exp": 1311281970,
"iat": 1311280970,
"name": "Jane Doe",
"given_name": "Jane",
"family_name": "Doe",
"gender": "female",
"birthdate": "0000-10-31",
"email": "janedoe@example.com",
"picture": "http://example.com/janedoe/me.jpg"
}


I am running into issues as the application I'm trying to provision is trying to pull the "email" claim from the id_token but fails.


Hello Kevin,

Did you manage to make it work?

Thanks in advance.
Micro Focus Frequent Contributor

Re: How to get user info from OpenId Id token?

Hi,

NAM 4.5 supports this feature of adding user attributes to the Access Token as well as the ID Token. Please check the following link:

Support for Adding User Attributes to an ID Token and Adding Claims to both Access and ID Tokens
