# ory-network
g
Here I go again 🙂 We're requesting an ID token (and also /userinfo) with scopes `openid, profile, email` and our identity schema (and data) contains a `name` field. However, neither token nor userinfo contain the name field. Reading the documentation it sounds like this could be intended behavior by Ory, but there is no description on how to change it. Can you help?
Reading e.g. https://auth0.com/docs/get-started/apis/scopes/openid-connect-scopes#standard-claims, the `profile` scope should result in `name` (and other) fields being added to the userinfo response / ID token, but it seems not to be the case with Ory.
The way I understand the documentation is that you can add additional fields like `foo` to be included by adding them to the consent acceptance post. But I would still expect that we don't have to do the effort of implementing this for the OIDC standard of `profile`. Or am I misunderstanding something here?
We just found out that the response of `.well-known/openid-configuration` shows:

```json
"scopes_supported": [
        "offline_access",
        "offline",
        "openid"
    ],
```
So there's no `profile` scope in there. Could this be related? Now trying to figure out how to get it in there…
So I have been reading quite a bit of source code to understand how Hydra decides which fields to include into the `/userinfo` response. From what I understand from `getOidcUserInfo` in `oauth2/handler.go:546` I can not see where the fields are added that should be within the response (`oidcUserInfo` struct, containing fields like `name` as described in https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims). Is this a bug or is my Golang'ish too bad and I just can't find it? @high-optician-2097 Your name is all over the commit log in this area, you probably know best.
Funny enough, the only string occurrences of e.g. `Name`, `GivenName`, `FamilyName`, etc. are within the auto-generated client, I can't seem to find them on the server side.
f
I believe it includes the values you set for `id_token` when you accept the consent flow: https://www.ory.sh/docs/hydra/concepts/consent#accepting-the-consent-flow See also https://ory-community.slack.com/archives/C02MR4DEEGH/p1677093332549029
g
@flat-flower-81031 Even tried that with no success. I might have done something wrong though.
Also, FWICT no tests seem to cover checking if requesting the `profile` scope will lead to either the ID token containing the scope's claims, or the userinfo response retrieved with the access token. All in all, to me this looks like Hydra is misbehaving wrt. https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
f
I think the tricky part is there is no way to map what “profile” means in your identity schema.
g
Hmm. I believe I understand what you mean. It could probably be done by convention (`name` in Identity Schema corresponds to the `name` claim in the `profile` scope) or by configuration (at the identity schema field). Is Hydra's generic flexibility here in conflict with the OIDC standard?
For anyone reading here: @steep-lamp-91158 was of great help earlier. He basically confirmed our observations. We now know that (for now) the only way to implement what we want, is to implement it ourselves in the consent flow. In the long run, this should be easier / less effort, so there’s now a feature request ticket to continue the discussion: https://github.com/ory/network/issues/261
h
👍