- changed status to invalid
OIDCProviderMetadata.parse drops claims known by its superclass
Issue #339
invalid
OIDCProviderMetadata.parse(final String s) seems to drop the claims that are known by its superclass (AuthorizationServerMetadata). See the code example below:
final String data = "{\n" +
" \"issuer\": \"http://idp.example.org\",\n" +
" \"authorization_endpoint\": \"https://op.example.org/authorize\",\n" +
" \"jwks_uri\": \"https://op.example.org/keyset.jwk\",\n" +
" \"response_types_supported\": [ \"id_token\" ],\n" +
" \"subject_types_supported\": [ \"public\", \"pairwise\"\n ],\n" +
" \"request_parameter_supported\": false,\n" +
" \"request_uri_parameter_supported\": false,\n" +
" \"require_request_uri_registration\": false\n }";
OIDCProviderMetadata metadata = OIDCProviderMetadata.parse(data);
System.out.println(metadata.toJSONObject().toJSONString());
STDOUT:
{
"authorization_endpoint": "https:\/\/op.example.org\/authorize",
"issuer": "http:\/\/idp.example.org",
"jwks_uri": "https:\/\/op.example.org\/keyset.jwk",
"response_types_supported": ["id_token"],
"subject_types_supported": ["public", "pairwise"],
"request_uri_parameter_supported": false
}
The output lacks the following two claims:
require_request_uri_registration
request_parameter_supported
Both of those claims are included in the Set<String> p of AuthorizationServerMetadata.
I’m using oauth2-oidc-sdk-8.33.jar now. Previously I was using 7.1.1 in the same way, and back then I got those claims that are now missing.
Comments (2)
-
-
Having said that, pushed a mini update as v8.34 to always output
request_uri_parameter_supported
because for OP metadata the default iftrue
and for AS metadatafalse
.This can create confusions, so better be explicit :)
- Log in to comment
Hello,
At some point in the past the code was updated to not output metadata params from various OIDC and OAuth extensions which have a default value of
false
. So that the metadata JSON object doesn't get cluttered with metadata from disabled and unsupported extensions.The mentioned params have such defaults to
false
.