OIDCProviderMetadata.parse drops claims known by its superclass

Issue #339 invalid
Henri Mikkonen created an issue

OIDCProviderMetadata.parse(final String s) seems to drop the claims that are known by its superclass (AuthorizationServerMetadata). See the code example below:

        final String data = "{\n" + 
                " \"issuer\": \"http://idp.example.org\",\n" + 
                " \"authorization_endpoint\": \"https://op.example.org/authorize\",\n" +  
                " \"jwks_uri\": \"https://op.example.org/keyset.jwk\",\n" + 
                " \"response_types_supported\": [ \"id_token\" ],\n" + 
                " \"subject_types_supported\": [ \"public\", \"pairwise\"\n ],\n" + 
                " \"request_parameter_supported\": false,\n" + 
                " \"request_uri_parameter_supported\": false,\n" + 
                " \"require_request_uri_registration\": false\n }";

        OIDCProviderMetadata metadata = OIDCProviderMetadata.parse(data);
        System.out.println(metadata.toJSONObject().toJSONString());

STDOUT:

{
    "authorization_endpoint": "https:\/\/op.example.org\/authorize",
    "issuer": "http:\/\/idp.example.org",
    "jwks_uri": "https:\/\/op.example.org\/keyset.jwk",
    "response_types_supported": ["id_token"],
    "subject_types_supported": ["public", "pairwise"],
    "request_uri_parameter_supported": false
}

The output lacks the following two claims:

  • require_request_uri_registration
  • request_parameter_supported

Both of those claims are included in the Set<String> p of AuthorizationServerMetadata.

I’m using oauth2-oidc-sdk-8.33.jar now. Previously I was using 7.1.1 in the same way, and back then I got those claims that are now missing.

Comments (2)

  1. Yavor Vasilev

    Hello,

    At some point in the past the code was updated to not output metadata params from various OIDC and OAuth extensions which have a default value of false, so that the metadata JSON object doesn't get cluttered with metadata from disabled and unsupported extensions.

    The mentioned params default to false.

    request_parameter_supported OPTIONAL. Boolean value specifying whether the OP supports use of the request parameter, with true indicating support. If omitted, the default value is false.

    request_uri_parameter_supported OPTIONAL. Boolean value specifying whether the OP supports use of the request_uri parameter, with true indicating support. If omitted, the default value is true.

    require_request_uri_registration OPTIONAL. Boolean value specifying whether the OP requires any request_uri values used to be pre-registered using the request_uris registration parameter. Pre-registration is REQUIRED when the value is true. If omitted, the default value is false.
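
The behaviour described in the comment above, modelled as an added example (not code from the SDK or from either participant): a consumer that applies the defaults from the quoted spec text reads the same three values before and after default-valued flags are dropped. `effective_flags`, `drop_defaults` and `same_policy` are hypothetical names; the sample document is the one posted in the issue.

```python
import json

# Defaults taken from the spec text quoted in the comment above.
SPEC_DEFAULTS = {
    "request_parameter_supported": False,
    "request_uri_parameter_supported": True,
    "require_request_uri_registration": False,
}

def effective_flags(metadata: dict) -> dict:
    """Return the three flags, applying the spec default to any absent claim."""
    flags = {}
    for name, default in SPEC_DEFAULTS.items():
        value = metadata.get(name, default)
        if not isinstance(value, bool):
            # Reject "false", 0, null etc. instead of coercing them silently.
            raise ValueError(f"{name} must be a JSON boolean, got {value!r}")
        flags[name] = value
    return flags

def drop_defaults(metadata: dict) -> dict:
    """Hypothetical model of a serializer that omits flags equal to their default."""
    return {k: v for k, v in metadata.items()
            if not (k in SPEC_DEFAULTS and v is SPEC_DEFAULTS[k])}

def same_policy(a: dict, b: dict) -> bool:
    """Compare two metadata documents by effective flag values, not raw keys."""
    return effective_flags(a) == effective_flags(b)

# Input document from the issue.
INPUT = json.loads("""{
  "issuer": "http://idp.example.org",
  "authorization_endpoint": "https://op.example.org/authorize",
  "jwks_uri": "https://op.example.org/keyset.jwk",
  "response_types_supported": ["id_token"],
  "subject_types_supported": ["public", "pairwise"],
  "request_parameter_supported": false,
  "request_uri_parameter_supported": false,
  "require_request_uri_registration": false
}""")
OUTPUT = drop_defaults(INPUT)

if __name__ == "__main__":
    print("dropped:", sorted(set(INPUT) - set(OUTPUT)))
    print("effective:", effective_flags(OUTPUT))
    print("same policy:", same_policy(INPUT, OUTPUT))
```

`request_uri_parameter_supported` stays in the output because its value `false` differs from the quoted default of `true`; a consumer that treated an absent claim as `false` would misread that flag on providers that omit it.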
