Setting temporary claims for federated users requires remote claim URIs #13728

@rksk

Description

Describe the issue:
The feature introduced in #9293 allows temporary claims to be set for an authentication flow from an adaptive authentication script. As implemented, this is supposed to work for both federated and local users.

For local users, the temporary claims are put into the all-local-claims map [1], overriding the user store claims, and then SP claim mapping is done. For federated users, however, the temporary claims are put into the federated claims map [2], and then IdP and SP claim mapping is done. Therefore, if different IdPs used in a single service provider have different claim mappings, it is not possible to set temporary claims that satisfy all of them, since the temporary claims must be set using federated claim URIs.
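
The two pipelines described above, as an added model (not WSO2 Identity Server code) with constructed IdP and SP claim mappings. It assumes that a claim with no mapping entry is dropped at each mapping stage, which matches the observed behaviour: a temporary claim keyed by a local claim URI reaches the SP in the local flow but is lost in the federated flow unless it is keyed by the remote (federated) URI instead.

```javascript
// Added illustration, not code from the WSO2 framework.
// All mappings and claim values below are constructed sample data.
const NICKNAME = 'http://wso2.org/claims/nickname';
const EMAIL = 'http://wso2.org/claims/emailaddress';

// IdP-side mapping: remote (federated) claim URI -> local claim URI.
const idpClaimMapping = { email: EMAIL, nick: NICKNAME };
// SP-side mapping: local claim URI -> claim name the application receives.
const spClaimMapping = { [EMAIL]: 'email', [NICKNAME]: 'nickname' };

// Assumption: claims without a mapping entry are dropped (not passed through).
function applyMapping(claims, mapping) {
  const out = {};
  for (const [key, value] of Object.entries(claims)) {
    if (mapping[key] !== undefined) out[mapping[key]] = value;
  }
  return out;
}

// Local flow: temporary claims override the user store claims in the
// all-local-claims map, then SP claim mapping runs.
function localFlow(userStoreClaims, tempClaims) {
  const allLocal = { ...userStoreClaims, ...tempClaims };
  return applyMapping(allLocal, spClaimMapping);
}

// Federated flow: temporary claims are merged into the *remote* claims map
// before IdP mapping, so they only survive if keyed by the remote URI.
function federatedFlow(remoteClaims, tempClaims) {
  const allRemote = { ...remoteClaims, ...tempClaims };
  const local = applyMapping(allRemote, idpClaimMapping);
  return applyMapping(local, spClaimMapping);
}

// Reproduces the issue: the same local-URI temporary claim is delivered in
// the local flow and silently dropped in the federated flow.
function demo() {
  const tempByLocalUri = { [NICKNAME]: 'set by adaptive script' };
  const tempByRemoteUri = { nick: 'set by adaptive script' };
  return {
    local: localFlow({ [EMAIL]: 'alice@example.com' }, tempByLocalUri),
    federated: federatedFlow({ email: 'alice@example.com' }, tempByLocalUri),
    federatedRemoteKey: federatedFlow({ email: 'alice@example.com' }, tempByRemoteUri),
  };
}
```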

How to reproduce:

  • Configure a service provider with the following adaptive script and add nickname as a requested claim
// Adaptive authentication script: sets a temporary nickname claim on the
// authenticated subject using the local claim URI in both flows.
var onLoginRequest = function(context) {
    executeStep(1, {
        onSuccess: function(context) {
            var user = context.steps[1].subject;
            if (context.steps[1].idp === 'LOCAL') {
                Log.info('local login flow');
                user.claims['http://wso2.org/claims/nickname'] = 'local login flow';
            } else {
                Log.info('federated login flow');
                user.claims['http://wso2.org/claims/nickname'] = 'federated login flow';
            }
        }
    });
};
  • Add basic authentication and a federated OIDC authenticator to the first step
  • The SP now receives the nickname in the local authentication flow, but not in the federated flow

Expected behavior:
It should be possible to set temporary claims in the same way (using local claim URIs) regardless of the authenticator used.

Environment information

  • Product Version: IS 5.11.0

[1] https://github.com/wso2/carbon-identity-framework/blob/be8975b91fe2b12f938512753f11da17cb71b54b/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/handler/claims/impl/DefaultClaimHandler.java#L482
[2] https://github.com/wso2/carbon-identity-framework/blob/be8975b91fe2b12f938512753f11da17cb71b54b/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/handler/claims/impl/DefaultClaimHandler.java#L169
