IBM Verify

  • 1.  OIDC Getting User Attributes in UserInfo

    Posted Mon April 27, 2020 10:00 AM
    Hello,

    I have enabled OIDC protection using ISAM for one application.

    For this I have created a junction in the RP using 'AAC and Federation Configuration' --> 'OAuth and OpenID Connect Provider Configuration'. I have then configured the 'OpenID Connect and API Protection' on the policy server. The application is able to connect and is receiving {"sub":"username"}.
    But the application here wants more attributes on /userInfo to do authentication.

    For this, in the Reverse Proxy configuration, I have added the below:

    [TAM_CRED_ATTRS_SVC]
    organizationalPerson = azn_cred_registry_id

    [TAM_CRED_ATTRS_SVC:organizationalPerson]
    location = l
    email = mail


    And in the post token mapping rule, I have added:

    // request_type and state_id are read from the request context earlier in the rule
    if (request_type == "authorization") {
        // Authorization request: read the "location" attribute that the reverse proxy
        // added to the credential and associate it with this grant's state_id so it
        // can be retrieved again when the token is issued.
        var to_save = stsuu.getAttributeContainer().getAttributeValueByName("location");
        OAuthMappingExtUtils.associate(state_id, "location", to_save);
    } else if (request_type == "access_token") {
        // Access token request: look the value up by state_id and add it as an
        // OAuth response attribute.
        var loc = OAuthMappingExtUtils.getAssociation(state_id, "location");
        stsuu.addContextAttribute(new com.tivoli.am.fim.trustserver.sts.uuser.Attribute(
            "LOCATION", "urn:ibm:names:ITFIM:oauth:response:attribute", loc));
    }

    But I am not getting the location attribute in the access_token response. I also think that the flow is not going into the "authorization" condition. It goes into the access_token flow, and I can see some hardcoded values if I add them into a context attribute.

    Can someone help?

    ------------------------------
    Kedar Kulkarni
    ------------------------------


  • 2.  RE: OIDC Getting User Attributes in UserInfo

    Posted Fri May 01, 2020 01:39 AM
    Hi Guys,

    I got through by just setting the scope in the request to "openid location". /UserInfo is sending { "sub":"username", "location":"locvalue"} to the client.

    But the only thing I noticed is that if I do any customization in the POST token mapping rule, like setting the scope attribute to "openid location", then it again stops working and sends just the "sub" in the response.

    ------------------------------
    Kedar Kulkarni
    ------------------------------
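Since the application intends to use the /userinfo attributes for authentication, the check worth pairing with this setup sits on the relying-party side: OpenID Connect Core 1.0 (section 5.3.2) requires the client to verify that the sub returned by /userinfo matches the sub of the ID token it already validated before trusting any other claim. The following is an added example, not code from this thread or from IBM; the issuer, client id and response bodies are constructed samples.

```javascript
// Added example (not from the thread or from IBM): relying-party validation of a
// /userinfo response before its claims (e.g. "location") feed an authentication
// decision. OIDC Core 1.0 section 5.3.2: the UserInfo "sub" MUST exactly match
// the ID Token "sub"; on mismatch the UserInfo values MUST NOT be used.

// Constructed sample data: the ID token claims the client already validated,
// and three possible bodies returned by /userinfo.
const SAMPLE_ID_TOKEN_CLAIMS = { iss: "https://isam.example.test", sub: "username", aud: "app-client" };
const USERINFO_WITH_LOCATION = '{"sub":"username","location":"locvalue"}';
const USERINFO_SUB_ONLY = '{"sub":"username"}';                    // scope lacked "location"
const USERINFO_WRONG_SUB = '{"sub":"someoneelse","location":"locvalue"}';

// Returns { ok: true, claims } with only the requested claims copied out, or
// { ok: false, reason } when the response must not be trusted.
function validateUserInfo(idTokenClaims, userInfoBody, requiredClaims) {
  let userInfo;
  try {
    userInfo = JSON.parse(userInfoBody);
  } catch (e) {
    return { ok: false, reason: "userinfo body is not valid JSON" };
  }
  if (userInfo === null || typeof userInfo !== "object" || Array.isArray(userInfo)) {
    return { ok: false, reason: "userinfo body is not a JSON object" };
  }
  // The sub comparison is the security-relevant step: it binds the extra
  // attributes to the identity asserted by the ID token for this session.
  if (typeof userInfo.sub !== "string" || userInfo.sub !== idTokenClaims.sub) {
    return { ok: false, reason: "sub in userinfo does not match sub in ID token" };
  }
  // Every claim the application relies on must actually be present; in the
  // thread the attribute only appears once the matching scope is requested.
  const missing = requiredClaims.filter((c) => typeof userInfo[c] !== "string" || userInfo[c] === "");
  if (missing.length > 0) {
    return { ok: false, reason: "missing claims: " + missing.join(", ") };
  }
  const claims = {};
  for (const c of requiredClaims) {
    claims[c] = userInfo[c];
  }
  return { ok: true, claims };
}

// Stand-alone run: show the outcome for each constructed response.
for (const body of [USERINFO_WITH_LOCATION, USERINFO_SUB_ONLY, USERINFO_WRONG_SUB]) {
  console.log(body, "=>", JSON.stringify(validateUserInfo(SAMPLE_ID_TOKEN_CLAIMS, body, ["location"])));
}
```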