Hi all,
I configured an OpenID Connect provider with access code flow to receive an Access Token, Refresh Token and ID Token.
We realized that, after adding the claims in the mapping rules as described in all the documentation, we have a strange behavior:
after receiving the first AT, RT and IT, if the user asks for the page:
https://webseal/mga/sps/mga/user/mgmt/html/device/grant_attributes.html?
the user can change the content of the claims:
It's possible to change the value by choosing "update". If the user makes a request to receive a new Refresh Token, ID Token and Access Token, using the previous Refresh Token, the new ID Token has the claims populated with the manually modified value.
I saw that the default behavior is that the attributes are all writable, but can we do something to change this behavior? At the moment we have decided to add an ACL to disable the access to the page, but we think that it's a real security problem. Has someone had the same problem?
Thank you,
Ivana
------------------------------
Ivana Campolongo
------------------------------