2
votes

Since the ADFS 4.0 implicit flow doesn't return custom claims in the id_token, I tried getting those from the userInfo endpoint. To get an access token for the userinfo endpoint one must use the resource urn:microsoft:userinfo. So to get an access token for resources and an id token for the client, one must send two queries.

After that the userinfo endpoint responds with just

{
    "sub": "fRwBBEb3bOu6Pt/xHsS0/Z5TKn24llZ3FGFMT+LP9QA="
}

Custom claims are always available in the access_token, and if I use response_mode=form_post when querying the token endpoint then they are also in the id_token. Form post is not suitable for a SPA. Is userinfo supposed to return anything useful at all?

3

3 Answers

1
votes

It could, e.g. the Azure AD endpoint returns a lot more, but that's the way the ADFS team have implemented this.

You could ask for more claims to be returned via uservoice.

0
votes

Apparently the ADFS 2016 userinfo endpoint does not return more than the subject claim, according to the ADFS FAQ:

The ADFS userinfo endpoint always returns the subject claim as specified in the OpenID standards. AD FS does not provide additional claims requested via the UserInfo endpoint. If you need additional claims in ID token, refer to Custom ID Tokens in AD FS.

0
votes

I have solved my problem with it https://www.michaelboeynaems.com/keycloak-ADFS-OIDC.html

The solution consists in returning the claims that you want in the token, instead of trying to get that information via userInfo, because, like Tosh said, it returns only the subject claim.

Microsoft's official documentation shows how to put the claims in your token, but a few tricks I found only in the blog that I mention above (even though, after fully understanding it, I saw everything in the Microsoft documentation).