2
votes

In my requirement, I need to get the "auth_time" and "acr" OpenID claims. In my id token I can only get these claims: amr, iss, exp, iat, nonce, c_hash, aud and at_hash

How can I add these claims to the token response? I use the openid-client Node.js library, adding scope="openid"


2 Answers

1
votes

According to the OpenID Connect spec, auth_time and acr are optional claims. So by default WSO2 Identity server does not send these claims in id_token.

1. auth_time:

According to the spec,

auth_time: Time when the End-User authentication occurred. Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time. When a max_age request is made or when auth_time is requested as an Essential Claim, then this Claim is REQUIRED; otherwise, its inclusion is OPTIONAL.

Identity server adheres to the spec and you have options to get auth_time as a claim in the id_token.

Option 1:

To get auth_time, you can send a request with max_time as a parameter during the authorization flow. A sample request is given below

https://localhost:9443/oauth2/authorize?response_type=code&scope=openid&max_age=12345&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fplayground2%2Foauth2client&client_id=KmerETRbZx2ErGhCqRfv4xhxeSAa

Option 2:

Else, you can request auth_time as an essential claim in the request. You have to pass claims as a request parameter and send auth_time as an essential claim.

{"id_token":{"auth_time":{"essential":true}}}

You have to URL-encode this and pass it as the value of the claims request parameter to the authorize endpoint. A sample request is given below.

https://localhost:9443/oauth2/authorize?response_type=code&scope=openid&claims=%7B%22id_token%22%3A%7B%22auth_time%22%3A%7B%22essential%22%3Atrue%7D%7D%7D&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fplayground2%2Foauth2client&client_id=KmerETRbZx2ErGhCqRfv4xhxeSAa

2. acr:

acr: OPTIONAL. Authentication Context Class Reference.

To get the acr value in the id_token, first you need to pass acr_values as a request parameter with all the acr values.

You can easily use ACR and AMR with WSO2 Identity Server by using adaptive authentication scripts. Through this the identity provider can enforce additional assurance in the user authentication flow. You can select the acr from the authentication scripts. Then Identity server will send the selected acr in the id_token response. You can follow this document to work with ACR in identity server and how to configure to get acr value in the id_token.
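As an added example (not code from the question, the answer or WSO2), here is how a Node.js relying party can build the two authorization requests described above, with the claims JSON percent-encoded by URLSearchParams rather than by hand, and then check the returned auth_time and acr claims after the ID token signature has been verified (e.g. by openid-client). It uses only Node built-ins; the endpoint, client_id and redirect_uri are taken from the sample URLs, and the function names are my own.

```javascript
// Added example, not from the original post: builds the authorization
// request and performs the relying-party checks on the ID token claims.
const AUTHORIZE_ENDPOINT = "https://localhost:9443/oauth2/authorize";

// Build the authorization URL. URLSearchParams percent-encodes the claims
// JSON, so braces and quotes arrive intact at the authorize endpoint.
function buildAuthorizeUrl({ clientId, redirectUri, maxAge, essentialIdTokenClaims, acrValues }) {
  const url = new URL(AUTHORIZE_ENDPOINT);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("scope", "openid");
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("redirect_uri", redirectUri);
  // Option 1: max_age forces the IdP to include auth_time.
  if (maxAge !== undefined) url.searchParams.set("max_age", String(maxAge));
  // Option 2: claims={"id_token":{"auth_time":{"essential":true}}}
  if (essentialIdTokenClaims && essentialIdTokenClaims.length) {
    const idTokenClaims = {};
    for (const name of essentialIdTokenClaims) idTokenClaims[name] = { essential: true };
    url.searchParams.set("claims", JSON.stringify({ id_token: idTokenClaims }));
  }
  // acr_values is a space-separated list of acceptable acr values.
  if (acrValues && acrValues.length) url.searchParams.set("acr_values", acrValues.join(" "));
  return url.toString();
}

// Relying-party side: after signature, iss, aud, exp and nonce have been
// verified, confirm the requested claims came back and satisfy the request.
// Returns a list of problems; an empty list means the token passes.
function checkIdTokenClaims(payload, { maxAge, acrValues, now = Math.floor(Date.now() / 1000) }) {
  const problems = [];
  if (maxAge !== undefined) {
    // With max_age the ID token MUST carry auth_time; enforce the freshness window.
    if (typeof payload.auth_time !== "number") {
      problems.push("auth_time missing although max_age was requested");
    } else if (now - payload.auth_time > maxAge) {
      problems.push(`auth_time ${payload.auth_time} is older than max_age ${maxAge}s`);
    }
  }
  if (acrValues && acrValues.length) {
    // Only accept an acr that we actually asked for.
    if (typeof payload.acr !== "string") {
      problems.push("acr missing although acr_values was requested");
    } else if (!acrValues.includes(payload.acr)) {
      problems.push(`acr "${payload.acr}" is not one of the requested values`);
    }
  }
  return problems;
}
```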

0
votes

You may want to add those claims as Requested Claims in the Service Provider.

https://docs.wso2.com/display/IS580/Configuring+Claims+for+a+Service+Provider