UserInfo Endpoint Always Returns Federated IdP Subject Claim Ignoring Alternate Subject Identifier in Implicit Grant

[isuruhettiarachchi]

Description

When a federated OIDC IdP is configured and an alternate subject identifier (User ID Claim URI) is set to a different claim, it is possible to receive an alternative user claim value as the sub claim in the ID token. If the implicit grant is used and the token is then used with the userinfo endpoint, the subject will revert to the original subject value returned by the federated IdP.

This behavior does not occur with the authorization code grant.

Steps to Reproduce

1. Configure a federated OIDC IdP.

Federated IDP will send something like below in id token

{
  "sub": "acb13b4e-cd63-4348-a95a-19ead6c832d9",
  "iss": "https://localhost:9444/oauth2/token",
  "preferred_username": "johndoe",
  "email": "[email protected]"
}

2. Define a custom claim dialect (make sure to add the necessary configs in deployment.toml file to enable custom claim mapping).

preferred_username : http://wso2.org/claims/username

3. Select a different claim for user id claim URI.

User ID Claim URI: preferred_username

4. Create an OIDC service provider.
5. Select the Subject Claim URI that was mapped in the step 3 (http://wso2.org/claims/username)
6. Get an access token and id token with implicit grant.

• sub claim of the id token will be johndoe

8. Invoke the userinfo endpoint the access token

• sub value of the userinfo response will be acb13b4e-cd63-4348-a95a-19ead6c832d9

9. sub value must be consistent in id token and userinfo response

Version

IS 5.11.0

Environment Details (with versions)

No response