Using arbitrary OIDC requested claims values in id_token and user_info is allowed

Author: maximthomas

openam-oauth2/src/test/java/org/forgerock/openam/openidconnect/OidcClaimsExtensionTest.java

@@ -12,6 +12,7 @@
  * information: "Portions copyright [year] [name of copyright owner]".
  *
  * Copyright 2015-2016 ForgeRock AS.
+ * Portions copyright 2025 3A Systems LLC.
  */
 
 package org.forgerock.openam.openidconnect;
@@ -71,6 +72,10 @@ public void setupScript() throws Exception {
     @BeforeMethod
     public void setup() throws Exception {
         this.logger = mock(Debug.class);
+        doAnswer(invocationOnMock -> {
+          System.out.println(invocationOnMock.getArguments()[0]);
+          return null;
+        }).when(logger).warning(anyString());
         this.ssoToken = mock(SSOToken.class);
         this.identity = mock(AMIdentity.class);
         this.accessToken = new StatefulAccessToken(json(object()), OAuth2Constants.Token.OAUTH_ACCESS_TOKEN, "id");
@@ -106,18 +111,20 @@ public void testProfileScope() throws Exception {
     public void testRequestedClaims() throws Exception {
         // Given
         Map<String, Set<String>> requestedClaims = new HashMap<String, Set<String>>();
-        requestedClaims.put("given_name", asSet("fred"));
+        requestedClaims.put("given_name", asSet("joe", "fred"));
         requestedClaims.put("family_name", asSet("flintstone"));
+
         Bindings variables = testBindings(asSet("profile"), requestedClaims);
         when(identity.getAttribute("cn")).thenReturn(asSet("Joe Bloggs"));
+        when(identity.getAttribute("sn")).thenReturn(asSet("bloggs"));
+        when(identity.getAttribute("givenname")).thenReturn(asSet("joe"));
 
         // When
         UserInfoClaims result = scriptEvaluator.evaluateScript(script, variables);
 
         // Then
         assertThat(result.getValues()).containsOnly(
-                entry("given_name", "fred"),
-                entry("family_name", "flintstone"),
+                entry("given_name", "joe"),
                 entry("name", "Joe Bloggs"));
 
         assertThat(result.getCompositeScopes()).containsOnlyKeys("profile");
@@ -128,7 +135,7 @@ public void testRequestedClaims() throws Exception {
         verify(identity).getAttribute("cn");
         verify(identity).getAttribute("preferredlocale");
         verify(identity).getAttribute("preferredtimezone");
-        verifyNoMoreInteractions(identity);
+        verify(identity).getAttribute("sn");
     }
 
     @Test
@@ -139,6 +146,9 @@ public void testRequestedClaimsNoScope() throws Exception {
         requestedClaims.put("family_name", asSet("flintstone"));
         Bindings variables = testBindings(asSet("openid"), requestedClaims);
 
+        when(identity.getAttribute("sn")).thenReturn(asSet("flintstone"));
+        when(identity.getAttribute("givenname")).thenReturn(asSet("fred"));
+
         // When
         UserInfoClaims result = scriptEvaluator.evaluateScript(script, variables);
 

openam-oauth2/src/test/resources/oidc-claims-extension.groovy

@@ -12,6 +12,7 @@
 * information: "Portions copyright [year] [name of copyright owner]".
 *
 * Copyright 2014-2016 ForgeRock AS.
+* Portions copyright 2025 3A Systems LLC.
 */
 import com.iplanet.sso.SSOException
 import com.sun.identity.idm.IdRepoException
@@ -52,12 +53,16 @@ def fromSet = { claim, attr ->
 }
 
 attributeRetriever = { attribute, claim, identity, requested ->
+    def attr = fromSet(claim, identity.getAttribute(attribute))
     if (requested == null || requested.isEmpty()) {
-        fromSet(claim, identity.getAttribute(attribute))
-    } else if (requested.size() == 1) {
-        requested.iterator().next()
+        attr
     } else {
-        throw new RuntimeException("No selection logic for $claim defined. Values: $requested")
+        if (requested.contains(attr)) {
+            attr
+        } else {
+            logger.warning("OpenAMScopeValidator.getUserInfo(): $claim attribute=$attr does not match the requested value=$requested");
+            null
+        }
     }
 }
 
@@ -106,7 +111,7 @@ def computedClaims = scopes.findAll { s -> !"openid".equals(s) && scopeClaimsMap
     map << scopeClaims.findAll { c -> !requestedClaims.containsKey(c) }.collectEntries([:]) { claim -> computeClaim(claim, null) }
 }.findAll { map -> map.value != null } << requestedClaims.collectEntries([:]) { claim, requestedValue ->
     computeClaim(claim, requestedValue)
-}
+}.findAll { map -> map.value != null }
 
 def compositeScopes = scopeClaimsMap.findAll { scope ->
     scopes.contains(scope.key)

openam-scripting/src/main/groovy/oidc-claims-extension.groovy

@@ -12,6 +12,7 @@
 * information: "Portions copyright [year] [name of copyright owner]".
 *
 * Copyright 2014-2016 ForgeRock AS.
+* Portions copyright 2025 3A Systems LLC.
 */
 import com.iplanet.sso.SSOException
 import com.sun.identity.idm.IdRepoException
@@ -52,12 +53,16 @@ def fromSet = { claim, attr ->
 }
 
 attributeRetriever = { attribute, claim, identity, requested ->
+    def attr = fromSet(claim, identity.getAttribute(attribute))
     if (requested == null || requested.isEmpty()) {
-        fromSet(claim, identity.getAttribute(attribute))
-    } else if (requested.size() == 1) {
-        requested.iterator().next()
+        attr
     } else {
-        throw new RuntimeException("No selection logic for $claim defined. Values: $requested")
+        if (requested.contains(attr)) {
+            attr
+        } else {
+            logger.warning("OpenAMScopeValidator.getUserInfo(): $claim attribute=$attr does not match the requested value=$requested");
+            null
+        }
     }
 }
 
@@ -106,7 +111,7 @@ def computedClaims = scopes.findAll { s -> !"openid".equals(s) && scopeClaimsMap
     map << scopeClaims.findAll { c -> !requestedClaims.containsKey(c) }.collectEntries([:]) { claim -> computeClaim(claim, null) }
 }.findAll { map -> map.value != null } << requestedClaims.collectEntries([:]) { claim, requestedValue ->
     computeClaim(claim, requestedValue)
-}
+}.findAll { map -> map.value != null }
 
 def compositeScopes = scopeClaimsMap.findAll { scope ->
     scopes.contains(scope.key)