oauth2-server-php

OpenID Connect authorization code flow: id_token in TokenController

Open tjveldhuizen opened this issue 6 years ago • 1 comments

In my application, I'm using this configuration:

$config = [
    'use_openid_connect'             => true,
    'issuer'                         => 'mydomain.com',
    'require_exact_redirect_uri'     => false,
    'enforce_state'                  => false,
    'allow_implicit'                 => true,
    'always_issue_new_refresh_token' => true
];

As a first step, I request and receive an authorization_code at the authentication endpoint with response_type=code, scope=openid email address.

Then, I call the token endpoint using the authentication_code retrieved from the authentication endpoint. As required by the documentation at https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse, the id_token is included in the response; however, the user claims are missing. Debugging shows that the getUserClaims() method in my custom storage class is never called, neither by the authentication endpoint (the id_token in my database also has no user claims) nor by the token endpoint.

Does anybody have a clue why the user claims are missing? Or can anybody clarify whether the user claims should be put into the storage by the authentication endpoint, or added afterwards in the token endpoint?

tjveldhuizen avatar Nov 11 '19 14:11 tjveldhuizen

Seems to be the same issue as over here: https://github.com/bshaffer/oauth2-server-php/issues/812

A quick fix is to replace

        // Generate an id token if needed.
        if ($this->needsIdToken($this->getScope()) && $this->getResponseType() == self::RESPONSE_TYPE_AUTHORIZATION_CODE) {
            $params['id_token'] = $this->responseTypes['id_token']->createIdToken($this->getClientId(), $user_id, $this->nonce);
        }

with

        // Generate an id token if needed.
        if ($this->needsIdToken($this->getScope()) && $this->getResponseType() == self::RESPONSE_TYPE_AUTHORIZATION_CODE) {
            // Fetch the claims for the granted scope and hand them to createIdToken()
            // as its fourth argument ($userClaims); otherwise they are never used.
            $userClaims = $this->clientStorage->getUserClaims($user_id, $params['scope']);
            $params['id_token'] = $this->responseTypes['id_token']->createIdToken($this->getClientId(), $user_id, $this->nonce, $userClaims);
        }

vampirefrog avatar Oct 10 '23 16:10 vampirefrog
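As an added example that is not part of this thread or of oauth2-server-php, a client-side diagnostic for the symptom reported above: decode an id_token and report which scope-derived claims came back empty. The sample tokens are constructed inline with a placeholder signature, and the signature is deliberately not verified.

```python
import base64
import json

# Claims each standard scope asks for (OpenID Connect Core 1.0, section 5.4).
SCOPE_CLAIMS = {
    "profile": ["name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"],
    "email": ["email", "email_verified"],
    "address": ["address"],
    "phone": ["phone_number", "phone_number_verified"],
}
# Claims every id_token must carry regardless of scope (Core 1.0, section 2).
REQUIRED_CLAIMS = ["iss", "sub", "aud", "exp", "iat"]

def decode_payload(id_token):
    """Return the JWT payload as a dict. The signature is NOT checked here:
    this is a diagnostic for claim presence, not a reason to trust the token."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a compact JWS (header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def missing_claims(id_token, scope):
    """List required claims that are absent and scopes for which not a single
    claim came back, which is the symptom reported in the issue."""
    claims = decode_payload(id_token)
    problems = [c for c in REQUIRED_CLAIMS if c not in claims]
    for s in scope.split():
        expected = SCOPE_CLAIMS.get(s)
        if expected and not any(c in claims for c in expected):
            problems.append(f"scope '{s}' returned none of {expected}")
    return problems

def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample tokens (placeholder signature); BARE_TOKEN mirrors the issue:
# mandatory claims and nonce present, but nothing at all for email or address.
_HEADER = _b64url({"alg": "RS256", "typ": "JWT"})
_BASE = {"iss": "mydomain.com", "sub": "42", "aud": "client-constructed",
         "iat": 1573480000, "exp": 1573483600, "nonce": "nonce-constructed"}
BARE_TOKEN = ".".join([_HEADER, _b64url(_BASE), "sig"])
FULL_TOKEN = ".".join([_HEADER, _b64url({**_BASE, "email": "user@mydomain.com",
                       "email_verified": True, "address": {"country": "NL"}}), "sig"])

if __name__ == "__main__":
    print(missing_claims(BARE_TOKEN, "openid email address"))  # two scope problems
    print(missing_claims(FULL_TOKEN, "openid email address"))  # []
```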