Layer7 API Management

  • 1.  userinfo does not return the scope in Response

    Posted Oct 12, 2017 01:35 PM

    Hi,

    For one of our web clients that uses OTK, after the user authentication the call to the User Info API is not returning the scope values, which is causing the application to fail. The app team is looking for the scope information that was defined in the client registration.

    Thank you



  • 2.  Re: userinfo does not return the scope in Response
    Best Answer

    Posted Oct 13, 2017 08:16 PM

    Hi!

    I am assuming you meant: /userinfo is not returning claims associated with SCOPE values. You probably did not expect OTK to return the SCOPE values themselves such as 'openid' or 'email' or 'profile'.

    /userinfo will only return claims if:

    • the access_token was granted for at least 'SCOPE=openid'

    Please make sure to register your client in OAuth Manager and include 'SCOPE=openid email profile'. Use the authorization_code or implicit flow (response_type=authorization_code or response_type=token id_token).

    When receiving the token response verify that your requested SCOPE is included.

    On a side note:

    OTK by default will return example values such as "Darth Vader". To retrieve real values OTK needs to be updated at 'OTK User Attribute Look Up Extension'.

    I hope this helps!
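The answer above makes two checks the client should do itself: confirm that the token response actually granted 'openid' (and the other requested scopes) before calling /userinfo, and recognise when /userinfo is still handing back OTK's sample profile rather than real identity-provider data. The following Python is an added example, not OTK's code or the thread author's; it assumes the token endpoint returns a JSON body with a space-separated "scope" member and that /userinfo returns a JSON object of claims as described in OpenID Connect Core 1.0. The scope-to-claim mapping is the standard one from that specification, and all sample responses are constructed for the example.

```python
"""Client-side checks around an OTK /userinfo call.

Added example, not code from OTK or the thread's author.  Assumes the token
endpoint returns a JSON body with a space-separated "scope" member and that
/userinfo returns a JSON object of claims (OpenID Connect Core 1.0).
All sample responses below are constructed for the example.
"""
import json
from typing import Dict, Set

# Claims that OpenID Connect Core 1.0 (section 5.4) associates with each
# standard scope.  Only "openid" unlocks /userinfo at all; the others add claims.
SCOPE_CLAIMS: Dict[str, Set[str]] = {
    "openid": {"sub"},
    "profile": {"name", "family_name", "given_name", "preferred_username"},
    "email": {"email", "email_verified"},
}

# Placeholder value OTK returns until the User Attribute Look Up Extension
# is customised (as the answer above notes).
OTK_SAMPLE_NAME = "Darth Vader"


def granted_scopes(token_response: Dict) -> Set[str]:
    """Scopes the authorization server actually granted (may be a subset)."""
    return set(token_response.get("scope", "").split())


def missing_scopes(requested: str, token_response: Dict) -> Set[str]:
    """Requested scopes that do not appear in the token response."""
    return set(requested.split()) - granted_scopes(token_response)


def userinfo_usable(token_response: Dict) -> bool:
    """/userinfo only returns claims when 'openid' was granted."""
    return "openid" in granted_scopes(token_response)


def expected_claims(token_response: Dict) -> Set[str]:
    """Standard claims the client may expect for the granted scopes."""
    claims: Set[str] = set()
    for scope in granted_scopes(token_response):
        claims |= SCOPE_CLAIMS.get(scope, set())
    return claims


def check_userinfo(token_response: Dict, userinfo_body: str) -> Dict:
    """Diagnose a /userinfo response against the granted scopes.

    Returns the claims still missing for the granted scopes and whether the
    body looks like OTK's unmodified sample profile.
    """
    if not userinfo_usable(token_response):
        return {"ok": False, "reason": "openid scope not granted",
                "missing_claims": expected_claims(token_response),
                "sample_profile": False}
    claims = json.loads(userinfo_body)
    missing = expected_claims(token_response) - set(claims)
    sample = claims.get("name") == OTK_SAMPLE_NAME
    if missing:
        reason = "missing claims"
    elif sample:
        reason = "sample profile"
    else:
        reason = ""
    return {"ok": not missing and not sample, "reason": reason,
            "missing_claims": missing, "sample_profile": sample}


# Constructed sample responses (not captured from a real OTK instance).
TOKEN_RESPONSE_OK = {"access_token": "at-example", "token_type": "Bearer",
                     "scope": "openid email profile"}
TOKEN_RESPONSE_NO_OPENID = {"access_token": "at-example", "token_type": "Bearer",
                            "scope": "email"}
USERINFO_REAL = json.dumps({"sub": "u123", "name": "Jane Doe",
                            "given_name": "Jane", "family_name": "Doe",
                            "preferred_username": "jdoe",
                            "email": "jane@example.com", "email_verified": True})
USERINFO_SAMPLE = json.dumps({"sub": "u123", "name": "Darth Vader",
                              "given_name": "Darth", "family_name": "Vader",
                              "preferred_username": "vader",
                              "email": "vader@example.com", "email_verified": True})
USERINFO_PARTIAL = json.dumps({"sub": "u123", "name": "Jane Doe",
                               "given_name": "Jane", "family_name": "Doe",
                               "preferred_username": "jdoe"})

if __name__ == "__main__":
    print(missing_scopes("openid email profile", TOKEN_RESPONSE_NO_OPENID))
    print(check_userinfo(TOKEN_RESPONSE_OK, USERINFO_REAL))
    print(check_userinfo(TOKEN_RESPONSE_OK, USERINFO_SAMPLE))
```

Run the checks on the real token response and /userinfo body: a non-empty set from missing_scopes means the client was not registered (or did not ask) for those scopes in OAuth Manager, and a "sample profile" result means the Look Up Extension is still returning its defaults rather than identity-provider data.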



  • 3.  Re: userinfo does not return the scope in Response

    Posted Oct 15, 2017 01:49 PM

    Hi Sascha,

    Thank you for all the details, and thanks for bringing up the LookUp Extension topic.

    1. Yes, the client is registered with scope = openid through OAuth Manager.

        I verified that the scope value is reflected in the oauth_token table of the OTK DB.

        The client uses the Spring Security module and the configuration that a regular OAuth flow follows.

        In the logs the client sees there is a response from UserInfo, but when trying to invoke getScope it returns null. From the OTK DB I also see that the response_type=authorization_code.

    2. We did extend the OTK User Attribute Lookup Extension to include the attributes from the Identity Provider. But I happen to see that MAS.MasUsePlugin does not reflect the data from the Identity Provider, and all the time it is the static profile "Darth Vader".