openid-connect-generic
Get mail from access_token
Hello,

All information used to create the user is provided by `$user_claim`:

`$_email = $this->get_email_from_claim( $user_claim, true );`

For security reasons, my IdP doesn't put the email into the claims.

Question: do you think it is possible/valid to get some information from the access token if it is not provided by the claims? I think mainly about the email.

Like: if the email is not in the claims, get it from the access token...
```php
private function get_email_from_claim( $user_claim, $error_on_missing_key = false ) {
	if ( ! empty( $this->settings->email_format ) ) {
		// First try to build the email from the claims, without failing on a missing key.
		$email = $this->format_string_with_claim( $this->settings->email_format, $user_claim, false );
		if ( ! empty( $email ) && ! is_wp_error( $email ) ) {
			return $email;
		}
		// Fall back to the access token when the claims do not carry the email.
		return $this->format_string_with_access_token( $this->settings->email_format, $user_claim, $error_on_missing_key );
	}
	return null;
}

// Proposed helper, not implemented yet: extract the email from the access token.
private function get_email_from_access_token( $user_claim, $error_on_missing_key = false ) {
	return null;
}
```
Hello,

Sorry, there is already a mechanism in the code, at line 667 of `\openid-connect-generic-dev\includes\openid-connect-generic-client-wrapper.php`:

```php
// attempt another request for userinfo if some values are missing
if ( $values_missing && isset( $token_response['access_token'] ) ) {
	$user_claim_result = $this->client->request_userinfo( $token_response['access_token'] );

	// make sure we didn't get an error
	if ( is_wp_error( $user_claim_result ) ) {
		return new WP_Error( 'bad-user-claim-result', __( 'Bad user claim result' ), $user_claim_result );
	}

	$user_claim = json_decode( $user_claim_result['body'], TRUE );
}
```

Unfortunately, it cannot work, as `$token_response` is always null in this sequence. I think we are facing an issue.

Thanks
Hello,

The pointed function is actually something built to re-request the UserInfo endpoint. It would be helpful to get a piece of code that fetches the basic information provided in the access_token (email...).

Thanks
Hello, here are my changes to get data from the id_token. Please let me know if they can be added to master.

Thanks

openid-connect-generic-client-wrapper.zip
This is biting me as well. For one instance, I'm getting the email address in the token response, but not in the userinfo request. This line https://github.com/oidc-wp/openid-connect-generic/blob/dev/includes/openid-connect-generic-client-wrapper.php#L489 means that useful variables in the token response are wiped out if the userinfo endpoint exists. I would love it if either:

- The token response variables are merged with the userinfo variables.
- The hook to alter the user claim also included the token response variables, so this could be done manually.

For now the simplest solution I'm left with is to blank out the userinfo endpoint, which is not ideal.
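The merge the last comment asks for, as an added example (not the plugin's own code): it assumes WordPress is loaded for `WP_Error` and that the ID token claims passed in were already validated by the plugin. It goes one step beyond the request by refusing to merge when the two sources disagree on `sub`, the check OIDC Core 5.3.2 requires of a client before trusting a userinfo response.

```php
<?php
/**
 * Merge the claims from the (already validated) ID token with the claims
 * returned by the userinfo endpoint, so that a claim present in only one
 * source survives. Userinfo values win on conflict; the ID token fills gaps.
 *
 * Returns a WP_Error when the two sources disagree on "sub": per OIDC Core
 * 5.3.2 the userinfo "sub" MUST match the ID token "sub", otherwise the
 * userinfo response must not be used.
 */
function oidc_merge_user_claims( array $id_token_claims, array $userinfo_claims ) {
	if ( isset( $id_token_claims['sub'], $userinfo_claims['sub'] )
		&& $id_token_claims['sub'] !== $userinfo_claims['sub'] ) {
		return new WP_Error( 'sub-mismatch', 'userinfo sub does not match ID token sub' );
	}

	// Only copy claims the userinfo response did not provide.
	$merged = $userinfo_claims;
	foreach ( $id_token_claims as $key => $value ) {
		if ( ! array_key_exists( $key, $merged ) ) {
			$merged[ $key ] = $value;
		}
	}
	return $merged;
}

// Constructed sample: email arrives only in the ID token, name only in userinfo.
$id_token_claims = array( 'sub' => 'user-123', 'email' => 'alice@example.org' );
$userinfo_claims = array( 'sub' => 'user-123', 'name' => 'Alice' );
$user_claim = oidc_merge_user_claims( $id_token_claims, $userinfo_claims );
// $user_claim now carries sub, name and email; a mismatched sub returns WP_Error.
```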