hydra
Do not return `email` in `id_token` but instead in `userinfo` for specific response types
Describe the bug
The OIDC Conformity suite says:
Unexpectedly found email in id_token. The conformance suite did not request that the 'email' claim be returned in the id_token and hence did not expect the server to include it; as per the spec link, for this response_type scope=email is shorthand for 'please give me access to the user's email address in the userinfo response'. Technically, returning unrequested claims does not violate the specifications, but it could be a bug in the server and may result in user data being exposed in unintended ways if the relying party did not expect the email to be in the id_token and then uses the id_token to provide proof of the authentication event to other parties.
Reproducing the bug
URL
http://hydra:4444/oauth2/auth?client_id=08a64aa8-85ac-45bd-b827-f9d6a9e7f8f0&redirect_uri=http://httpd:8443/test/a/hydra/callback&scope=openid%20email&state=Tg1H9cJyGa&nonce=4JiU5ylax3&response_type=code
ID Token
{
  "at_hash": "h2jpY2N0DtmNcIJ2V1Jp4Q",
  "sub": "[email protected]",
  "email_verified": true,
  "rat": 1604478992,
  "iss": "http://hydra:4444/",
  "nonce": "4JiU5ylax3",
  "sid": "d95dff88-e665-45f1-8bbc-335dede98a79",
  "aud": "08a64aa8-85ac-45bd-b827-f9d6a9e7f8f0",
  "auth_time": 1604478992,
  "exp": 1604482594,
  "iat": 1604478994,
  "email": "[email protected]",
  "jti": "2c70df5c-26c9-49ff-80ab-54ec3941d8c8"
}
Expected behavior
ORY Hydra should follow the recommendation here.
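The rule the conformance suite is applying is OpenID Connect Core 1.0, section 5.4: claims requested through scope values are delivered from the UserInfo endpoint whenever an Access Token is issued, and only land in the ID Token when response_type is exactly id_token (no Access Token); a relying party that wants email inside the ID Token for a code flow has to ask for it explicitly via the claims request parameter. The Go program below is an added illustration written for this page, not Hydra's code: it computes where each claim belongs for a given request and then flags scope-derived claims that an issued ID Token carries without having been asked for there. Function names (PlaceClaims, PlaceClaimsForAuthURL, UnexpectedIDTokenClaims) are the example's own; the sample request is the URL from this issue and the sample token is a constructed subset of the ID Token above, with the redacted values kept as they appear on the page.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// Claims each scope value requests, from OpenID Connect Core 1.0 section 5.4.
var scopeClaims = map[string][]string{
	"profile": {"name", "family_name", "given_name", "middle_name", "nickname",
		"preferred_username", "profile", "picture", "website", "gender",
		"birthdate", "zoneinfo", "locale", "updated_at"},
	"email":   {"email", "email_verified"},
	"address": {"address"},
	"phone":   {"phone_number", "phone_number_verified"},
}

// Placement lists which claims belong in the ID Token and which in the
// UserInfo response for one authorization request.
type Placement struct {
	IDToken  []string
	UserInfo []string
}

// claimsParam is the shape of the OIDC "claims" request parameter
// (section 5.5); only the member names matter for placement.
type claimsParam struct {
	IDToken  map[string]json.RawMessage `json:"id_token"`
	UserInfo map[string]json.RawMessage `json:"userinfo"`
}

// PlaceClaims applies the section 5.4 rule: scope-requested claims go to
// UserInfo whenever an Access Token is issued and into the ID Token only when
// response_type is exactly "id_token". Claims named in the "claims" parameter
// go wherever that parameter puts them, regardless of response_type.
func PlaceClaims(responseType, scope, claimsJSON string) (Placement, error) {
	idToken, userInfo := map[string]bool{}, map[string]bool{}

	// response_type is a space-separated set; "id_token" alone issues no Access Token.
	accessTokenIssued := strings.TrimSpace(responseType) != "id_token"
	for _, s := range strings.Fields(scope) {
		for _, c := range scopeClaims[s] {
			if accessTokenIssued {
				userInfo[c] = true
			} else {
				idToken[c] = true
			}
		}
	}
	if claimsJSON != "" {
		var cp claimsParam
		if err := json.Unmarshal([]byte(claimsJSON), &cp); err != nil {
			return Placement{}, fmt.Errorf("claims parameter: %w", err)
		}
		for c := range cp.IDToken {
			idToken[c] = true
		}
		for c := range cp.UserInfo {
			userInfo[c] = true
		}
	}
	return Placement{IDToken: sortedKeys(idToken), UserInfo: sortedKeys(userInfo)}, nil
}

// PlaceClaimsForAuthURL reads response_type, scope and claims from an
// authorization request URL and delegates to PlaceClaims.
func PlaceClaimsForAuthURL(raw string) (Placement, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return Placement{}, err
	}
	q := u.Query()
	return PlaceClaims(q.Get("response_type"), q.Get("scope"), q.Get("claims"))
}

// UnexpectedIDTokenClaims returns the scope-derived claims present in an issued
// ID Token that the request did not place there. Token metadata such as iss,
// sub, at_hash or sid is not in the section 5.4 table and is ignored.
func UnexpectedIDTokenClaims(issued map[string]interface{}, p Placement) []string {
	allowed := map[string]bool{}
	for _, c := range p.IDToken {
		allowed[c] = true
	}
	var out []string
	for _, cs := range scopeClaims {
		for _, c := range cs {
			if _, present := issued[c]; present && !allowed[c] {
				out = append(out, c)
			}
		}
	}
	sort.Strings(out)
	return out
}

func sortedKeys(m map[string]bool) []string {
	out := make([]string, 0, len(m))
	for k := range m {
		out = append(out, k)
	}
	sort.Strings(out)
	return out
}

func main() {
	// Request URL from the issue; token is a constructed subset of the ID Token shown above.
	authURL := "http://hydra:4444/oauth2/auth?client_id=08a64aa8-85ac-45bd-b827-f9d6a9e7f8f0&redirect_uri=http://httpd:8443/test/a/hydra/callback&scope=openid%20email&state=Tg1H9cJyGa&nonce=4JiU5ylax3&response_type=code"
	issued := map[string]interface{}{"sub": "[email protected]", "email": "[email protected]",
		"email_verified": true, "at_hash": "h2jpY2N0DtmNcIJ2V1Jp4Q"}
	p, err := PlaceClaimsForAuthURL(authURL)
	if err != nil {
		panic(err)
	}
	fmt.Printf("id_token: %v\nuserinfo: %v\n", p.IDToken, p.UserInfo)
	fmt.Printf("unexpected in id_token: %v\n", UnexpectedIDTokenClaims(issued, p))
}
```

Run against the issue's request, the placement puts email and email_verified in UserInfo only, so the issued token's email and email_verified come back as unexpected; the same request with the claims parameter {"id_token":{"email":null}} would make email expected in the ID Token, which is the explicit opt-in the spec provides for a code flow.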
Is this still current @aeneasr?
Yeah, pretty sure.