Is there a way to remove the subname claim from the id token

We are in 7.1 and currently the Id token does spit out the subname claim as well. I tried overriding the value using https://backstage.forgerock.com/knowledge/kb/article/a99038127 ,did not work -seems it’s applicable only for core OIDC claims.
Is there an elegant way to achieve this?

Out of curiosity - why do you want to do that?

Now, sub is an important and REQUIRED claim in the OIDC Token. Its role is to uniquely identity the end-user at the issuer side. Removing it will certainly make your token non-OIDC compliant. Second, if we were to remove the sub claim, it can have other side effects. For example and as mentioned in the core OIDC spec, it can be used to validate against token substition attacks when using the UserInfo endpoint, and matching the sub value of the UserInfo with the sub value of the OIDC Token.

1 Like

Its subname not the sub
This is what we have in the ID token claim

{
  "sub": "hdGIUClsFruOIZdcv1xWByYjbNSuvKMDfKQKCJQAjIw=",
  "subname": "44874388-d330-4e7f-97be-904dd133f18e",
   ......
}

We would like to remove the subname claim as it exposes the user identity

Ah, I misunderstood the claim name. The subname claim is not included in the OIDC Claims Script by default. In order to remove this attribute, you can attempt the following:

  • In your OAuth2 Service Provider > OpenID Connect > Overrideable Id_Token Claims> Set subname. This basically states that you want to override the value of subname claim via OIDC Claims Script.
  • Then, in your OIDC Claims Script set the value of subname claim to empty;
  • If the value is empty, the subname will not be present in your ID Token.

Hope this helps!

Also, I forgot to mention. The value of subname is partial of the sub claim value. So, a client application can always infer the value of subname via sub claim attribute. Read the below docs for more info:

https://backstage.forgerock.com/docs/am/7.2/oidc1-guide/rest-api-oidc-idtoken-validation.html

Thanks for the response. Yes, I did try these steps but didn’t work. We are able to override some other claims (eg acr) , just that the subname claim override is not working.

Also, one interesting thing we observed is : if we override sub with some random value (say abcd), then subname is gone in the id token (this could be since its derived from sub)

Could you point to any source code where this overriding is actually implemented. I just searched for getOverrideableOIDCClaims() in the public repo and could not find any references.

2 Likes

What version of the Access Manager are you running?

And I tried this in my lab and it works as suggested.

Its 7.1.2
Is this lab something we can try it out as well or private to Forge Rock ?
Apologies for sounding naive, but I have just started exploring Forge Rock and learning on the fly

The lab is basically my local environment for testing. I am also running v7.1.2 and below is a sample of my ID Token:

{
  "at_hash": "AmA84BITDP1ZJM7pRI3NlQ",
  "sub": "(usr!demo)",
  "auditTrackingId": "81c2b800-c5a6-4fea-899e-27a631bfa118-2727",
  "iss": "https://identity.sqoopdata.local:17143/am/oauth2/realms/root/realms/ciam",
  "tokenName": "id_token",
  "sid": "tZTzXMjWHeg4en/NP2vmerqt1bzbON1/+f0KCENaLBs=",
  "aud": "apple",
  "c_hash": "3cTesxYgkwXsriCsvN33cA",
  "acr": "0",
  "org.forgerock.openidconnect.ops": "VTGTnw-DjLV3N3oAGIDJw4WAKSc",
  "s_hash": "bKE9UspwyIPg8LsQHkJaiQ",
  "azp": "apple",
  "auth_time": 1658370481,
  "realm": "/ciam",
  "exp": 1658374487,
  "tokenType": "JWTToken",
  "iat": 1658370887
}

In the OIDC Claims Script, I am simply setting the subname to null:

claimAttributes = [
        "email": userProfileClaimResolver.curry("mail"),
        "address": { claim, identity -> [ "address" : userAddressClaimResolver(claim, identity) ] },
        "phone_number": userProfileClaimResolver.curry("telephonenumber"),
        "given_name": userProfileClaimResolver.curry("givenname"),
        "zoneinfo": userProfileClaimResolver.curry("preferredtimezone"),
        "family_name": userProfileClaimResolver.curry("sn"),
        "locale": userProfileClaimResolver.curry("preferredlocale"),
        "name": userProfileClaimResolver.curry("cn"),
  		"subname": { claim, identity -> [ "subname": null ] },
]

NOTE: Do not forget to override this attribute in the OAuth2 Provider service.

Interesting. Ya, did exactly the same here and as mentioned before - observing this issue only for subname.
Thanks for checking this, I will debug this more.
But just curious, do you have reference to the code base where these claims get merged into the master and get spit into the id token? Basically looking for where overrideableOIDCClaims is used.

Also, your sub format is different than mine (usr!demo)
It seems that we are using the old format where the sub has just the value (and not the type), may be this is all related

I have done some more debugging and seems like subname is explicitly set after the override claims. OpenIdConnectToken.java does this.set("subname", subName); after the override. This is done specifically for subname , so am assuming just removing this might break some other use case.

There is another bug, if subject is pairwise - then the subname is still plain identity (beats the purpose of pairwise)

Just for the benefit of someone who might stumble on this in future, the subname removal is working fine in 7.2, can see the fix applied in the code base as well.

Thanks
Josh

1 Like

I wanted to override sub claim “sub”: “(usr!demo)”, to sub:demo.I tried to modified OIDC script but it did’nt work

Hi @scotiasso.

You could just turn off sub uniqueness: org.forgerock.security.oauth2.enforce.sub.claim.uniqueness, see Deployment configuration :: AM 7.4.0.

Or include ‘sub’ in Overrideable Id_Token Claims will allow you to alter the sub claim (in the OAuth2 provider settings, or client’s overrides settings).

Regards
Patrick

Thanks for reply.
I did off earlier but in that case we are not able to see that access log captured the information about userID (for example :userId":"id=clienTIDtest,ou =agent,o=test,ou=services,ou=am-config") only for client credentials assertion grant flow.

I was thinking if someway ,I can override the “sub” claim in OIDC script but no luck.

I think you can override sub in the id-token, just mark it as overridable in the configuration, e.g Overrideable Id_Token Claims setting in the OAuth2 provider or client overrides.

Regards
Patrick

Hi Ptarick,

I am bale to make sub claim customize computedClaims.put(“sub”, identity.getAttribute(“uid”)[0])

But now problem is /introspect endpoint still showing format “sub”:“(usr!demo)” ? How i can change introspect format also.

Thanks,

The introspect endpoint look into the access token, so in this case you need to provide a custom access token modification script.