We are in 7.1 and currently the ID token does spit out the subname claim as well. I tried overriding the value using https://backstage.forgerock.com/knowledge/kb/article/a99038127, but it did not work; it seems it’s applicable only for core OIDC claims.
Is there an elegant way to achieve this?
Out of curiosity - why do you want to do that?
Now, sub is an important and REQUIRED claim in the OIDC Token. Its role is to uniquely identify the end-user at the issuer side. Removing it will certainly make your token non-OIDC compliant. Second, if we were to remove the sub claim, it can have other side effects. For example, and as mentioned in the core OIDC spec, it can be used to validate against token substitution attacks when using the UserInfo endpoint, by matching the sub value of the UserInfo with the sub value of the OIDC Token.
It’s subname, not the sub.
This is what we have in the ID token claim
{
"sub": "hdGIUClsFruOIZdcv1xWByYjbNSuvKMDfKQKCJQAjIw=",
"subname": "44874388-d330-4e7f-97be-904dd133f18e",
......
}
We would like to remove the subname claim as it exposes the user identity
Ah, I misunderstood the claim name. The subname claim is not included in the OIDC Claims Script by default. In order to remove this attribute, you can attempt the following:
- In your OAuth2 Service Provider > OpenID Connect > Overrideable Id_Token Claims, set subname. This basically states that you want to override the value of the subname claim via the OIDC Claims Script.
- Then, in your OIDC Claims Script, set the value of the subname claim to empty.
- If the value is empty, the subname will not be present in your ID Token.
Hope this helps!
Also, I forgot to mention. The value of subname is a partial of the sub claim value. So, a client application can always infer the value of subname via the sub claim attribute. Read the below docs for more info:
https://backstage.forgerock.com/docs/am/7.2/oidc1-guide/rest-api-oidc-idtoken-validation.html
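The relying-party side of what this answer describes (sub is required, and the UserInfo sub must be compared with the ID token sub to catch token substitution), together with a flag for the subname claim the question is about, as an added Python example that is not ForgeRock's or this thread's code. The token and UserInfo payloads are constructed for the example and the token is unsigned; a real RP verifies the signature, iss, aud and exp before running checks like these.

```python
import base64
import json

# Added example (not ForgeRock code): relying-party side checks on an ID token.
# The sample token below is constructed for this example and carries no
# signature; in a real RP the signature and iss/aud/exp must be verified first.


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_unsigned_jwt(claims: dict) -> str:
    """Build an alg=none compact JWT (header.payload.) for offline testing only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(jwt: str) -> dict:
    """Return the payload claims of a compact JWT without checking its signature."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def inspect_id_token(jwt: str, userinfo: dict) -> dict:
    """Report the three properties discussed in the thread.

    sub_present:          sub is REQUIRED by OIDC Core; a token without it is not compliant.
    subname_present:      subname is an AM-specific extra claim that reveals the
                          internal identity; flag it so the deployment can be reviewed.
    userinfo_sub_matches: OIDC Core tells the RP to compare the UserInfo sub with the
                          ID token sub; a mismatch is the token substitution case.
    """
    claims = decode_claims(jwt)
    sub = claims.get("sub")
    return {
        "sub_present": isinstance(sub, str) and sub != "",
        "subname_present": "subname" in claims,
        "userinfo_sub_matches": sub is not None and userinfo.get("sub") == sub,
    }


# Constructed sample claims, mirroring the shape quoted in the thread.
SAMPLE_CLAIMS = {
    "iss": "https://op.example.invalid/am/oauth2/realms/root",
    "aud": "apple",
    "sub": "hdGIUClsFruOIZdcv1xWByYjbNSuvKMDfKQKCJQAjIw=",
    "subname": "44874388-d330-4e7f-97be-904dd133f18e",
    "exp": 1658374487,
    "iat": 1658370887,
}
SAMPLE_USERINFO = {"sub": SAMPLE_CLAIMS["sub"], "email": "demo@example.invalid"}
SUBSTITUTED_USERINFO = {"sub": "someone-else", "email": "other@example.invalid"}


if __name__ == "__main__":
    token = build_unsigned_jwt(SAMPLE_CLAIMS)
    print(inspect_id_token(token, SAMPLE_USERINFO))        # all three True
    print(inspect_id_token(token, SUBSTITUTED_USERINFO))   # userinfo_sub_matches False
```

The subname flag is deliberately a report rather than a rejection: whether that claim is acceptable is a deployment decision, while a UserInfo sub that does not match the ID token is the condition OIDC Core says to treat as an error.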
Thanks for the response. Yes, I did try these steps but they didn’t work. We are able to override some other claims (e.g. acr), just that the subname claim override is not working.
Also, one interesting thing we observed is: if we override sub with some random value (say abcd), then subname is gone in the ID token (this could be since it’s derived from sub).
Could you point to any source code where this overriding is actually implemented. I just searched for getOverrideableOIDCClaims() in the public repo and could not find any references.
What version of the Access Manager are you running?
And I tried this in my lab and it works as suggested.
It’s 7.1.2
Is this lab something we can try out as well, or is it private to ForgeRock?
Apologies for sounding naive, but I have just started exploring ForgeRock and am learning on the fly.
The lab is basically my local environment for testing. I am also running v7.1.2 and below is a sample of my ID Token:
{
"at_hash": "AmA84BITDP1ZJM7pRI3NlQ",
"sub": "(usr!demo)",
"auditTrackingId": "81c2b800-c5a6-4fea-899e-27a631bfa118-2727",
"iss": "https://identity.sqoopdata.local:17143/am/oauth2/realms/root/realms/ciam",
"tokenName": "id_token",
"sid": "tZTzXMjWHeg4en/NP2vmerqt1bzbON1/+f0KCENaLBs=",
"aud": "apple",
"c_hash": "3cTesxYgkwXsriCsvN33cA",
"acr": "0",
"org.forgerock.openidconnect.ops": "VTGTnw-DjLV3N3oAGIDJw4WAKSc",
"s_hash": "bKE9UspwyIPg8LsQHkJaiQ",
"azp": "apple",
"auth_time": 1658370481,
"realm": "/ciam",
"exp": 1658374487,
"tokenType": "JWTToken",
"iat": 1658370887
}
In the OIDC Claims Script, I am simply setting the subname to null:
// Groovy map of claim name -> closure that resolves the claim value from the identity.
claimAttributes = [
    "email": userProfileClaimResolver.curry("mail"),
    "address": { claim, identity -> [ "address" : userAddressClaimResolver(claim, identity) ] },
    "phone_number": userProfileClaimResolver.curry("telephonenumber"),
    "given_name": userProfileClaimResolver.curry("givenname"),
    "zoneinfo": userProfileClaimResolver.curry("preferredtimezone"),
    "family_name": userProfileClaimResolver.curry("sn"),
    "locale": userProfileClaimResolver.curry("preferredlocale"),
    "name": userProfileClaimResolver.curry("cn"),
    // Resolving subname to null yields an empty value, so the claim is dropped from the
    // ID token. Only takes effect when subname is listed under Overrideable Id_Token Claims.
    "subname": { claim, identity -> [ "subname": null ] },
]
NOTE: Do not forget to override this attribute in the OAuth2 Provider service.
Interesting. Ya, I did exactly the same here and, as mentioned before, am observing this issue only for subname.
Thanks for checking this, I will debug this more.
But just curious, do you have reference to the code base where these claims get merged into the master and get spit into the id token? Basically looking for where overrideableOIDCClaims is used.
Also, your sub format is different than mine (usr!demo).
It seems that we are using the old format where the sub has just the value (and not the type); maybe this is all related.
I have done some more debugging and it seems like subname is explicitly set after the override claims. OpenIdConnectToken.java does this.set("subname", subName); after the override. This is done specifically for subname, so I am assuming just removing this might break some other use case.
There is another bug, if subject is pairwise - then the subname is still plain identity (beats the purpose of pairwise)
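The pairwise point above, as an added Python example that is not ForgeRock's or this thread's code: it derives a pairwise sub with the example algorithm from OIDC Core section 8.1 (SHA-256 over sector identifier, local account id and salt) and then checks the emitted claims for any other claim that still carries the plain local identity, which is what a subname claim set after the override does. The local account id, salt and sector identifiers are constructed values.

```python
import base64
import hashlib

# Added example (not ForgeRock code): the pairwise subject algorithm that
# OIDC Core 8.1 gives as an example (SHA-256 over sector identifier, local
# account id and salt), plus a check for claims that undo the pairing.


def pairwise_sub(sector_identifier: str, local_account_id: str, salt: str) -> str:
    """Derive a pairwise sub: the same user yields a different value per sector."""
    material = (sector_identifier + local_account_id + salt).encode("utf-8")
    digest = hashlib.sha256(material).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def pairwise_leaks(claims: dict, local_account_id: str) -> list:
    """Names of claims other than sub whose value contains the plain local id."""
    return sorted(
        name
        for name, value in claims.items()
        if name != "sub" and isinstance(value, str) and local_account_id in value
    )


LOCAL_ID = "44874388-d330-4e7f-97be-904dd133f18e"  # constructed local account id
SALT = "constructed-per-op-salt"                   # assumed OP-wide secret salt


def issue_claims(sector_identifier: str, include_subname: bool) -> dict:
    """Build the ID token claims an OP might emit for one client sector."""
    claims = {"sub": pairwise_sub(sector_identifier, LOCAL_ID, SALT)}
    if include_subname:
        claims["subname"] = LOCAL_ID  # the behaviour reported in the thread
    return claims


if __name__ == "__main__":
    a = issue_claims("https://rp-a.example.invalid", include_subname=True)
    b = issue_claims("https://rp-b.example.invalid", include_subname=True)
    print(a["sub"] != b["sub"])          # True: pairwise sub differs per sector
    print(pairwise_leaks(a, LOCAL_ID))   # ['subname']: the two RPs can still correlate the user
```

Two relying parties in different sectors receive different sub values, which is the whole point of pairwise subjects, but as long as subname carries the local id both of them hold the same stable identifier and the pairing buys nothing.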
Just for the benefit of someone who might stumble on this in future, the subname removal is working fine in 7.2, can see the fix applied in the code base as well.
Thanks
Josh
I wanted to override the sub claim from “sub”: “(usr!demo)” to sub: demo. I tried to modify the OIDC script but it didn’t work.
Hi @scotiasso.
You could just turn off sub uniqueness: org.forgerock.security.oauth2.enforce.sub.claim.uniqueness, see Deployment configuration :: AM 7.4.0.
Or including ‘sub’ in Overrideable Id_Token Claims will allow you to alter the sub claim (in the OAuth2 provider settings, or the client’s overrides settings).
Regards
Patrick
Thanks for reply.
I did turn it off earlier, but in that case we are not able to see the access log capture the information about the userID (for example: "userId":"id=clienTIDtest,ou =agent,o=test,ou=services,ou=am-config"), only for the client credentials assertion grant flow.
I was thinking if somehow I can override the “sub” claim in the OIDC script, but no luck.
I think you can override sub in the id-token, just mark it as overridable in the configuration, e.g. the Overrideable Id_Token Claims setting in the OAuth2 provider or client overrides.
Regards
Patrick
Hi Patrick,
I am able to customize the sub claim: computedClaims.put(“sub”, identity.getAttribute(“uid”)[0])
But now the problem is the /introspect endpoint is still showing the format “sub”:“(usr!demo)”. How can I change the introspect format as well?
Thanks,
The introspect endpoint looks into the access token, so in this case you need to provide a custom access token modification script.