OIDC UserInfo endpoint returning variable placeholders

I’m using OIDC to authenticate and get an id_token and access token. In order to keep the size of the id_token down, I am using the standard claims parameter to specify that some claims are only returned from the UserInfo endpoint and not included in the id_token. However, when I query the UserInfo endpoint, I am getting back raw template variables for any computed attributes. For example:

curl -X POST -H "Authorization: Bearer <redacted>" https://<redacted>.id.forgerock.io/am/oauth2/realms/root/realms/bravo/userinfo
{"name":"{{givenName}} {{sn}}","family_name":"Madden","given_name":"Neil", ... }

Note the "name":"{{givenName}} {{sn}}" value in the result. Presumably this should have been substituted before the result was returned?

I’ve discovered that this issue only occurs for users created via the IDM Native Console. In other cases, the name resolves correctly.

If you view two users - one created via IDM console, one created via other means - do you see any differences between the two? Assuming there are no major modifications to your OIDC claims script to read data from other sources we’d want to look at the users in the Identity Store for this AM realm.

Yes, users created via the IDM console have a cn attribute set to the literal string “{{givenName}} {{sn}}”, whereas users created in other ways have this filled in with the correct values. There is some customisation of the OIDC claims script, but that is just adding some extra fields and doesn’t modify any of the existing ones (and anyway, wouldn’t impact the attribute values displayed in the AM native console subjects list, which also shows the issue).

Ah, ok, so it sounds like the issue isn’t with AM or OIDC but is actually an issue with how you are populating the cn attribute of users in your directory via IDM. I’d suggest taking a look at the sync mapping between IDM and your directory.
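The thread's diagnosis is that the `cn` value was written to the directory with the template text still in it, so every downstream consumer (UserInfo, the AM subjects list) faithfully returns `{{givenName}} {{sn}}`. A cheap guard is to scan UserInfo responses (or freshly provisioned entries) for leftover `{{...}}` syntax before anyone relies on the claims. The following is an added example written for this page, not ForgeRock or IDM code; the `{{attr}}` placeholder syntax is taken from the thread, and the sample responses are constructed, not captured from the poster's tenant.

```python
import json
import re

# Matches an unresolved template placeholder such as {{givenName}} or {{ sn }}
# (syntax as seen in the thread; assumed to be the only template form in use).
PLACEHOLDER_RE = re.compile(r"\{\{\s*[A-Za-z_][A-Za-z0-9_.]*\s*\}\}")

# Constructed sample UserInfo bodies, shaped like the thread's curl output.
SAMPLE_OK = json.dumps({
    "sub": "u1",
    "name": "Neil Madden",
    "family_name": "Madden",
    "given_name": "Neil",
})
SAMPLE_BROKEN = json.dumps({
    "sub": "u2",
    "name": "{{givenName}} {{sn}}",          # the symptom from the thread
    "family_name": "Madden",
    "given_name": "Neil",
    "address": {"formatted": "{{street}}, {{l}}"},  # nested claim, same defect
})


def find_unresolved_placeholders(obj, path=""):
    """Walk a decoded claims document and return {claim_path: [placeholders]}
    for every string value that still contains raw template syntax."""
    found = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}" if path else key
            found.update(find_unresolved_placeholders(value, child))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            found.update(find_unresolved_placeholders(value, f"{path}[{i}]"))
    elif isinstance(obj, str):
        hits = PLACEHOLDER_RE.findall(obj)
        if hits:
            found[path] = hits
    return found


def check_userinfo(body: str):
    """Parse a UserInfo JSON body; return (ok, problems) where problems maps
    each offending claim path to the placeholders left in it."""
    claims = json.loads(body)
    problems = find_unresolved_placeholders(claims)
    return (not problems, problems)


def resolve_from_attributes(template: str, attrs: dict) -> str:
    """Substitute {{attr}} placeholders from a directory attribute map, i.e. what
    the provisioning mapping should have done before writing cn. Unknown names
    are left as-is so they stay visible to the checker above."""
    def sub(match):
        name = match.group(0)[2:-2].strip()
        return attrs.get(name, match.group(0))
    return PLACEHOLDER_RE.sub(sub, template)


if __name__ == "__main__":
    for label, body in (("ok", SAMPLE_OK), ("broken", SAMPLE_BROKEN)):
        ok, problems = check_userinfo(body)
        print(label, "clean" if ok else f"unresolved placeholders: {problems}")
    print(resolve_from_attributes("{{givenName}} {{sn}}",
                                  {"givenName": "Neil", "sn": "Madden"}))
```

Running `check_userinfo` against a real response (after fetching it with the same `curl` call as in the question) turns the silent data defect into a failing check; running `resolve_from_attributes` over the directory attributes of a newly created user is a quick way to confirm the sync mapping is producing the expected `cn` before the entry is written.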