Enhance OIDC Client: Read Claims From UserInfo Endpoint

This article delves into a crucial feature request for OIDC (OpenID Connect) compatible clients, specifically the ability to read claims from the UserInfo endpoint. Currently, many OIDC clients, including KitchenOwl, primarily extract claims from the ID token. However, this approach can lead to limitations, especially when dealing with OIDC providers like Authelia that don't hydrate the ID token with all claims by default.

The Importance of Reading Claims from UserInfo Endpoint

OpenID Connect (OIDC), as an authentication layer on top of OAuth 2.0, provides a standardized method for verifying the identity of users. Central to OIDC is the concept of claims, which are pieces of information about the user, such as their name, email address, and other attributes. These claims are typically transmitted within the ID token or accessible via the UserInfo endpoint.

In many OIDC implementations, the ID token is intentionally kept lean for security and performance reasons. Critical user information, including email addresses and other personal details, should be retrieved from the UserInfo endpoint. This endpoint provides a more secure and flexible way to manage user data, allowing providers to control which claims are exposed and when.

Failing to support claim retrieval from the UserInfo endpoint can result in a degraded user experience. For instance, when a user creates a new account by logging in through OIDC, the application may not be able to automatically populate essential fields such as username, email, and name, as these claims might not be present in the ID token. This issue necessitates workarounds, such as defining custom claims policies, to ensure the application receives the necessary user information.

The Problem: Claims Missing from ID Token

One significant issue arises when OIDC providers, such as Authelia, do not include all user claims in the ID token by default. This is a deliberate design choice to enhance security and performance. Instead, these providers expect clients to query the UserInfo endpoint to obtain the full set of user attributes. When OIDC clients are not configured to read claims from this endpoint, they miss out on crucial user information.

Consider the scenario where a user logs in to an application via OIDC. If the application only extracts claims from the ID token, and the provider hasn't populated the ID token with essential details like the user's email address, the application won't have this information. This can lead to a frustrating user experience, as the application may not be able to personalize the user interface or send important notifications.

The screenshot provided in the original feature request illustrates this problem clearly. When creating a new account through OIDC, the username, email, and name fields are left empty because the application isn't retrieving these claims from the UserInfo endpoint. This lack of information hinders the user onboarding process and can lead to user dissatisfaction.

The Workaround: Custom Claims Policies

Currently, one way to address the issue of missing claims is to implement a workaround by defining custom claims policies within the OIDC provider. For example, in Authelia, you can create a policy that explicitly specifies which claims should be included in the ID token. While this approach can be effective, it has several drawbacks.

Custom claims policies add complexity to the OIDC configuration. Administrators need to define and maintain these policies, which can be time-consuming and error-prone. Additionally, this approach tightly couples the OIDC client's requirements with the provider's configuration. If the client needs additional claims, the policy must be updated accordingly. This lack of flexibility can be a significant issue in dynamic environments.

Furthermore, relying solely on custom claims policies can undermine the security benefits of using the UserInfo endpoint. By including sensitive information in the ID token, you increase the risk of exposure if the token is compromised. The UserInfo endpoint allows for more granular control over which claims are exposed, reducing the potential impact of a security breach.

Here’s an example of a custom claims policy in Authelia, as provided in the feature request:

identity_providers:
  oidc:
    claims_policies:
      kitchenowl:
        id_token:
        - email
        - email_verified
        - alt_emails
        - preferred_username
        - name

This policy explicitly adds several claims to the ID token, ensuring that the client receives the necessary user information. However, as discussed, this is a workaround and not the ideal solution.

The Solution: Supporting UserInfo Endpoint Claims

The most effective solution to this problem is for OIDC clients to natively support reading claims from the UserInfo endpoint. This approach aligns with the OIDC specification and best practices, providing a more secure and flexible way to manage user information.

By implementing UserInfo endpoint support, OIDC clients can dynamically retrieve the required claims without relying on custom policies or pre-configured settings. This flexibility allows applications to adapt to different OIDC providers and configurations seamlessly. It also enhances security by minimizing the amount of sensitive information stored in the ID token.

Supporting UserInfo endpoint claims involves several key steps:

1. Fetching the UserInfo Endpoint URL: The client needs to retrieve the UserInfo endpoint URL from the OIDC provider's discovery document. This document, typically located at a well-known endpoint (/.well-known/openid-configuration), contains metadata about the provider, including the URL for the UserInfo endpoint.
2. Making the Request: Once the client has the UserInfo endpoint URL, it can make a request to this endpoint using the access token obtained during the authentication flow. The access token acts as proof of authorization and allows the client to access the user's claims.
3. Parsing the Response: The UserInfo endpoint returns a JSON response containing the user's claims. The client needs to parse this response and extract the relevant claims for use within the application.

Implementing these steps ensures that the OIDC client can retrieve the full set of user claims, regardless of whether they are included in the ID token. This approach provides a robust and standards-compliant solution to the problem of missing claims.

Benefits of Reading Claims from UserInfo Endpoint

There are several significant benefits to implementing UserInfo endpoint support in OIDC clients:

• Enhanced Security: By minimizing the amount of sensitive information in the ID token, you reduce the risk of data exposure if the token is compromised. The UserInfo endpoint allows for more granular control over claim access.
• Improved Flexibility: Clients can adapt to different OIDC providers and configurations without requiring custom policies or workarounds. This flexibility simplifies integration and maintenance.
• Standards Compliance: Reading claims from the UserInfo endpoint aligns with the OIDC specification and best practices, ensuring interoperability and compatibility.
• Better User Experience: Applications can seamlessly retrieve all necessary user information, providing a smoother and more personalized user experience.
• Simplified Configuration: Administrators don't need to define and maintain custom claims policies, reducing complexity and the risk of errors.

By embracing UserInfo endpoint support, OIDC clients can provide a more secure, flexible, and user-friendly authentication experience.

Conclusion

In conclusion, the ability to read claims from the UserInfo endpoint is a crucial feature for OIDC compatible clients. This approach aligns with OIDC standards, enhances security, and provides greater flexibility in managing user information. By supporting UserInfo endpoint claims, applications can avoid the limitations of relying solely on ID tokens and deliver a better user experience.

Implementing this feature request will significantly improve the interoperability and robustness of OIDC clients, ensuring they can seamlessly integrate with various OIDC providers and configurations. This enhancement will ultimately lead to more secure and user-friendly applications.

For more information on OpenID Connect and the UserInfo endpoint, visit the OpenID Foundation website.