
    OIDC Identity Provider Claims

    • nathan

      When using an external OIDC identity provider, where does the email claim get fetched from when attempting to link to a FusionAuth account: the id_token, the access_token or the userinfo JSON?

      I have an id_token from an external IdP that doesn't contain an email address claim, but both access_token and userinfo do (under claim http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress, which I have set up under Options -> Email claim), but FusionAuth doesn't seem to be picking it up.

      • dan @nathan

        @nathan

        Hiya,

        We try to get the email or username from the user info response (found using the access token) and then the id_token.

        You might need to escape the forward slashes in the claim you provide, according to RFC 6901: https://www.rfc-editor.org/rfc/rfc6901

        Can you try that and let us know if the email is picked up? If that was the issue, I'd want to update the documentation to let folks know they need to escape the claim.

        --
        FusionAuth - Auth for devs, built by devs.
        https://fusionauth.io
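
An added example (not part of the original thread and not FusionAuth's code) of the RFC 6901 escaping suggested in the reply above, assuming the configured claim is resolved as a JSON Pointer. The function names and the sample UserInfo and id_token payloads are constructed for illustration.

```python
# Added illustration; not FusionAuth code. Assumption: the configured claim
# name is resolved as an RFC 6901 JSON Pointer against the claims object.

CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"


def escape_token(name: str) -> str:
    """RFC 6901 section 3: encode '~' as '~0' first, then '/' as '~1'."""
    return name.replace("~", "~0").replace("/", "~1")


def unescape_token(token: str) -> str:
    """RFC 6901 section 4: decode '~1' first, then '~0'."""
    return token.replace("~1", "/").replace("~0", "~")


def resolve(doc, pointer: str):
    """Walk a JSON Pointer through nested dicts; None if a step is missing."""
    if not pointer.startswith("/"):
        raise ValueError("a claim pointer must start with '/'")
    node = doc
    for raw in pointer[1:].split("/"):
        key = unescape_token(raw)
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def find_email(userinfo: dict, id_token_claims: dict, pointer: str):
    """Lookup order from the reply above: UserInfo response, then id_token."""
    for source in (userinfo, id_token_claims):
        value = resolve(source, pointer)
        if isinstance(value, str) and value:
            return value
    return None


# Constructed sample payloads matching the question: the id_token has no
# email claim, the UserInfo response carries it under the long claim name.
USERINFO = {"sub": "constructed-subject", CLAIM: "user@example.com"}
ID_TOKEN_CLAIMS = {"sub": "constructed-subject"}

UNESCAPED = "/" + CLAIM              # every '/' in the name splits the path
ESCAPED = "/" + escape_token(CLAIM)  # one reference token, slashes as '~1'

if __name__ == "__main__":
    print("unescaped:", find_email(USERINFO, ID_TOKEN_CLAIMS, UNESCAPED))
    print("escaped:  ", find_email(USERINFO, ID_TOKEN_CLAIMS, ESCAPED))
```

With the unescaped name, the first path segment is `http:`, which is not a key in the claims object, so the lookup comes back empty from both sources.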

        • dan @dan

          Updated the documentation to reflect where the claims are pulled from more precisely: https://github.com/FusionAuth/fusionauth-site/pull/1636

          Please do let me know about the escaping of the claim when you get a chance, @nathan.
