OIDC Identity Provider Claims
-
When using an external OIDC identity provider, where does the email claim get fetched from when attempting to link to a FusionAuth account: the id_token, the access_token, or the userinfo JSON?
I have an id_token from an external IdP that doesn't contain an email address claim, but both the access_token and userinfo do (under the claim http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress, which I have set up under Options -> Email claim), but FusionAuth doesn't seem to be picking it up.
-
Hiya,
We try to get the email or username from the user info response (found using the access token) and then the id_token.
You might need to escape the forward slashes in the claim you provide, according to RFC 6901: https://www.rfc-editor.org/rfc/rfc6901
Can you try that and let us know if the email is picked up? If that was the issue, I'd want to update the documentation to let folks know they need to escape the claim.
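An added example, not FusionAuth's code, showing why the escaping matters: a small RFC 6901 JSON Pointer resolver run against constructed userinfo and id_token payloads (not real tokens), looking up the email first in userinfo and then in the id_token claims, in the order the reply describes. The claim name from the question contains forward slashes, so as an unescaped pointer it is read as a chain of nested keys (`http:`, then an empty key, then `schemas.xmlsoap.org`, ...) and finds nothing; with each `/` escaped as `~1` it is read as one key and the email is found. The leading `/` and the exact pointer form FusionAuth's Email claim option accepts are assumptions here, as are the helper names.

```python
# Constructed sample responses (not real IdP output): the userinfo JSON carries the
# email under a URI-style claim name, the id_token payload does not.
USERINFO = {
    "sub": "1234",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "alice@example.com",
}
ID_TOKEN_CLAIMS = {"sub": "1234", "iss": "https://idp.example.com"}


def escape_token(token: str) -> str:
    """Escape one reference token per RFC 6901: '~' -> '~0' first, then '/' -> '~1'."""
    return token.replace("~", "~0").replace("/", "~1")


def unescape_token(token: str) -> str:
    """Reverse of escape_token, in the order RFC 6901 mandates: '~1' -> '/', then '~0' -> '~'."""
    return token.replace("~1", "/").replace("~0", "~")


def resolve_pointer(doc, pointer: str):
    """Resolve an RFC 6901 JSON Pointer against doc; return None when any step is missing."""
    if pointer == "":
        return doc
    if not pointer.startswith("/"):
        raise ValueError("JSON pointer must be empty or start with '/'")
    current = doc
    for raw in pointer[1:].split("/"):
        key = unescape_token(raw)
        if isinstance(current, dict):
            if key not in current:
                return None
            current = current[key]
        elif isinstance(current, list):
            if not key.isdigit() or int(key) >= len(current):
                return None
            current = current[int(key)]
        else:
            return None
    return current


def find_email(userinfo, id_token_claims, email_pointer: str):
    """Lookup order from the reply (assumed, not FusionAuth's code): userinfo first, then id_token."""
    for source_name, source in (("userinfo", userinfo), ("id_token", id_token_claims)):
        value = resolve_pointer(source, email_pointer)
        if isinstance(value, str) and value:
            return source_name, value
    return None, None


CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
UNESCAPED_POINTER = "/" + CLAIM          # slashes read as nesting: lookup fails
ESCAPED_POINTER = "/" + escape_token(CLAIM)  # one escaped key: lookup succeeds

if __name__ == "__main__":
    print(find_email(USERINFO, ID_TOKEN_CLAIMS, UNESCAPED_POINTER))  # (None, None)
    print(find_email(USERINFO, ID_TOKEN_CLAIMS, ESCAPED_POINTER))    # ('userinfo', 'alice@example.com')
```

Running the block prints the failing unescaped lookup followed by the successful escaped one; `escape_token(CLAIM)` gives the string you would paste into the Email claim field under the leading-slash assumption above.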
-
Updated the documentation to reflect where the claims are pulled from more precisely: https://github.com/FusionAuth/fusionauth-site/pull/1636
Please do let me know about the escaping of the claim when you get a chance, @nathan.