LPS-131528

As an Instance Admin, I can integrate DXP with Azure AD B2C through OpenID Connect by allowing the user claims to be returned from the ID Token

Details

    Description

      Motivation

      Apparently, Azure AD B2C does not have a /userinfo endpoint, and our current OIDC auth logic relies on that endpoint.

      As per https://openid.net/specs/openid-connect-core-1_0.html#IDToken, ID Tokens may include additional claims. As per https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims: "This specification defines a set of standard Claims. They can be requested to be returned either in the UserInfo Response, per Section 5.3.2, or in the ID Token, per Section 2." According to our tests, the ID Token returned by B2C includes the 3 claims we need: email, given_name and family_name (see https://github.com/liferay/liferay-portal/blob/7.3.5-ga6/modules/apps/portal-security-sso/portal-security-sso-openid-connect-impl/src/main/java/com/liferay/portal/security/sso/openid/connect/internal/OpenIdConnectUserInfoProcessorImpl.java#L49-L61).

      Therefore, we could adjust the logic in OpenIdConnectServiceHandlerImpl to be able to retrieve the claims from the ID Token when there is no /userinfo endpoint available. (As far as we can see, https://openid.net/specs/openid-connect-core-1_0.html#UserInfo does not mention that the providers must provide this endpoint.)
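      One way to implement the fallback described above, as an added example that is not Liferay's code: it uses classes from the Nimbus OAuth 2.0 / OpenID Connect SDK, which the portal-security-sso-openid-connect-impl module already builds on. The class and method names ClaimsResolver, resolveUserInfo and MissingClaimException are hypothetical, and the caller is assumed to have already validated the ID Token (signature, iss, aud, exp and nonce, e.g. with Nimbus's IDTokenValidator) before passing its claims in.

```java
import java.io.IOException;
import java.net.URI;

import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
import com.nimbusds.openid.connect.sdk.UserInfoRequest;
import com.nimbusds.openid.connect.sdk.UserInfoResponse;
import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
import com.nimbusds.openid.connect.sdk.claims.UserInfo;
import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;

/**
 * Added example, not Liferay code. Resolves the claims needed to provision a
 * portal user, falling back to the ID Token when the provider (for example
 * Azure AD B2C) publishes no userinfo_endpoint in its discovery metadata.
 *
 * Precondition: idTokenClaims comes from a successfully validated ID Token
 * (signature, iss, aud, exp and nonce already checked). Claims from an
 * unvalidated token must never reach user provisioning.
 */
public final class ClaimsResolver {

    /** Hypothetical exception: the provider returned too little to log the user in. */
    public static final class MissingClaimException extends Exception {
        public MissingClaimException(String message) { super(message); }
    }

    public static UserInfo resolveUserInfo(
            OIDCProviderMetadata providerMetadata,
            IDTokenClaimsSet idTokenClaims,
            BearerAccessToken accessToken)
            throws IOException, ParseException, MissingClaimException {

        URI userInfoEndpoint = providerMetadata.getUserInfoEndpointURI();
        UserInfo userInfo;

        if (userInfoEndpoint == null) {
            // No /userinfo advertised: take the standard claims from the ID Token.
            // OIDC Core 5.1 allows them there; B2C includes email, given_name and
            // family_name when the user flow is configured to return them.
            userInfo = new UserInfo(idTokenClaims.toJWTClaimsSet());
        } else {
            UserInfoResponse response = UserInfoResponse.parse(
                new UserInfoRequest(userInfoEndpoint, accessToken)
                    .toHTTPRequest().send());
            if (!response.indicatesSuccess()) {
                throw new MissingClaimException("userinfo request failed: "
                    + response.toErrorResponse().getErrorObject());
            }
            userInfo = response.toSuccessResponse().getUserInfo();
            // OIDC Core 5.3.2: the sub in the UserInfo response MUST equal the sub
            // of the ID Token; a mismatch means the response must not be trusted.
            if (userInfo == null
                    || !idTokenClaims.getSubject().equals(userInfo.getSubject())) {
                throw new MissingClaimException(
                    "userinfo sub mismatch or response not in plain JSON");
            }
        }

        // The three claims the portal's user-info processor relies on.
        if (userInfo.getEmailAddress() == null
                || userInfo.getGivenName() == null
                || userInfo.getFamilyName() == null) {
            throw new MissingClaimException(
                "provider did not return email, given_name and family_name");
        }
        return userInfo;
    }
}
```

      Two points worth keeping when adapting this: getUserInfo() returns null when the provider answers with a signed JWT instead of plain JSON, so the null check also covers that case; and the sub comparison is what makes the userinfo path as trustworthy as the ID Token path, since the ID Token is the artifact whose signature and audience were actually verified.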

      Acceptance Criteria

            People

              support-lep@liferay.com SE Support
              zsigmond.rab Zsigmond Rab
              Nóra Szél Nóra Szél