
Profile scope claims are missing from the OIDC ID token in Identity Cloud

Last updated Mar 3, 2022

The purpose of this article is to provide assistance if Profile scope claims are missing from the ID token but other claims are present and you have verified all the settings used for the OpenID Connect (OIDC) Claims script in ForgeRock Identity Cloud are correct. You will see "Claims Script start with identity: null" errors when this happens if you add a logger to your OIDC claims script.


Symptoms

Profile scope claims (such as name, given_name and family_name) are missing from the ID token when it is decoded, but claims for other requested scopes are present. For example, your decoded token looks similar to this:

  {
    "at_hash": "PtgPFhutEQ4eHK1_nEVmPQ",
    "sub": "bddb135d-f6b7-4933-bb9e-525d436d48bb",
    "auditTrackingId": "6a8d9c63-3154-4094-8713-63e19368d518-27339",
    "subname": "bddb135d-f6b7-4933-bb9e-525d436d48bb",
    "iss": "https://<tenant-name>.forgeblocks.com/am/oauth2/realms/root/realms/alpha",
    "tokenName": "id_token",
    "sid": "s+g7AVR2lNE6C9t3jx+Tn9VBPO7yVn2xMLHrpH2NAjA=",
    "aud": "<client_name>",
    "c_hash": "t8R_lQDDmeQRQe3Pbfn6rg",
    "acr": "0",
    "org.forgerock.openidconnect.ops": "5-kDQ_4m8XueDlHI0x6mYuKG9To",
    "azp": "<client_name>",
    "auth_time": 1637582507,
    "realm": "/alpha",
    "exp": 1637586136,
    "tokenType": "JWTToken",
    "iat": 1637582536
  }

But you were expecting it to look like this (with name, given_name and family_name claims included):

  {
    "at_hash": "PtgPFhutEQ4eHK1_nEVmPQ",
    "sub": "bddb135d-f6b7-4933-bb9e-525d436d48bb",
    "auditTrackingId": "6a8d9c63-3154-4094-8713-63e19368d518-27339",
    "subname": "bddb135d-f6b7-4933-bb9e-525d436d48bb",
    "iss": "https://<tenant-name>.forgeblocks.com/am/oauth2/realms/root/realms/alpha",
    "tokenName": "id_token",
    "given_name": "John",
    "sid": "s+g7AVR2lNE6C9t3jx+Tn9VBPO7yVn2xMLHrpH2NAjA=",
    "aud": "<client_name>",
    "c_hash": "t8R_lQDDmeQRQe3Pbfn6rg",
    "acr": "0",
    "org.forgerock.openidconnect.ops": "5-kDQ_4m8XueDlHI0x6mYuKG9To",
    "azp": "<client_name>",
    "auth_time": 1637582507,
    "name": "John Doe",
    "realm": "/alpha",
    "exp": 1637586136,
    "tokenType": "JWTToken",
    "iat": 1637582536,
    "family_name": "Doe"
  }
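The following Node.js script is an added example, not ForgeRock's code and not part of the original article. It decodes an ID token's payload and reports which of the Profile scope claims named above are absent, so the symptom can be checked mechanically rather than by eye. The three-claim list, the constructed tokens and the helper names are assumptions of the example; AM's scope-to-claim mapping is configurable, so adjust the list to what your claims script is expected to emit.

```javascript
// Added example (not ForgeRock code): inspect an OIDC ID token payload and report
// which Profile scope claims are absent. Diagnostic only: the payload is decoded,
// not verified, so run it alongside (not instead of) normal signature validation.

// Claims the article expects the "profile" scope to contribute. AM's scope-to-claim
// mapping is configurable, so this list is an assumption of the example.
const PROFILE_CLAIMS = ['name', 'given_name', 'family_name'];

// JWT segments are base64url without padding; normalise to standard base64 first
// so this works on Node versions without the 'base64url' Buffer encoding.
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function base64UrlEncode(text) {
  return Buffer.from(text, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Return the decoded payload (second segment) of a compact JWS such as an ID token.
function decodeIdTokenPayload(idToken) {
  const parts = idToken.split('.');
  if (parts.length !== 3) {
    throw new Error('ID token is not a compact JWS (expected header.payload.signature)');
  }
  return JSON.parse(base64UrlDecode(parts[1]));
}

// List the expected Profile scope claims that the token does not carry.
// An empty array means the symptom described in the article is not present.
function missingProfileClaims(idToken) {
  const payload = decodeIdTokenPayload(idToken);
  return PROFILE_CLAIMS.filter((claim) => !(claim in payload));
}

// Constructed test fixture: an unsigned token (empty signature segment) so the
// example runs offline. Real ID tokens issued by AM are signed; this fixture is
// only for exercising the decoder.
function buildUnsignedJwt(payload) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'none', typ: 'JWT' }));
  return `${header}.${base64UrlEncode(JSON.stringify(payload))}.`;
}

// Constructed payloads mirroring the article's two decoded tokens (placeholder values).
const TOKEN_WITHOUT_PROFILE = buildUnsignedJwt({
  sub: 'bddb135d-f6b7-4933-bb9e-525d436d48bb',
  iss: 'https://<tenant-name>.forgeblocks.com/am/oauth2/realms/root/realms/alpha',
  aud: '<client_name>',
  realm: '/alpha',
  tokenName: 'id_token',
});
const TOKEN_WITH_PROFILE = buildUnsignedJwt({
  sub: 'bddb135d-f6b7-4933-bb9e-525d436d48bb',
  iss: 'https://<tenant-name>.forgeblocks.com/am/oauth2/realms/root/realms/alpha',
  aud: '<client_name>',
  realm: '/alpha',
  tokenName: 'id_token',
  name: 'John Doe',
  given_name: 'John',
  family_name: 'Doe',
});

console.log('missing from first token :', missingProfileClaims(TOKEN_WITHOUT_PROFILE));
console.log('missing from second token:', missingProfileClaims(TOKEN_WITH_PROFILE));
```

Paste a real ID token in place of the constructed fixture to check your own tenant's output; the first token reports all three claims missing, the second reports none.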

Further investigation

You can add a logger to your OIDC claims script to verify you are experiencing the issue outlined in this article as follows: 

  1. Add the following logger statement to your OIDC claims script; this should be added immediately below the initial comment block:

     logger.warning('OpenAMScopeValidator.OIDCClaimScript:Message: Claims Script start with identity: ' + identity);

  2. Repeat the steps to obtain the ID token.
  3. Access the am-core debug log; you can tail this log as described in Tail Logs.
  4. Search the am-core debug log for the following message: Claims Script start with identity. The rest of this message will show either null or the profile ID value, for example:
    • Null:

      "message":"OpenAMScopeValidator.OIDCClaimScript:Message: Claims Script start with identity: null"

      If the identity is null, it confirms you are experiencing the same issue outlined in this article.
    • Profile ID value:

      "message": "OpenAMScopeValidator.OIDCClaimScript:Message: Claims Script start with identity: AMIdentity object: id=bddb135d-f6b7-4933-bb9e-525d436d48bb,ou=user,o=alpha,ou=services,ou=am-config",

      If the profile ID value is shown, this confirms a user ID was passed to the OIDC claims script and you are not experiencing the issue in this article. In this case, you should re-check that all the settings used for the OIDC claims script are correct.

See What logging sources are available in Identity Cloud? for further information on the am-core debug log. 
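To classify the log lines step 4 describes without reading them by hand, here is an added Node.js example (not ForgeRock's code and not part of the original article). It scans am-core debug log lines for the logger message, distinguishes null from an AMIdentity value, and extracts the profile ID from the DN. The sample log lines are constructed for the example, and the assumption that each line is a JSON object carrying the text in a "message" field (or under "payload.message") is the example's own, not a documented log structure; non-JSON lines are treated as raw message text so the same function works on a plain tail.

```javascript
// Added example (not ForgeRock code): triage am-core debug log lines for the
// "Claims Script start with identity" message emitted by the logger statement above.

const MARKER = 'Claims Script start with identity: ';

// Assumption of this example: each log line is a JSON object with the text in
// "message" (or nested under "payload.message"); a line that is not JSON is
// treated as the raw message text.
function extractMessage(line) {
  try {
    const obj = JSON.parse(line);
    if (obj && typeof obj.message === 'string') return obj.message;
    if (obj && obj.payload && typeof obj.payload.message === 'string') return obj.payload.message;
    return null; // valid JSON, but not a log entry with a message
  } catch (err) {
    return line;
  }
}

// Return null for unrelated lines; otherwise report whether the identity was null
// and, when present, the id= value taken from the AMIdentity DN.
function classifyIdentityLogLine(line) {
  const message = extractMessage(line);
  if (message === null) return null;
  const idx = message.indexOf(MARKER);
  if (idx === -1) return null;
  const rest = message.slice(idx + MARKER.length).trim();
  if (rest === 'null') return { identityNull: true, id: null };
  const match = /\bid=([^,]+)/.exec(rest);
  return { identityNull: false, id: match ? match[1] : rest };
}

// Count outcomes across a log excerpt; any nullIdentity hit means the authentication
// process handed no user to the claims script, which is the condition this article covers.
function summarizeClaimsScriptLog(lines) {
  const summary = { nullIdentity: 0, identityPresent: 0, unrelated: 0, ids: [] };
  for (const line of lines) {
    const result = classifyIdentityLogLine(line);
    if (result === null) summary.unrelated += 1;
    else if (result.identityNull) summary.nullIdentity += 1;
    else { summary.identityPresent += 1; summary.ids.push(result.id); }
  }
  return summary;
}

// Constructed sample lines; the message text follows the two forms shown in the article.
const SAMPLE_LOG_LINES = [
  '{"timestamp":"2022-03-03T10:00:00.000Z","message":"Session created for client"}',
  '{"timestamp":"2022-03-03T10:00:01.000Z","message":"OpenAMScopeValidator.OIDCClaimScript:Message: Claims Script start with identity: null"}',
  '{"timestamp":"2022-03-03T10:05:00.000Z","message":"OpenAMScopeValidator.OIDCClaimScript:Message: Claims Script start with identity: AMIdentity object: id=bddb135d-f6b7-4933-bb9e-525d436d48bb,ou=user,o=alpha,ou=services,ou=am-config"}',
];

console.log(summarizeClaimsScriptLog(SAMPLE_LOG_LINES));
```

Feed the output of the tail into `summarizeClaimsScriptLog` line by line (for example via `readline` on stdin); a non-zero nullIdentity count after repeating the token request points at the User Profile setting discussed under Causes, while identityPresent hits mean the script did receive a user and the claims script configuration itself should be re-checked.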

Recent Changes

Changed the User Profile setting to Ignored.

Causes

The OIDC claims script needs a valid user ID to be passed in during authentication in order to retrieve the Profile scope claims for the user and then add them to the ID token. 

When the User Profile option is set to Ignored, the authentication process doesn't check whether a user profile exists and therefore doesn't retrieve any details from it such as the user ID. As a result, a null user ID value is passed to the OIDC claims script, which prevents any profile-related claims from being retrieved and added to the ID token.

This is also true of the Access Token if it has been modified to include claims.

Solution

This issue can be resolved by changing the User Profile setting to something other than Ignored. You can do this as follows:

  1. In the Identity Cloud Admin UI, navigate to Native Consoles > Access Management > Authentication > Settings > User Profile and select the required option from the User Profile field.
  2. Click Save Changes.

See Also

How do I make session properties from a journey available in the OIDC ID token in Identity Cloud?

How do I override claims in the OIDC ID token in Identity Cloud or AM 7.1.x?

Core Authentication Attributes


Copyright and Trademarks Copyright © 2022 ForgeRock, all rights reserved.