OpenID Connect Core Implicit OP: email and verified_email claims not included in ID token #268

Open
tnorimat opened this issue Feb 26, 2022 · 0 comments
tnorimat commented Feb 26, 2022

Description

To get around warnings from OpenID Connect Core Implicit OP conformance tests completely, it is needed to include email and email_verified claims in the ID token when an authorization request includes the email scope value.

Discussion

The OIDC OP basic and hybrid conformance tests require keycloak to include email and email_verified in only a UserInfo endpoint response, while the OIDC OP implicit and formpost implicit conformance tests require keycloak to include email and email_verified in both a UserInfo endpoint response and an ID token.

Affected tests are as follows:

  • Implicit OP (Test Plan: oidcc-implicit-certification-test-plan)

    • Test Name: oidcc-scope-email
    • Test Name: oidcc-scope-all
    • Test Name: oidcc-ensure-other-scope-order-succeeds
  • Form Post OP (implicit) (Test Plan: oidcc-formpost-implicit-certification-test-plan)

    • Test Name: oidcc-scope-email
    • Test Name: oidcc-scope-all
    • Test Name: oidcc-ensure-other-scope-order-succeeds

Conformance suite version is release-v4.1.41.

Motivation

No response

Details

In the current automated conformance test run environment, all OIDC OP conformance tests use a single realm setting file that includes only one realm, due to keycloak's specification.

If we could create the following two client scopes, the issue could be resolved:

  • Client scope whose name is email. It includes email and email_verified in both a UserInfo endpoint response and an ID token. It can be used for the OIDC OP implicit and formpost implicit conformance tests.
  • Client scope whose name is email. It includes email and email_verified in only a UserInfo endpoint response. It can be used for the OIDC OP basic and hybrid conformance tests.

However, keycloak cannot allow us to create client scopes with the same name. Therefore, just one idea is as follows:

  • Prepare a realm for each type of OIDC OP conformance test.
@tnorimat tnorimat added the OIDC label Feb 26, 2022
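As an added illustration (not part of this issue and not Keycloak's own conformance realm file), this is the shape of an `email` client scope in a Keycloak realm export in which both claims are mapped into the ID token as well as the UserInfo response, i.e. the variant the implicit and formpost implicit test plans expect. The mapper type and config key names are Keycloak's; the description and attribute values are assumed defaults.

```json
{
  "clientScopes": [
    {
      "name": "email",
      "description": "OpenID Connect built-in scope: email",
      "protocol": "openid-connect",
      "attributes": {
        "include.in.token.scope": "true",
        "display.on.consent.screen": "true"
      },
      "protocolMappers": [
        {
          "name": "email",
          "protocol": "openid-connect",
          "protocolMapper": "oidc-usermodel-property-mapper",
          "consentRequired": false,
          "config": {
            "user.attribute": "email",
            "claim.name": "email",
            "jsonType.label": "String",
            "id.token.claim": "true",
            "access.token.claim": "true",
            "userinfo.token.claim": "true"
          }
        },
        {
          "name": "email verified",
          "protocol": "openid-connect",
          "protocolMapper": "oidc-usermodel-property-mapper",
          "consentRequired": false,
          "config": {
            "user.attribute": "emailVerified",
            "claim.name": "email_verified",
            "jsonType.label": "boolean",
            "id.token.claim": "true",
            "access.token.claim": "true",
            "userinfo.token.claim": "true"
          }
        }
      ]
    }
  ]
}
```

For the basic and hybrid variant described above, the same two mappers carry `"id.token.claim": "false"` so the claims appear only in the UserInfo response; since a realm can hold only one scope named `email`, each variant needs its own realm, which is the per-test-plan realm split the issue proposes.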