After upgrading to 12.8.08.01, new parameters appear in the ID token and break our application. The following error now occurs:
[ERROR ] SRVE0777E: Exception thrown by application class 'com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException.from:61'
com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "sid" (class com.company.clmpurgeJPA.beans.ClientInfoBean), not marked as ignorable (11 known properties: "sub", "lastname", "auth_time", "GroupNames", "firstname", "iat", "exp", "aud", "iss", "email", "groupNames"])
Before the upgrade, in 12.8.7, the token parameter "sid" was not present.
Policy Server 12.8.08.01
Any OS
New Parameters in ID Token: SiteMinder now includes the sid (session ID) and jti (token identifier in a session store) parameters in an ID Token.
The sid and an additional jti parameter were added to the ID Token post 12.8.08.
The addition of these new token parameters is within the OpenID spec:
OpenID Connect Core 1.0 incorporating errata set 2
The primary extension that OpenID Connect makes to OAuth 2.0 to enable End-Users to be Authenticated is the ID Token data structure. The ID Token is a security token that contains Claims about the Authentication of an End-User by an Authorization Server when using a Client, and potentially other requested Claims. The ID Token is represented as a JSON Web Token (JWT) [JWT].
<...>
ID Tokens MAY contain other Claims. Any Claims used that are not understood MUST be ignored. See Sections 3.1.3.6, 3.3.2.11, 5.1, and 7.4 for additional Claims defined by this specification.
This is not a SiteMinder limitation or requirement. Per the spec, applications need to be modified to ignore the new token parameters (claims) if they are not used.
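
One way to make a Jackson-mapped claims bean ignore claims it does not use, shown as an added example that is not code from the affected application or from SiteMinder. The class names, the reduced field set and the sample payload are assumptions constructed for illustration, and jackson-databind is assumed to be on the classpath.

```java
import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException;

public class IdTokenClaimsDemo {

    // Hypothetical strict bean: with Jackson defaults, any claim that has
    // no matching field makes deserialization fail.
    public static class StrictClaims {
        public String iss;
        public String sub;
        public String aud;
        public long exp;
        public long iat;
        public long auth_time;
        public String email;
    }

    // Hypothetical tolerant bean: claims the application does not understand
    // are skipped, which is what the spec text quoted above requires.
    @JsonIgnoreProperties(ignoreUnknown = true)
    public static class TolerantClaims extends StrictClaims { }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a decoded ID Token payload that carries the
        // new sid and jti claims alongside the ones the bean knows.
        String payload = "{\"iss\":\"https://idp.example.com\",\"sub\":\"user1\","
            + "\"aud\":\"client-1\",\"exp\":1700003600,\"iat\":1700000000,"
            + "\"auth_time\":1700000000,\"email\":\"user1@example.com\","
            + "\"sid\":\"constructed-session-id\",\"jti\":\"constructed-token-id\"}";

        ObjectMapper mapper = new ObjectMapper();

        // Before the change: the first unknown claim aborts parsing.
        try {
            mapper.readValue(payload, StrictClaims.class);
        } catch (UnrecognizedPropertyException e) {
            System.out.println("strict bean rejected claim: " + e.getPropertyName());
        }

        // After the change: sid and jti are ignored, known claims still bind.
        TolerantClaims claims = mapper.readValue(payload, TolerantClaims.class);
        System.out.println("tolerant bean parsed sub=" + claims.sub + " aud=" + claims.aud);
    }
}
```

The same behavior can be set for a whole mapper with `mapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false)`. Ignoring unused claims only affects binding; signature, iss, aud and exp validation of the ID Token stay as they were.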