The following table describes the compatibilities between the legacy tokens (produced by V1 and V2 of the OIDC extension) and V3 of the OIDC OP plugin.
V1-V2 | V3.0.0-V3.0.1 (token/userinfo) | V3.0.2+ (token/userinfo) | |
|---|---|---|---|
1. V1-V2 Authorization code without consent | Uncaught runtime exception in the logs. Response for the client: {"error_description":"RuntimeException","error":"invalid_request"} | ||
2. V1-V2 Authorization code with consent (no claim-values encoded in code) | Uncaught runtime exception in the logs. Response for the client: {"error_description":"RuntimeException","error":"invalid_request"} | Produces tokens acting in the same way as case 5. | |
3. V1-V2 Authorization code with consent (claim-values encoded in code) | Uncaught runtime exception in the logs. Response for the client: {"error_description":"RuntimeException","error":"invalid_request"} | Produces tokens acting in the same way as case 6. | |
4. V1-V2 Refresh/Access tokens without consent | Uncaught runtime exception in the logs. Response for the client: {"error_description":"RuntimeException","error":"invalid_request"} | ||
5. V1-V2 Refresh/Access tokens with consent (no claim-values encoded in token) | Uncaught runtime exception in the logs. Response for the client: {"error_description":"RuntimeException","error":"invalid_request"} | Only claims with name matching the attributeID are returned | |
6. V1-V2 Refresh/Access tokens with consent (claim-values encoded in token) | Uncaught runtime exception in the logs. Response for the client: {"error_description":"RuntimeException","error":"invalid_request"} | The consented claims whose values are encoded (setToToken=”true” on V1/V2 attribute-encoder configuration) in the tokens are returned |
The idp.oidc.encodeConsentInTokens -configuration property on V3.0.0 only affects on the code/tokens produced by the current version - it doesn’t affect on the incoming codes/tokens.