OIDC legacy token (in)compatibilities

The following table describes the compatibilities between the legacy tokens (produced by V1 and V2 of the OIDC extension) and V3 of the OIDC OP plugin.

 

V1-V2

V3.0.0-V3.0.1 (token/userinfo)

V3.0.2+ (token/userinfo)

 

V1-V2

V3.0.0-V3.0.1 (token/userinfo)

V3.0.2+ (token/userinfo)

1. V1-V2 Authorization code without consent

 

Uncaught runtime exception in the logs. Response for the client:

{"error_description":"RuntimeException","error":"invalid_request"}

 

2. V1-V2 Authorization code with consent

(no claim-values encoded in code)

 

Uncaught runtime exception in the logs. Response for the client:

{"error_description":"RuntimeException","error":"invalid_request"}

Produces tokens acting in the same way as case 5.

3. V1-V2 Authorization code with consent

(claim-values encoded in code)

 

Uncaught runtime exception in the logs. Response for the client:

{"error_description":"RuntimeException","error":"invalid_request"}

Produces tokens acting in the same way as case 6.

4. V1-V2 Refresh/Access tokens without consent

 

Uncaught runtime exception in the logs. Response for the client:

{"error_description":"RuntimeException","error":"invalid_request"}

 

5. V1-V2 Refresh/Access tokens with consent

(no claim-values encoded in token)

 

Uncaught runtime exception in the logs. Response for the client:

{"error_description":"RuntimeException","error":"invalid_request"}

Only claims with name matching the attributeID are returned

See JOIDC-19: Applying consent to back-channel uses the wrong attribute namesClosed

6. V1-V2 Refresh/Access tokens with consent

(claim-values encoded in token)

 

Uncaught runtime exception in the logs. Response for the client:

{"error_description":"RuntimeException","error":"invalid_request"}

The consented claims whose values are encoded (setToToken=”true” on V1/V2 attribute-encoder configuration) in the tokens are returned

The idp.oidc.encodeConsentInTokens -configuration property on V3.0.0 only affects on the code/tokens produced by the current version - it doesn’t affect on the incoming codes/tokens.