OIDC legacy token (in)compatibilities
The following table describes the compatibilities between the legacy tokens (produced by V1 and V2 of the OIDC extension) and V3 of the OIDC OP plugin.
| V1-V2 | V3.0.0-V3.0.1 (token/userinfo) | V3.0.2+ (token/userinfo) |
|---|---|---|
| 1. V1-V2 Authorization code without consent | Uncaught runtime exception in the logs. Response for the client: {"error_description":"RuntimeException","error":"invalid_request"} | |
| 2. V1-V2 Authorization code with consent (no claim-values encoded in code) | Uncaught runtime exception in the logs. Response for the client: {"error_description":"RuntimeException","error":"invalid_request"} | Produces tokens acting in the same way as case 5. |
| 3. V1-V2 Authorization code with consent (claim-values encoded in code) | Uncaught runtime exception in the logs. Response for the client: {"error_description":"RuntimeException","error":"invalid_request"} | Produces tokens acting in the same way as case 6. |
| 4. V1-V2 Refresh/Access tokens without consent | Uncaught runtime exception in the logs. Response for the client: {"error_description":"RuntimeException","error":"invalid_request"} | |
| 5. V1-V2 Refresh/Access tokens with consent (no claim-values encoded in token) | Uncaught runtime exception in the logs. Response for the client: {"error_description":"RuntimeException","error":"invalid_request"} | Only claims with name matching the attributeID are returned |
| 6. V1-V2 Refresh/Access tokens with consent (claim-values encoded in token) | Uncaught runtime exception in the logs. Response for the client: {"error_description":"RuntimeException","error":"invalid_request"} | The consented claims whose values are encoded (setToToken="true" on V1/V2 attribute-encoder configuration) in the tokens are returned |
The idp.oidc.encodeConsentInTokens configuration property on V3.0.0 only affects the codes/tokens produced by the current version; it does not affect incoming codes/tokens.