Hello,
I’m trying to replace the sub claim on the AccessToken, but I’m facing an issue which I can’t explain. While replacing the sub claim, if the replacement is done with an oidc-usermodel-attribute-mapper, the token validation will fail on Envoy with an “Invalid JWT” message.
Here’s the protocolMapper as is in the realm-export.json file:
{
  "id": "6b15d413-71da-4adc-a026-37289c359f0b",
  "name": "originalid-subject-mapper",
  "protocol": "openid-connect",
  "protocolMapper": "oidc-usermodel-attribute-mapper",
  "consentRequired": false,
  "config": {
    "userinfo.token.claim": "true",
    "user.attribute": "originalId",
    "id.token.claim": "true",
    "access.token.claim": "true",
    "claim.name": "sub",
    "jsonType.label": "String"
  }
}
However, doing exactly the same thing (meaning, the final AccessToken is exactly the same) with an oidc-script-based-protocol-mapper works just fine and the validation works.
Here’s the config, also from the realm file:
{
  "id": "54bc90bb-6ca5-4a91-aea6-2e864491cfc0",
  "name": "originalid-subject-mapper",
  "protocol": "openid-connect",
  "protocolMapper": "oidc-script-based-protocol-mapper",
  "consentRequired": false,
  "config": {
    "userinfo.token.claim": "true",
    "id.token.claim": "true",
    "access.token.claim": "true",
    "claim.name": "sub",
    "jsonType.label": "String",
    "script": "token.setSubject(user.getFirstAttribute(\"originalId\"));"
  }
}
Why does this happen? It’s totally baffling me.
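An added diagnostic, not part of the post above: decode the access token produced by each mapper and parse its payload strictly, because “exactly the same” judged through a lenient JSON decoder can hide a wire-level difference that a strict validator such as Envoy’s rejects. The two tokens below are constructed and unsigned; a `sub` key that appears twice in the payload is one assumed shape of such a difference, used here only to show what the check catches, not a confirmed cause.

```python
import base64
import json


def b64url_encode(data: bytes) -> str:
    # JWT segments use unpadded base64url.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Restore the padding that JWT segments drop before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_test_token(payload_json: str) -> str:
    # Constructed test token: real header, the payload text exactly as given,
    # and a dummy signature. Only the payload encoding matters for this check.
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url_encode(payload_json.encode())}.x"


def strict_object(raw: bytes) -> dict:
    """Parse a JSON object, rejecting duplicate keys as a strict validator would."""
    def reject_dupes(pairs):
        out = {}
        for key, value in pairs:
            if key in out:
                raise ValueError(f"duplicate claim {key!r}")
            out[key] = value
        return out
    return json.loads(raw, object_pairs_hook=reject_dupes)


def diagnose(token: str) -> dict:
    """Compare the lenient view of a token's payload with a strict parse."""
    _header, payload, _sig = token.split(".")
    raw = b64url_decode(payload)
    lenient = json.loads(raw)  # a plain dict silently keeps only the last duplicate
    result = {"lenient_sub": lenient.get("sub"),
              "sub_is_string": isinstance(lenient.get("sub"), str),
              "strict_error": None}
    try:
        strict_object(raw)
    except ValueError as exc:
        result["strict_error"] = str(exc)
    return result


# Constructed payloads: identical after lenient decoding, different on the wire.
TOKEN_CLEAN = make_test_token('{"sub":"orig-123","iss":"https://kc.example/realms/x"}')
TOKEN_DUP = make_test_token('{"sub":"f81d4fae","iss":"https://kc.example/realms/x","sub":"orig-123"}')

if __name__ == "__main__":
    for name, tok in (("clean", TOKEN_CLEAN), ("dup", TOKEN_DUP)):
        print(name, diagnose(tok))
```

To apply it to the real tokens, paste the raw access token string from each mapper into `diagnose()` and compare `strict_error` and `sub_is_string` rather than the decoded claim sets.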