-
We are facing errors that appear to be due to a mismatch of letter cases:
It looks like mod_auth_openidc does a case-sensitive comparison. According to our IAM team, these values are not case-sensitive since the underlying data is not case sensitive. For this reason, the comparison should ignore the case of the letters. Is there any way, to configure mod_auth_openidc to do a case-insensitive comparison? |
Beta Was this translation helpful? Give feedback.
Replies: 3 comments 1 reply
-
The spec https://openid.net/specs/openid-connect-core-1_0.html#IDToken says:
So the value of
Hence mod_auth_openidc's implementation is spec-compliant, as claimed. If we were to loosen this, it would probably also break certification conformance testing (https://openid.net/certification) |
Beta Was this translation helpful? Give feedback.
-
Is there a way on the other hand to make the Thank you |
Beta Was this translation helpful? Give feedback.
-
you can use a PCRE regular expression in the "claim" value, see /applis/asif/apache/domaineASI/conf/extra/oidc.conf |
Beta Was this translation helpful? Give feedback.
The spec https://openid.net/specs/openid-connect-core-1_0.html#IDToken says:
So the value of
sub
is case sensitive by definition. Upon receiving the userinfo response, the spec https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse dictates: