indigo-iam/iam

Claim missing with wlcg enabled client

Closed this issue · 3 comments

If I create a client with these scopes "openid profile offline_access email wlcg wlcg.groups", which enables the wlcg profile for that client, and generate a token with that client, claims like email and preferred_username are missing. These claims are required in the OpenStack Keystone mapping for our security policy.

Probably you have the property iam.access_token.include_authn_info: true in your application.yml file, which includes the additional claims you mentioned in your access token. This variable is not used within the WLCG JWT profile, so a fix could be making the setting of that property relevant also in the case of a WLCG JWT. But we need to understand if this is compatible with the WLCG profile. I guess yes, but if not, an alternative could be providing you a new JWT profile that extends the WLCG one and adds those additional claims. We need to discuss this internally. We'll let you know.
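
A quick way to confirm which claims a client's access token actually carries, as an added example that is not part of this thread or of the IAM code base: decode the token payload (no signature verification, inspection only) and report the claims the Keystone mapping needs but does not find. The tokens below are constructed inline and unsigned; the claim names email and preferred_username come from the report above, and the assumption that a WLCG-profile token can be recognised by its wlcg.ver claim is mine, not something stated in the thread.

```python
import base64
import json
from typing import Dict, List, Tuple

# Claims the Keystone mapping in the report expects to find in the access token.
REQUIRED_CLAIMS = ("email", "preferred_username")


def _b64url_decode(segment: str) -> str:
    # JWT segments are base64url without padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding).decode("utf-8")


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_payload(token: str) -> Dict:
    """Return the payload of a compact JWS token WITHOUT verifying its signature.

    This is for inspecting claims during troubleshooting only; an authorization
    decision must be based on a token whose signature has been verified against
    the issuer's JWKS.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def missing_claims(payload: Dict, required=REQUIRED_CLAIMS) -> List[str]:
    """Names from `required` that are absent from the payload, in order."""
    return [claim for claim in required if claim not in payload]


def is_wlcg_profile(payload: Dict) -> bool:
    # Assumption: a token minted under the WLCG profile carries a wlcg.ver claim.
    return "wlcg.ver" in payload


def make_unsigned_token(payload: Dict) -> str:
    """Build a constructed, unsigned token (empty signature) for offline testing."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}."


def check_token(token: str) -> Tuple[bool, List[str]]:
    """(is WLCG-profile token, list of required claims that are missing)."""
    payload = decode_jwt_payload(token)
    return is_wlcg_profile(payload), missing_claims(payload)


# Constructed sample 1: what the reporter sees with the wlcg scopes enabled.
WLCG_TOKEN = make_unsigned_token({
    "iss": "https://iam.example.org/",          # hypothetical issuer
    "sub": "b1c4e6d2-0000-4000-8000-000000000001",
    "aud": "https://wlcg.cern.ch/jwt/v1/any",
    "wlcg.ver": "1.0",
    "scope": "openid profile offline_access email wlcg wlcg.groups",
    "wlcg.groups": ["/example"],
})

# Constructed sample 2: the same client without the WLCG profile, where
# iam.access_token.include_authn_info adds the extra claims.
IAM_TOKEN = make_unsigned_token({
    "iss": "https://iam.example.org/",
    "sub": "b1c4e6d2-0000-4000-8000-000000000001",
    "scope": "openid profile offline_access email",
    "email": "user@example.org",
    "preferred_username": "user",
})


if __name__ == "__main__":
    for name, tok in (("wlcg", WLCG_TOKEN), ("iam", IAM_TOKEN)):
        wlcg, missing = check_token(tok)
        print(f"{name}: wlcg_profile={wlcg} missing={missing}")
```

Run it against a real token by replacing the constructed samples with the string returned from the token endpoint; if `missing` is non-empty for a WLCG-profile token, you are hitting the behaviour described in this issue rather than a Keystone mapping problem.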

Many thanks for the explanation. I'll wait for your response.

Hi all,
adding existing standard claims should be fine.