...
| No | Caveats in 2018-05-16 Moscow (OIDC) |
| C1 | Merchants should not use hardcoded base URLs for supported endpoints that are included in the response from Openid-configuration. The recommened practise is to always use any endpoint URL that is contained in the output from Openid-configuration. |
| C2 | The OIDC Provider currently support multi-audience access tokens but may change its support to single-audience token in the future. See the section on Access Tokens for further information on the recommended integration practise to be prepared for such a future possible change. |
| C3 | The nnin_altsub claim is never part of an Access Token regardless of the presence of this claim in the corresponding ID Token. Resource Servers that are entitled to receive nnin_altsub must be configred to for such access and retrieve this claim via introspection |
| C2C4 | The default userinfo endpoint in Keyacloack Keyacloak <oidc-baseurl>/protocol/openid-connect/userinfo is replaced by a corresponding userinfo endpoint for TINFO. The latter must be used and is reported in .well-knowi/openid-configuration. The default Keycloack userinfo still respons but does not contain any data that is not already part of the ID Token. |
| C3C5 | Access to certain scopes may be granted even if such scopes are not explicitly included in the request to Authorize or Token endpoints. This will happen if the OIDC Client is configured with access to such scopes, and such scopes are defined as default in the OIDC Provider. |
| C4C6 | Scopes requested via Authorize or Token endpoints may be silently ignored without any error to the OIDC Client if (i) the scope value is mis-spelled og (ii) the client in question is not configured for access to the scope(s) in question. To avoid mis-spelling, note that scopes values are case-sensitive. |
| C5C7 | JS Connector login window may not close on Internet Explorer / Edge browsers when Cross-domain messaging is used. If you follow the methods demonstrated in the example using cross-domain messaging from the redirect_uri to the JS Connector instance on the parent page, and you use window method, then you will most likely experience that Internet Explorer blocks the communication between the window and the parent. This can happen when the window being opened is on a different domain than the parent site. To work around this problem, you need to setup an endpoint on your domain as the doInit oauth_url parameter which then redirects to the proper Authorize endpoint. This way the window is opened on your own domain and cross domain messaging should work. |
| C6C8 | Missing or empty query parameteres when calling JS Connector doConnect in certain cases. This is probably due to doInit not being called before doConnect is called for some reason. The oidc-connector-loaded event waits for the page to be loaded before firing. For example, if you call doInit when the OIDC loaded event fires, then if the page load slowly you may have a small window where doConnect is triggered before the doInit call was made. A workaround could be to always call doInit before doConnect or go for synchronous loading. |
...