Status Unlikely to implement
Categories User management
Created by Guest
Created on Jun 4, 2020

Make the JWT claims OIDC conformant

The first_name and last_name claims required by Aha! are not OIDC conformant, leading to duplicate information in previously conformant JWT tokens. This increases the size of tokens. This can also make it harder to use a common token for Aha! and other services that are OIDC conformant.

The fix is pretty simple - support the OIDC conformant claims of "given_name" and "family_name" in place of "first_name" and "last_name".

OIDC 1.0 standard claims: https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
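The two claim sets the request contrasts, worked through as an added example (this is not code from the post, from Aha!, or from any identity provider). It assumes a stdlib-only HS256 signer with a made-up shared secret and constructed sample claims; the real Aha! SSO algorithm and key handling are not described on this page. `add_legacy_aliases` shows the issuer-side duplication the post complains about and `size_overhead` measures what it costs in the compact token; `resolve_name_claims` is the consumer-side aliasing the post asks for, accepting the OIDC `given_name`/`family_name` claims and falling back to the legacy `first_name`/`last_name` names.

```python
import base64
import hashlib
import hmac
import json
from typing import Tuple

# Hypothetical shared secret for this example only; not a real Aha! or IdP key.
SECRET = b"example-shared-secret-not-real"

# Claims an OIDC-conformant IdP would issue (constructed sample values).
OIDC_CLAIMS = {
    "iss": "https://idp.example.com/",
    "sub": "user-123",
    "aud": "ideas.example.com",
    "email": "jane@example.com",
    "given_name": "Jane",
    "family_name": "Doe",
}

# OIDC standard claim -> legacy claim name the post says Aha! requires.
OIDC_TO_LEGACY = {"given_name": "first_name", "family_name": "last_name"}


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS (RFC 7515) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url: restore the padding the compact form drops."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_hs256(claims: dict) -> str:
    """Minimal HS256 JWT encoder; the algorithm is an assumption of this example."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(SECRET, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def decode_hs256(token: str) -> dict:
    """Verify the signature (and pin the algorithm) before trusting any claim."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg; refusing to verify")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(SECRET, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), sig_b64):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


def add_legacy_aliases(claims: dict) -> dict:
    """Issuer-side workaround: carry the same names twice so a legacy consumer is satisfied."""
    out = dict(claims)
    for oidc_name, legacy_name in OIDC_TO_LEGACY.items():
        if oidc_name in claims:
            out[legacy_name] = claims[oidc_name]
    return out


def resolve_name_claims(claims: dict) -> Tuple[str, str]:
    """Consumer-side aliasing: prefer the OIDC claims, fall back to the legacy names."""
    first = claims.get("given_name", claims.get("first_name"))
    last = claims.get("family_name", claims.get("last_name"))
    if first is None or last is None:
        raise KeyError("token carries neither OIDC nor legacy name claims")
    return first, last


def size_overhead(claims: dict) -> int:
    """Characters added to the compact token by duplicating the name claims."""
    return len(encode_hs256(add_legacy_aliases(claims))) - len(encode_hs256(claims))


if __name__ == "__main__":
    token = encode_hs256(add_legacy_aliases(OIDC_CLAIMS))
    print("name resolved from verified token:", resolve_name_claims(decode_hs256(token)))
    print("overhead of duplicate claims (chars):", size_overhead(OIDC_CLAIMS))
```

The consumer-side function is the cheap end of the fix the post proposes: a verifier that reads `given_name`/`family_name` first and only falls back to `first_name`/`last_name` lets an issuer stop duplicating claims without breaking tokens that still carry the legacy names.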

  • Guest
    Jun 13, 2020

    Thank you for the response. You guys will likely need to deal with OIDC in the not too distant future. Identity service providers, such as Auth0 and Okta, are beginning to deprecate non-OIDC conformant tokens:

    https://auth0.com/docs/api-auth/tutorials/adoption#my-application-works-just-fine-why-should-i-update-

    New security features, at least for Auth0, are only being added to OIDC conformant tokens. This is making it more difficult for me to integrate non-OIDC conformant systems into SSO for our customers (we are setting up SSO from our SaaS offering to our Aha! Ideas page). At some point I will be forced to choose between:

    1. Not enabling a key security feature for our service because we can't be OIDC compliant due to Aha! JWT requirements

    2. Forcing a customer to authenticate separately to Aha! Ideas

    3. Moving to another provider that can accept OIDC conformant JWT for equivalent Aha! Ideas submittal

    Options 1 and 2 are not workable long-term.

  • Admin
    Chris Waters
    Jun 5, 2020

    The JWT implementation in Aha! predates the OIDC specification. Unfortunately the current implementation does not make it possible to add aliases for the claims and we cannot change the existing claims without breaking backwards compatibility.