Description
In Identity Server 5.7, there is no restriction on creating local claims without the http://wso2.org/claims prefix. For example, a claim can simply be created as test instead of http://wso2.org/claims/test.
However, when this setup is migrated to Identity Server 7.1, such claims are dropped during the JIT provisioning flow [1]. As a result, the attributes of JIT-provisioned users are lost.
To prevent this data loss, the migration client should validate local claim names during migration. If any local claim is found without the http://wso2.org/claims prefix, the migration client should either automatically add the prefix during migration or fail the migration with a clear error message instructing that the claims must be corrected before proceeding.
Steps to Reproduce
- Create a claim called 'test' in IS 5.7 without the prefix "http://wso2.org/claims/"
- Migrate the setup to 7.1
- Configure the JIT provisioning
- Request the above-created claim
- Observe that the ID token contains the claim properly, but the UM_USER_ATTRIBUTE table does not contain it.
Please select the area issue is related to
Authentication & Registration
Version
7.2
Environment Details (with versions)
No response
Developer Checklist
- [Behavioural Change] Does this change introduce a behavioral change to the product?
  - ↳ Approved by team lead
  - ↳ Label impact/behavioral-change added
- [Migration Impact] Does this change have a migration impact?
  - ↳ Migration label added (e.g., 7.2.0-migration)
  - ↳ Migration issues created and linked
- [New Configuration] Does this change introduce a new configuration?
  - ↳ Label config added
  - ↳ Configuration is properly documented
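A sketch of the pre-migration check proposed in the description, added here as an example; it is not code from the WSO2 migration client. The function name `plan_claim_migration`, the `auto_fix` switch, the bare-name pattern and the sample claim lists are assumptions made for illustration; only the `http://wso2.org/claims/` prefix comes from the issue.

```python
import re

LOCAL_DIALECT = "http://wso2.org/claims/"       # prefix named in the issue
SIMPLE_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")  # assumption: names safe to auto-prefix


class ClaimMigrationError(Exception):
    """Raised when local claims must be corrected before migrating."""


def plan_claim_migration(claim_uris, auto_fix=False):
    """Return {old_uri: new_uri} for claims to rename, or raise.

    claim_uris: local claim names as stored in the source deployment.
    auto_fix=False -> fail on any claim outside the local dialect.
    auto_fix=True  -> prefix bare names; still fail on anything ambiguous.
    """
    existing = set(claim_uris)
    renames, blocked = {}, []
    for uri in claim_uris:
        if uri.startswith(LOCAL_DIALECT) and len(uri) > len(LOCAL_DIALECT):
            continue  # already a well-formed local claim
        target = LOCAL_DIALECT + uri
        if not auto_fix:
            blocked.append(f"{uri!r}: missing prefix {LOCAL_DIALECT}")
        elif not SIMPLE_NAME.match(uri):
            blocked.append(f"{uri!r}: not a bare name, rename manually")
        elif target in existing or target in renames.values():
            # Prefixing would silently merge two distinct claims.
            blocked.append(f"{uri!r}: {target} already exists")
        else:
            renames[uri] = target
    if blocked:
        raise ClaimMigrationError(
            "Correct these local claims before migrating:\n  " + "\n  ".join(blocked))
    return renames


# Constructed sample input, not taken from a real deployment.
SAMPLE = ["http://wso2.org/claims/emailaddress", "test", "department"]
CONFLICT = ["http://wso2.org/claims/test", "test"]

if __name__ == "__main__":
    print(plan_claim_migration(SAMPLE, auto_fix=True))
    try:
        plan_claim_migration(CONFLICT, auto_fix=True)
    except ClaimMigrationError as err:
        print(err)
```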