Description
Version
v4.39.4
Deployment Method
Bare-metal
Reverse Proxy
NGINX
Reverse Proxy Version
1.28.0
Description
Our company uses a third-party application that recently introduced OAuth 2.0 authentication support. During configuration, we need to create a custom claim named "http://example.com/myclaim". However, when we attempt to configure this custom claim in Authelia using the full URL as the claim name, Authelia fails to start. While changing the claim name to something simpler like "myclaim" allows Authelia to start successfully, the third-party application specifically requires the URL format for the claim name and this requirement cannot be modified on their end.
I have also attempted several different methods to escape the special characters within the URL, but none of these approaches have been successful.
Reproduction
Add the following configuration to Authelia's config file:
```yaml
identity_providers:
  oidc:
    claims_policies:
      3rdparty_policy:
        custom_claims:
          "http://example.com/myclaim":
            attribute: 'ioadmin'
    clients:
      - client_id: '3rdparty'
        client_secret: ''
        public: true
        authorization_policy: 'one_factor'
        consent_mode: 'implicit'
        redirect_uris:
          - 'http://localhost:42420/3rdparty.UIL.Shell'
        scopes:
          - 'openid'
          - 'profile'
          - 'groups'
          - 'email'
        token_endpoint_auth_method: 'none'
        claims_policy: '3rdparty_policy'
        audience:
          - 'https://example.com/api'
```
When Authelia attempts to start with this configuration, it fails due to the URL format used in the custom claim name "http://example.com/myclaim". The issue specifically occurs when using a full URL (including the protocol and domain) as the claim identifier.
This format is required by our third-party application and cannot be changed to a simpler claim name like "myclaim", which would otherwise allow Authelia to start successfully.
Expectations
I expect to be able to use "http://example.com/myclaim" as a custom claim name.
Configuration (Authelia)
Build Information
```text
Last Tag: v4.39.4
State: tagged clean
Branch: v4.39.4
Commit: 3f173e1cd1acda592dcb4aa161f43823d6df1110
Build Number: AUR
Build OS: linux
Build Arch: amd64
Build Compiler: gc
Build Date: Thu, 19 Jun 2025 08:38:11 +0200
Extra:
Go:
Version: go1.24.3
Module Path:
Executable Path: command-line-arguments
```
Logs (Authelia)
```text
Started Authelia authentication and authorization server.
time="2025-06-19T14:02:22+02:00" level=debug msg="Loaded Configuration Sources" files="[/etc/authelia/configuration.yml]" filters="[]"
time="2025-06-19T14:02:22+02:00" level=debug msg="Logging Initialized" fields.level=debug file= format= keep_stdout=false
time="2025-06-19T14:02:22+02:00" level=debug msg="Process user information" gid=957 gids=958 name="Authelia Daemon User" uid=957 username=authelia
time="2025-06-19T14:02:22+02:00" level=error msg="Configuration: configuration key not expected: identity_providers.oidc.claims_policies.justenough_policy.custom_claims.http://example.com/myclaim.attribute" stack="github.com/authelia/authelia/v4/internal/commands/context.go:189 NewRootCmd.(*CmdCtx).ChainRunE.func1\ngithub.com/spf13/cobra@v1.9.1/command.go:1000 (*Command).execute\ngithub.com/spf13/cobra@v1.9.1/command.go:1148 (*Command).ExecuteC\ngithub.com/spf13/cobra@v1.9.1/command.go:1071 (*Command).Execute\n./main.go:10 main\ninternal/runtime/atomic/types.go:194 (*Uint32).Load\nruntime/asm_amd64.s:1700 goexit"
time="2025-06-19T14:02:22+02:00" level=error msg="Configuration: identity_providers: oidc: claims_policies: justenough_policy: claim with name 'http://example' has an attribute name 'http://example' which is not a known attribute" stack="github.com/authelia/authelia/v4/internal/commands/context.go:189 NewRootCmd.(*CmdCtx).ChainRunE.func1\ngithub.com/spf13/cobra@v1.9.1/command.go:1000 (*Command).execute\ngithub.com/spf13/cobra@v1.9.1/command.go:1148 (*Command).ExecuteC\ngithub.com/spf13/cobra@v1.9.1/command.go:1071 (*Command).Execute\n./main.go:10 main\ninternal/runtime/atomic/types.go:194 (*Uint32).Load\nruntime/asm_amd64.s:1700 goexit"
time="2025-06-19T14:02:22+02:00" level=fatal msg="Can't continue due to the errors loading the configuration" stack="github.com/authelia/authelia/v4/internal/commands/context.go:189 NewRootCmd.(*CmdCtx).ChainRunE.func1\ngithub.com/spf13/cobra@v1.9.1/command.go:1000 (*Command).execute\ngithub.com/spf13/cobra@v1.9.1/command.go:1148 (*Command).ExecuteC\ngithub.com/spf13/cobra@v1.9.1/command.go:1071 (*Command).Execute\n./main.go:10 main\ninternal/runtime/atomic/types.go:194 (*Uint32).Load\nruntime/asm_amd64.s:1700 goexit"
authelia.service: Main process exited, code=exited, status=1/FAILURE
authelia.service: Failed with result 'exit-code'.
```
Logs (Proxy / Application)
Documentation
No response
Generative AI
No
Pre-Submission Checklist
- I agree to follow the Code of Conduct
- This is a bug report and not a support request
- I have read the security policy and this bug report is not a security issue or security related issue
- I have either included the complete configuration file or I am sure it's unrelated to the configuration
- I have either included the complete debug / trace logs or the output of the build-info command if the logs are not relevant
- I have provided all of the required information in full with the only alteration being reasonable sanitization in accordance with the Troubleshooting Sanitization reference guide
- I have checked for related proxy or application logs and included them if available
- I have checked for related issues and checked the documentation
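The log lines above report the configuration key as a dot-delimited path (`...custom_claims.http://example.com/myclaim.attribute`) and then name the claim `'http://example'`, which is what a loader that splits keys on `.` would produce from `example.com`. The Go program below is an added illustration, not Authelia's own loader code; it assumes only that nested keys are flattened to `a.b.c` form and rebuilt by splitting on the dot, and uses a constructed one-claim config with the issue's `ioadmin` attribute.

```go
package main

import "strings"

// flatten turns nested maps into "a.b.c" keys, the form the issue's log line shows.
func flatten(prefix string, in map[string]any, out map[string]any) {
	for k, v := range in {
		key := strings.TrimPrefix(prefix+"."+k, ".")
		if child, ok := v.(map[string]any); ok {
			flatten(key, child, out)
		} else {
			out[key] = v
		}
	}
}

// unflatten splits every flat key on "." and rebuilds the tree. The dot inside
// "example.com" is split like any other, so the claim becomes "http://example".
func unflatten(flat map[string]any) map[string]any {
	root := map[string]any{}
	for k, v := range flat {
		parts := strings.Split(k, ".")
		cur := root
		for _, p := range parts[:len(parts)-1] {
			next, ok := cur[p].(map[string]any)
			if !ok {
				next = map[string]any{}
				cur[p] = next
			}
			cur = next
		}
		cur[parts[len(parts)-1]] = v
	}
	return root
}

// ClaimsSeen returns the custom_claims subtree after a flatten/unflatten round
// trip of one configured claim (constructed sample, attribute 'ioadmin' as in the issue).
func ClaimsSeen(claim string) map[string]any {
	cfg := map[string]any{"custom_claims": map[string]any{claim: map[string]any{"attribute": "ioadmin"}}}
	flat := map[string]any{}
	flatten("", cfg, flat)
	return unflatten(flat)["custom_claims"].(map[string]any)
}
func main() {
	for name := range ClaimsSeen("http://example.com/myclaim") {
		println("loader sees claim:", name) // prints http://example
	}
}
```

A plain name such as `myclaim` survives the round trip unchanged, which matches the reporter's observation that the simpler name starts fine.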