Order of consent interceptors in postAuthenticationFlows matters

[gueuselambix]

I thought I would share this problem, because it took me quite some time to figure this out.
I tried to add some claims to the id_token, but for some reason those attributes did not end up in the id_token (resolving, filtering, etc) was all fine.

relying-party.xml looked like:

<bean parent="OIDC.SSO" p:postAuthenticationFlows="#{ {'impersonate', 'context-check', 'attribute-release', 'terms-of-use'} }" />

The logs:

DEBUG [org.geant.idpextension.oidc.profile.impl.SetConsentToResponseContext:145] - Profile Action SetConsentToResponseContext: Set to response context consented attributes [] and consentable attributes ["givenName","surname","commonName","email","uid","eduPersonOrgUnitDN"] - 

When I put the terms-of-use interceptor before attribute-release it worked:

DEBUG [org.geant.idpextension.oidc.profile.impl.SetConsentToResponseContext:145] - Profile Action SetConsentToResponseContext: Set to response context consented attributes ["givenName","surname","commonName","email","uid","eduPersonOrgUnitDN"] and consentable attributes ["givenName","surname","commonName","email","uid","eduPersonOrgUnitDN"] - 

and all the attributes with placeToIDToken="true" were present in the id_token.

This is probably due to the fact that both the attribute-release and terms-of-use interceptor are using the same ConsentContext.