Hi,

I'm using CAS 6.1.0-RC5 and I found 2 issues regarding OpenID Connect 
claim release. I'd like a confirmation before making a PR for that.

1) I've created a custom scope with

cas.authn.oidc.userDefinedScopes.groups=groups

(a custom scope named "groups", with a claim "groups")

The attribute "groups" is correctly populated, and CAS asked the consent 
for scope "groups"; however, it did not release the claim.
After debugging, I found that the issue was here: 
https://github.com/apereo/cas/blob/991991fae/support/cas-server-support-oidc-core-api/src/main/java/org/apereo/cas/oidc/profile/OidcProfileScopeToAttributesFilter.java#L138
Actually, the variable "scopes" contained "groups", but 
"attributeReleasePolicies" contained "custom".

I could change getScopeType() to getScopeName() here, 
<https://github.com/apereo/cas/blob/991991fae/support/cas-server-support-oidc-core-api/src/main/java/org/apereo/cas/oidc/profile/OidcProfileScopeToAttributesFilter.java#L176>
 
however it was a recent change from PR 
https://github.com/apereo/cas/pull/3916, so I guess there was a reason for 
that...

2) I've created a claim mapping:

cas.authn.oidc.claimsMap.email=mail

(mapping claim "email" to my attribute "mail")
The attribute "mail" is resolved, then the claim "email" is created, mapped 
to "mail".
However, when I debug "BaseOidcScopeAttributeReleasePolicy", I find that my 
resolved attribute is "email" (it has already been mapped).
Then, in the function "mapClaimToAttribute", no value is found for my 
attribute, because it looks for an attribute named "mail".

I suppose it could be a recent regression from commit 1f4e968fa0.

Regards

-- 
You received this message because you are subscribed to the Google Groups "CAS 
Developer" group.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-dev/f5924de8-e3de-406c-9e13-c49aa68e41af%40apereo.org.
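The two lookups the post describes, reduced to a stand-alone model. This is an added example, not code from the post and not CAS's own code: the class `ScopePolicy`, the function names, the dictionary shapes and the sample attribute values are all assumptions made to show (1) what goes wrong when user-defined scopes are indexed by scope type ("custom") instead of scope name ("groups"), and (2) why a claim looked up under its configured attribute name ("mail") is not found once the resolved attributes have already been renamed to claim names ("email"). The lenient lookup at the end is one possible workaround, not the fix CAS adopted.

```python
"""Toy model of the OIDC scope-to-claim and claim-to-attribute lookups.

Constructed example: names, data shapes and values are assumptions, not CAS code.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass
class ScopePolicy:
    """Release policy for one scope (hypothetical shape)."""
    scope_name: str    # e.g. "groups", from cas.authn.oidc.userDefinedScopes.groups
    scope_type: str    # e.g. "custom", shared by every user-defined scope
    claims: List[str]  # claims this scope releases


def index_policies(policies: Iterable[ScopePolicy], by: str) -> Dict[str, ScopePolicy]:
    """Index policies by scope 'name' or scope 'type'.

    Keying by type collapses every user-defined scope onto the single key
    "custom", so a requested scope "groups" never finds its policy.
    """
    if by not in ("name", "type"):
        raise ValueError("by must be 'name' or 'type'")
    return {(p.scope_name if by == "name" else p.scope_type): p for p in policies}


def release_claims(requested_scopes: Iterable[str],
                   policies: Iterable[ScopePolicy],
                   attributes: Dict[str, object],
                   by: str) -> Dict[str, object]:
    """Release the claims of every requested scope whose policy can be found."""
    index = index_policies(policies, by)
    released: Dict[str, object] = {}
    for scope in requested_scopes:
        policy = index.get(scope)
        if policy is None:
            continue  # consent was asked for the scope, but nothing is released
        for claim in policy.claims:
            if claim in attributes:
                released[claim] = attributes[claim]
    return released


def rename_attributes_to_claims(attributes: Dict[str, object],
                                claims_map: Dict[str, str]) -> Dict[str, object]:
    """First pass: rename resolved attributes to claim names (mail -> email).

    claims_map is {claim: attribute}, as in cas.authn.oidc.claimsMap.email=mail.
    """
    attr_to_claim = {attr: claim for claim, attr in claims_map.items()}
    return {attr_to_claim.get(name, name): value for name, value in attributes.items()}


def map_claim_to_attribute_strict(claim: str,
                                  attributes: Dict[str, object],
                                  claims_map: Dict[str, str]) -> Optional[object]:
    """Look only under the configured attribute name; misses after renaming."""
    return attributes.get(claims_map.get(claim, claim))


def map_claim_to_attribute_lenient(claim: str,
                                   attributes: Dict[str, object],
                                   claims_map: Dict[str, str]) -> Optional[object]:
    """Accept the already-mapped claim name or the raw attribute name (assumed fix)."""
    for name in (claim, claims_map.get(claim, claim)):
        if name in attributes:
            return attributes[name]
    return None


if __name__ == "__main__":
    # Constructed sample data matching the post's configuration.
    policies = [ScopePolicy("groups", "custom", ["groups"])]
    attrs = {"groups": ["admins"], "mail": "[email protected]"}
    print("by type:", release_claims(["groups"], policies, attrs, "type"))
    print("by name:", release_claims(["groups"], policies, attrs, "name"))
    cmap = {"email": "mail"}
    renamed = rename_attributes_to_claims({"mail": "[email protected]"}, cmap)
    print("strict:", map_claim_to_attribute_strict("email", renamed, cmap))
    print("lenient:", map_claim_to_attribute_lenient("email", renamed, cmap))
```

Running the block prints an empty release for the type-keyed index and the "groups" value for the name-keyed one, then `None` for the strict claim lookup against the already-renamed attributes and the mail value for the lenient lookup.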