Dear community,
I have set up the following:
- CAS 5.2 from a Maven overlay
- JDBC query authentication with custom attributes.
- All custom attributes are added to cas.authn.attributeRepository.defaultAttributesToRelease
- A JSON service to allow using CAS from Moodle
- It includes the following to release all attributes and disable consent:
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "principalAttributesRepository": {
      "@class": "org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository",
      "expiration": 2,
      "timeUnit": "HOURS"
    },
    "consentPolicy": {
      "@class": "org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy",
      "enabled": false
    },
    "authorizedToReleaseAuthenticationAttributes": true
  }
- OIDC configuration in cas.properties:
  - cas.authn.oidc.scopes=openid,mycustom
  - cas.authn.oidc.claims=openid,sub,name,preferred_username,family_name,given_name,middle_name,given_name,nickname,email
  - I created a mapping for all these claims using my custom attributes
  - All custom attributes are listed in cas.authn.oidc.userDefinedScopes.mycustom
  - For each custom attribute in JDBC, I have a mapping even if they have the same name, so it should not be required
- A JSON service to allow the test OIDC client
  - It includes the same attribute release policy block
  - It also includes the custom scope: "scopes": [ "java.util.HashSet", [ "mycustom" ] ]
I can log in both with the CAS login page and from my Moodle. The authentication works and the attributes are resolved properly.
The problems are as follows:
- Testing OIDC using https://bitbucket.org/connect2id/openid-connect-dev-client brings me to the login page; authentication is working and the attributes are properly fetched.
- I am sure about that, as the consent page is shown with all the attributes and the proper values from my DB. The issue is that the enabled flag is set to false in my JSON.
- On accept, an error is shown about an improper login time. The Java is more interesting:
  Error: Exception thrown executing org.apereo.cas.web.flow.ConfirmConsentAction@39d73eea in state 'confirmAttributeConsent' of flow 'login' -- action execution attributes were 'map[[empty]]'
- Starting the server with debug messages shows that the OIDC client service is properly loaded. I can see my values in the console. After the first load, a message is shown about scope/claim reconciliation. In that new message the content block is replaced by:
  [excludeAttributes=<null>,includeOnlyAttributes=<null>,enabled=true]
- Reconciliation always ends with null,null,true regardless of the JSON content
- authorizedToReleaseAuthenticationAttributes after reconciliation matches what is in the JSON
What am I doing wrong? I have some suspicions about the following, but I failed to assert them properly.
- It looks like the JDBC query expects some predefined and default fields and names, but I have not found the exact list of these. The doc mentions expected table fields, but they do not match things like displayName or cn or uid.
- The openid scope has mandatory attributes. How are they mapped to the defaults from CAS? I have defined a mapping for those and added them to cas.authn.oidc.claims.
- Could the issue be related to recent commits?
  - https://github.com/apereo/cas/commit/8cd83063c277f7c58a1921953cc1d13cc257a0e9 (OIDC claims filtering)
  - https://github.com/apereo/cas/commit/e89bdcab4d877fb3e5ad3b6d5ccf0b96f94275aa (window hour checking)
As a more general question, how would you set up Apereo CAS so that it:
- Validates from JDBC only and fetches a set of custom attributes (done)
- Releases all these attributes acting as an OIDC or SAML2 provider. No consent, no filtering, no subset release. All attributes, plain and simple.
Thanks in advance for your answers,
JM
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/abbe9fca-88ed-47e4-b8dd-a047a9d5e2e8%40apereo.org.
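As an added example, not taken from the post above and not the CAS project's own sample, the pieces the poster describes pulled together into one complete CAS 5.2 OIDC service definition: the custom scope is declared on the service alongside openid, the release policy lists the attributes explicitly instead of relying only on defaultAttributesToRelease, and the consent policy sits inside the attribute release policy with enabled set to false. The client id, client secret, serviceId pattern, numeric id, and the attribute names uid, mail and displayName are placeholders chosen for the illustration; swap in the column names your JDBC query actually returns.

```json
{
  "@class": "org.apereo.cas.services.OidcRegisteredService",
  "clientId": "moodle-test-client",
  "clientSecret": "change-me-before-deploying",
  "serviceId": "^https://client\\.example\\.org/.*",
  "name": "OIDC test client",
  "id": 1000,
  "scopes": [ "java.util.HashSet", [ "openid", "mycustom" ] ],
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes": [ "java.util.ArrayList", [ "uid", "mail", "displayName" ] ],
    "consentPolicy": {
      "@class": "org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy",
      "enabled": false
    },
    "authorizedToReleaseAuthenticationAttributes": true
  }
}
```

The matching cas.properties lines for this example, again with the same placeholder attribute names, would be cas.authn.oidc.scopes=openid,mycustom, cas.authn.oidc.userDefinedScopes.mycustom=uid,mail,displayName, and a claim-to-attribute mapping per standard claim such as cas.authn.oidc.claimsMap.email=mail, cas.authn.oidc.claimsMap.preferred_username=uid and cas.authn.oidc.claimsMap.name=displayName. Two things worth checking against the poster's setup when comparing: the service's scopes set here includes openid as well as mycustom (the post lists only mycustom), and the serviceId pattern is anchored and the dots escaped so the regular expression does not match unrelated redirect URIs.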