I am using the oauth2 client-credentials grant type, and am having trouble
figuring out how to add attributes into the generated JWT.
My service definition is:
[
OAuthRegisteredService(
super=AbstractRegisteredService(
serviceId=abcdef,
name=API Test,
theme=null,
informationUrl=null,
privacyUrl=null,
responseType=null,
id=-8936606407628949180,
description=null,
expirationPolicy=DefaultRegisteredServiceExpirationPolicy(
deleteWhenExpired=false,
notifyWhenDeleted=false,
notifyWhenExpired=false,
expirationDate=null
),
acceptableUsagePolicy=DefaultRegisteredServiceAcceptableUsagePolicy(
enabled=true,
messageCode=null,
text=null
),
proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1,
proxyTicketExpirationPolicy=null,
proxyGrantingTicketExpirationPolicy=null,
serviceTicketExpirationPolicy=null,
singleSignOnParticipationPolicy=null,
evaluationOrder=0,
usernameAttributeProvider=org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider@87297e2,
logoutType=BACK_CHANNEL,
environments=[],
attributeReleasePolicy=ReturnAllowedAttributeReleasePolicy(
super=AbstractRegisteredServiceAttributeReleasePolicy(
attributeFilter=null,
principalAttributesRepository=DefaultPrincipalAttributesRepository(),
consentPolicy=DefaultRegisteredServiceConsentPolicy(
enabled=true,
excludedAttributes=null,
includeOnlyAttributes=null,
order=0
),
authorizedToReleaseCredentialPassword=false,
authorizedToReleaseProxyGrantingTicket=false,
excludeDefaultAttributes=false,
authorizedToReleaseAuthenticationAttributes=true,
principalIdAttribute=null,
order=0
),
allowedAttributes=[myName]
),
multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(
multifactorAuthenticationProviders=[],
failureMode=UNDEFINED,
principalAttributeNameTrigger=null,
principalAttributeValueToMatch=null,
bypassEnabled=false,
forceExecution=false,
bypassTrustedDeviceEnabled=false,
bypassPrincipalAttributeName=null,
bypassPrincipalAttributeValue=null,
script=null
),
logo=null,
logoutUrl=null,
redirectUrl=null,
accessStrategy=DefaultRegisteredServiceAccessStrategy(
order=0,
enabled=true,
ssoEnabled=true,
unauthorizedRedirectUrl=null,
delegatedAuthenticationPolicy=DefaultRegisteredServiceDelegatedAuthenticationPolicy(
allowedProviders=[],
permitUndefined=true,
exclusive=false
),
requireAllAttributes=true,
requiredAttributes={},
rejectedAttributes={},
caseInsensitive=false
),
publicKey=null,
authenticationPolicy=DefaultRegisteredServiceAuthenticationPolicy(
requiredAuthenticationHandlers=[],
criteria=AnyAuthenticationHandlerRegisteredServiceAuthenticationPolicyCriteria(
tryAll=false
)
),
properties={
*permissions=DefaultRegisteredServiceProperty(values=[1373037743]),
claims=DefaultRegisteredServiceProperty(values=[1366926713])*,
accessTokenAsJwtSigningKey=DefaultRegisteredServiceProperty(
values=[classpath:/etc/cas/config/cas-private.key]
),
accessTokenAsJwtSigningEnabled=DefaultRegisteredServiceProperty(
values=[true]
),
*myName=DefaultRegisteredServiceProperty(values=[583852201])*
},
contacts=[]
),
clientSecret=def,
clientId=abc,
bypassApprovalPrompt=false,
generateRefreshToken=false,
renewRefreshToken=false,
jwtAccessToken=true,
codeExpirationPolicy=null,
accessTokenExpirationPolicy=null,
refreshTokenExpirationPolicy=null,
deviceTokenExpirationPolicy=null,
supportedGrantTypes=[client_credentials],
supportedResponseTypes=[]
)
]
The jwt token that gets created is:
{
"sub": "abc",
"oauthClientId": "abc",
"roles":[],
"iss": "https://localhost:7001/cas";,
"nonce": "",
"client_id": "abc",
"aud": "abc",
"grant_type": "CLIENT_CREDENTIALS",
"permissions":[],
"scope":[],
"claims":[],
"scopes":[],
"state": "",
"exp": 1628045011,
"iat": 1628016211,
"jti": "AT-2-vjOSaRnTRYfARo-fX-ZVsDB-dLVLjBRz"
}
As a test I'm trying to get a property myName to show up in the jwt token.
I'm ultimately trying to populate the permissions property.
When using other grant types such as password, I'm able add custom
attributes to the jwt token just fine. I'm using REST authentication, so I
can just return custom attributes in the response to CAS's login call.
However, since CAS doesn't make a REST authentication call for
client_credentials, that technique doesn't help here. In this case, I'm
using a RESTful Service Registry
(https://apereo.github.io/cas/6.3.x/services/REST-Service-Management.html)
in case that's relevant.
Thanks for any ideas or insights,
Ken
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/f32a0e86-62b4-4273-baed-8e27c5758a21n%40apereo.org.
