Hi,
I noticed the same behavior.
Version: 6.4.4.2

`cas.authn.oidc.core.include-id-token-claims=true` allows the claims to be 
included in the token, but with the wrong names. 

Rodolphe


On Tuesday, January 11, 2022 at 20:01:46 UTC+1, John Wagenleitner wrote:

> Hi Frédéric,
>
> Thanks for the reply. In our case the claims are being included in the ID 
> Token, they just don't have the names we mapped and instead have the names 
> as they come from our attribute store. We are using `response_type=code` and 
> a `scope=openid`.
>
> I had not tried `cas.authn.oidc.core.include-id-token-claims=true` since 
> the docs mentioned that is the default setting. I just tested again with it 
> set to `true` and there is no change, the claims appear in the ID Token but 
> not with the desired names. I also tried with it set to `false` and in that 
> case the claims did not appear in the ID Token.
>
> John
>
> On Tue, Jan 11, 2022 at 12:57 AM Frédéric Lohier <[email protected]> 
> wrote:
>
>> Hello,
>>
>> Have you tried to set cas.authn.oidc.core.include-id-token-claims=true?
>>
>> According to the OIDC spec, if you are using response_type=code, the 
>> id_token should not contain the user claims. But, if you are using 
>> response_type=id_token, then the id_token should include the user claims.
>> According to the CAS 6.4 doc, if you set 
>> cas.authn.oidc.core.include-id-token-claims=true, it will force the 
>> release of user claims in the id_token.
>> However, in my tests with CAS 6.4.4.2, even with response_type=id_token, 
>> user claims are not included in the id_token (tried to GET a URL like 
>> https://mycasserver.com/cas/oidc/oidcAuthorize?response_type=id_token&client_id=myclient&scope=openid%20profile%20email&redirect_uri=https://serviceredirecturi).
>>  
>> Not a blocker for me for the moment, but if you find a fix, I'm interested.
>>
>> Here is the relevant documentation: 
>> https://apereo.github.io/cas/6.4.x/authentication/OIDC-Authentication-Claims.html#configuration
>>
>>    - cas.authn.oidc.core.include-id-token-claims=true
>>
>> As per OpenID Connect Core section 5.4, "The Claims requested by the 
>> profile, email, address, and phone scope values are returned from the 
>> userinfo endpoint", except for response_type=id_token, where they are 
>> returned in the id_token (as there is no access token issued that could be 
>> used to access the userinfo endpoint). The Claims requested by the profile, 
>> email, address, and phone scope values are returned from the userinfo 
>> endpoint when a response_type value is used that results in an access 
>> token being issued. However, when no access token is issued (which is the 
>> case for the response_type value id_token), the resulting Claims are 
>> returned in the ID Token.
>>
>> Setting this flag to true will force CAS to include claims in the ID 
>> token regardless of the response type. Note that this setting MUST ONLY be 
>> used as a last resort, to stay compliant with the specification as much as 
>> possible. DO NOT use this setting without due consideration.
>>
>> Note that this setting is set to true by default mainly provided to 
>> preserve backward compatibility with previous CAS versions that included 
>> claims into the ID token without considering the response type. The 
>> behavior of this setting may change and it may be removed in future CAS 
>> releases.
>>
>> On Tue, Jan 11, 2022 at 5:28 AM John Wagenleitner <
>> [email protected]> wrote:
>>
>>> In CAS v6.3 (up to and including v6.3.7.4) we used the 
>>> `cas.authn.oidc.claims-map` properties to map our LDAP attribute names to 
>>> the standard claim names. This mapping worked for both the ID Token and the 
>>> UserInfo (`/profile`) endpoint.
>>>
>>> Here are the relevant properties we have set:
>>>
>>> ```
>>> cas.authn.oidc.discovery.scopes=openid,profile,email
>>> cas.authn.oidc.discovery.claims=sub,name,family_name,given_name,email
>>> cas.authn.oidc.core.claims-map.email=mail
>>> cas.authn.oidc.core.claims-map.name=cn
>>> cas.authn.oidc.core.claims-map.family_name=sn
>>> cas.authn.oidc.core.claims-map.given_name=givenName
>>> ```
>>>
>>> This mapping is no longer working in CAS v6.4 (and also tested in the 
>>> latest v6.4.4.2) for the generated ID Token. Our ID Token claims no longer 
>>> contain the mapped names but instead contain the LDAP attribute names such 
>>> as `mail`, `cn`, etc. The UserInfo endpoint does correctly contain the 
>>> mapped claim names.
>>>
>>> As a possible workaround, I tried using a service definition that 
>>> included an `attributeReleasePolicy` using the 
>>> `ReturnMappedAttributeReleasePolicy` class but that had no effect on the ID 
>>> Token claim names.
>>>
>>> I have reviewed all the OIDC settings and didn't spot anything that 
>>> looks like it would address this issue.
>>>
>>> Any help/advice would be appreciated,
>>> John
>>>
>>> -- 
>>> - Website: https://apereo.github.io/cas
>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>> - List Guidelines: https://goo.gl/1VRrw7
>>> - Contributions: https://goo.gl/mh7qDG
>>> --- 
>>> You received this message because you are subscribed to the Google 
>>> Groups "CAS Community" group.
>>> To unsubscribe from this group and stop receiving emails from it, send 
>>> an email to [email protected].
>>> To view this discussion on the web visit 
>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/fdf662f8-e990-4b9a-b22a-57a6c643e0b1n%40apereo.org
>>>  
>>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/fdf662f8-e990-4b9a-b22a-57a6c643e0b1n%40apereo.org?utm_medium=email&utm_source=footer>
>>> .
>>>
>

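The thread's symptom (ID token carries the attribute-store names `mail`, `cn`, `sn`, `givenName` instead of the `claims-map` names) is easy to confirm or rule out with a small audit script. The following is an added example, not CAS code and not code from anyone in this thread: it parses the `cas.authn.oidc.core.claims-map.*` properties John posted, decodes a compact JWS payload without verifying it, and reports which mapped claim names are present, which are missing, and which raw attribute names appear in their place. The issuer, subject, client id and the whole ID token are constructed sample data; `make_unsigned_token` only exists to build that sample and must never be accepted as a real token.

```python
"""Audit whether an OIDC ID token's claim names match the configured
cas.authn.oidc.core.claims-map entries or leak raw attribute-store names.
Added example; not part of CAS. The properties and token below are constructed."""
import base64
import json

# Constructed cas.properties fragment mirroring the mapping from the thread.
CAS_PROPERTIES = """\
cas.authn.oidc.discovery.scopes=openid,profile,email
cas.authn.oidc.discovery.claims=sub,name,family_name,given_name,email
cas.authn.oidc.core.claims-map.email=mail
cas.authn.oidc.core.claims-map.name=cn
cas.authn.oidc.core.claims-map.family_name=sn
cas.authn.oidc.core.claims-map.given_name=givenName
"""

CLAIMS_MAP_PREFIX = "cas.authn.oidc.core.claims-map."


def parse_claims_map(properties: str) -> dict:
    """Return {standard_claim: source_attribute} from Java-properties text."""
    mapping = {}
    for raw in properties.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.startswith(CLAIMS_MAP_PREFIX):
            mapping[key[len(CLAIMS_MAP_PREFIX):]] = value
    return mapping


def _b64url_decode(segment: str) -> bytes:
    # JWS segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_payload(token: str) -> dict:
    """Decode the payload of a compact JWS WITHOUT checking its signature.
    Suitable only for inspecting claim names of a token you obtained from
    your own CAS; verify the signature before trusting any claim value."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def audit_claim_names(claims: dict, claims_map: dict) -> dict:
    """Compare token claim names with the configured mapping.
    raw_attribute_names lists source attributes that appear in the token
    while their mapped claim name is absent, i.e. the thread's symptom."""
    present = sorted(c for c in claims_map if c in claims)
    missing = sorted(c for c in claims_map if c not in claims)
    leaked = sorted(src for c, src in claims_map.items()
                    if src in claims and c not in claims)
    return {"mapped_present": present, "mapped_missing": missing,
            "raw_attribute_names": leaked}


def make_unsigned_token(payload: dict) -> str:
    """Build an alg=none token for this demo only (constructed sample data)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}."


# Constructed ID token reproducing the reported behaviour: attribute-store
# names appear instead of email, name, family_name and given_name.
BROKEN_ID_TOKEN = make_unsigned_token({
    "iss": "https://cas.example.test/cas/oidc",  # constructed issuer
    "sub": "jdoe", "aud": "myclient",
    "mail": "jdoe@example.test", "cn": "Jane Doe",
    "sn": "Doe", "givenName": "Jane",
})

if __name__ == "__main__":
    report = audit_claim_names(jwt_payload(BROKEN_ID_TOKEN),
                               parse_claims_map(CAS_PROPERTIES))
    print(json.dumps(report, indent=2))
```

Run it against a real token by replacing `BROKEN_ID_TOKEN` with the `id_token` value from your CAS response; the same `audit_claim_names` call works on the JSON returned by the UserInfo endpoint, which is the quickest way to see the two endpoints disagreeing as described above.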
