Hi there,

I am using CAS 6.4.4, OIDC flow with custom scope and attributes

This is what I expected to see:  if authHandler puts in attributes (mapped 
to claims) required by the scope, access token introspection will show the 
token has that scope, otherwise, it will not show the scope.

For instance, a client requests readOrders and writeOrders scope, and the 
app does support both, but the authHandler may determine that the login 
user can only have readOrders permission but not writeOrders permission, 
and therefore, does not set the attributes required for writeOrders. 

Such an access token obtained as a result of OIDC should have readOrders 
but not writeOrders scope.  But in reality, my token always shows 
both readOrders AND writeOrders scopes, even if the attribute release for 
writeOrders scope is null (and thus not released).

Did I misunderstand scope/claim/attributes in some way?

Thanks,
Yan

cas.authn.oidc.discovery.scopes=openid,email,profile,readOrders,writeOrders
cas.authn.oidc.core.userDefinedScopes.readOrders=readOrders
cas.authn.oidc.core.userDefinedScopes.writeOrders=writeOrders

cas.authn.oidc.discovery.claims=sub,name,preferred_username,family_name, \
    given_name,middle_name,profile, \
    picture,nickname,website,zoneinfo,locale,updated_at,birthdate, \
    email,email_verified,phone_number,phone_number_verified,address, \
    readOrders,writeOrders

cas.authn.oidc.core.claimsMap.readOrders=readOrders
cas.authn.oidc.core.claimsMap.writeOrders=writeOrders

And the authHandler sets attributes

public class MyAuthenticationHandler extends 
        AbstractUsernamePasswordAuthenticationHandler {

    @Override
    protected AuthenticationHandlerExecutionResult authenticateUsernamePasswordInternal(
            UsernamePasswordCredential credential, String originalPassword) {
        // user lookup and password check happen here; 'user' and
        // doesNotHaveWritePermission(...) are the poster's own helpers, not shown
        Map<String, List<Object>> attributes = new HashMap<>();
        if (doesNotHaveWritePermission(...)) {
            attributes.put("readOrders", List.of("true"));
        } else {
            attributes.put("readOrders", List.of("true"));
            attributes.put("writeOrders", List.of("true"));
        }

        // attributes become the principal's attributes, which CAS later maps to claims
        Principal principal = 
            this.principalFactory.createPrincipal(user.getLoginName(), attributes);
        return createHandlerResult(credential, principal);
    }
}

== END ==
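The following is an added illustrative model, not CAS source code and not part of the post, of how OIDC scopes and claims can diverge in the way described above. It assumes (this is an assumption about the server's behaviour, not something the post confirms) that the scopes recorded on an access token are derived only from the client's request and the service's allowed-scope policy, while the claims are derived from the released principal attributes. The SCOPE_CLAIMS and CLAIMS_MAP dictionaries are constructed to mirror the properties in the post; effective_scopes() shows the narrowing the poster expected, computed on the consumer side from the released claims, and may_write_orders() shows a resource-server check keyed on the claim rather than on the scope string.

```python
# Illustrative model of OIDC scope-vs-claim handling. Added example code,
# not CAS internals. Assumption: scopes on the token come from the request
# and service policy only; claims come from released principal attributes.
from typing import Dict, List

# Constructed: scope -> claims that scope releases (standard + user-defined).
SCOPE_CLAIMS: Dict[str, List[str]] = {
    "openid": [],
    "email": ["email", "email_verified"],
    "profile": ["name", "preferred_username", "given_name", "family_name"],
    "readOrders": ["readOrders"],    # cas.authn.oidc.core.userDefinedScopes.readOrders
    "writeOrders": ["writeOrders"],  # cas.authn.oidc.core.userDefinedScopes.writeOrders
}

# Constructed: claim -> principal attribute (cas.authn.oidc.core.claimsMap.*).
CLAIMS_MAP: Dict[str, str] = {"readOrders": "readOrders", "writeOrders": "writeOrders"}


def granted_scopes(requested: List[str], service_allowed: List[str]) -> List[str]:
    """Scopes recorded on the access token.

    Only the client request and the service's allowed-scope policy are consulted;
    whether the principal actually carries the attributes behind a scope is not.
    This is the modelled reason a read-only user still gets 'writeOrders' in scope.
    """
    return [s for s in requested if s in SCOPE_CLAIMS and s in service_allowed]


def released_claims(scopes: List[str],
                    attributes: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Claims emitted for the token: a claim appears only if its scope was granted
    AND the mapped principal attribute exists with a non-empty value."""
    claims: Dict[str, List[str]] = {}
    for scope in scopes:
        for claim in SCOPE_CLAIMS.get(scope, []):
            attr = CLAIMS_MAP.get(claim, claim)
            values = attributes.get(attr)
            if values:  # null / empty attribute -> claim not released
                claims[claim] = list(values)
    return claims


def introspect(requested: List[str], service_allowed: List[str],
               attributes: Dict[str, List[str]]) -> dict:
    """Model of an introspection response: scope string plus released claims."""
    scopes = granted_scopes(requested, service_allowed)
    return {
        "active": True,
        "scope": " ".join(scopes),
        "claims": released_claims(scopes, attributes),
    }


def effective_scopes(response: dict) -> List[str]:
    """The narrowing the post expected, done by the token consumer: keep a scope
    only if every claim it maps to was actually released ('openid' maps to none)."""
    kept: List[str] = []
    for scope in response["scope"].split():
        needed = SCOPE_CLAIMS.get(scope, [])
        if all(claim in response["claims"] for claim in needed):
            kept.append(scope)
    return kept


def may_write_orders(response: dict) -> bool:
    """Resource-server authorization keyed on the released claim, not on the
    presence of 'writeOrders' in the scope string."""
    return response["claims"].get("writeOrders") == ["true"]


if __name__ == "__main__":
    requested = ["openid", "readOrders", "writeOrders"]
    allowed = ["openid", "email", "profile", "readOrders", "writeOrders"]
    # Constructed attributes for the read-only user from the post.
    read_only_user = {"readOrders": ["true"]}
    resp = introspect(requested, allowed, read_only_user)
    print(resp["scope"])             # openid readOrders writeOrders
    print(resp["claims"])            # {'readOrders': ['true']}
    print(effective_scopes(resp))    # ['openid', 'readOrders']
    print(may_write_orders(resp))    # False
```

Run as a script it prints the read-only case: the scope string still lists writeOrders, the claims do not, effective_scopes() drops writeOrders, and may_write_orders() returns False. The practical point for a relying party is that, under this model, an authorization decision has to be made on the released claim (or on a scope set re-derived from the claims), because the scope string alone does not reflect which attributes the handler withheld.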
