Hi there, I am using CAS 6.4.4, OIDC flow with custom scope and attributes
This is what I expected to see: if the authHandler puts in the attributes (mapped to claims) required by a scope, access token introspection will show that the token has that scope; otherwise, it will not show the scope. For instance, a client requests the readOrders and writeOrders scopes, and the app does support both, but the authHandler may determine that the login user can only have readOrders permission but not writeOrders permission, and therefore does not set the attributes required for writeOrders. Such an access token obtained as a result of the OIDC flow should have the readOrders scope but not the writeOrders scope.

But in reality, my token always shows both the readOrders AND writeOrders scopes, even if the attribute release for the writeOrders scope is null (and thus not released). Did I misunderstand scope/claim/attributes in some way?

Thanks,
Yan

    cas.authn.oidc.discovery.scopes=openid,email,profile,readOrders,writeOrders
    cas.authn.oidc.core.userDefinedScopes.readOrders=readOrders
    cas.authn.oidc.core.userDefinedScopes.writeOrders=writeOrders
    cas.authn.oidc.discovery.claims=sub,name,preferred_username,family_name, \
        given_name,middle_name,profile, \
        picture,nickname,website,zoneinfo,locale,updated_at,birthdate, \
        email,email_verified,phone_number,phone_number_verified,address, \
        readOrders,writeOrders
    cas.authn.oidc.core.claimsMap.readOrders=readOrders
    cas.authn.oidc.core.claimsMap.writeOrders=writeOrders

And the authHandler sets attributes:

    import java.security.GeneralSecurityException;
    import java.util.HashMap;
    import java.util.List;
    import java.util.Map;

    import org.apereo.cas.authentication.AuthenticationHandlerExecutionResult;
    import org.apereo.cas.authentication.credential.UsernamePasswordCredential;
    import org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler;
    import org.apereo.cas.authentication.principal.Principal;

    public class MyAuthenticationHandler extends AbstractUsernamePasswordAuthenticationHandler {

        @Override
        protected AuthenticationHandlerExecutionResult authenticateUsernamePasswordInternal(
                final UsernamePasswordCredential credential, final String originalPassword)
                throws GeneralSecurityException {
            // credential validation and the lookup of `user` are elided in the original post
            final Map<String, List<Object>> attributes = new HashMap<>();
            if (doesNotHaveWritePermission(...)) {
                // read-only user: only the attribute behind the readOrders scope is set
                attributes.put("readOrders", List.of("true"));
            } else {
                attributes.put("readOrders", List.of("true"));
                attributes.put("writeOrders", List.of("true"));
            }
            final Principal principal = this.principalFactory.createPrincipal(user.getLoginName(), attributes);
            return createHandlerResult(credential, principal);
        }
    }

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/2a632b6f-3c49-4acc-a634-974ab103f32en%40apereo.org.
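Added example, not part of the original post and not CAS's own code: a small stand-alone Python model of the two decisions involved here, granting scopes on the access token and releasing claims for those scopes. It reproduces the outcome the post reports (both readOrders and writeOrders appear in introspection while only the readOrders claim is released for a read-only user) and shows the check a resource server can make so that the presence of the writeOrders scope alone does not grant write access. The SCOPE_CLAIMS table, the service_allowed set, the sample attribute maps and all function names are assumptions of this example; only the scope and claim names come from the configuration in the post.

```python
"""Model of OIDC scope grant vs. claim release (assumed model, not CAS source)."""
from typing import Dict, List, Set

# Scope -> claims that scope carries. Mirrors the userDefinedScopes/claimsMap
# entries in the post; the standard-scope rows are assumptions of this example.
SCOPE_CLAIMS: Dict[str, Set[str]] = {
    "openid": set(),
    "profile": {"name", "preferred_username", "given_name", "family_name"},
    "email": {"email", "email_verified"},
    "readOrders": {"readOrders"},
    "writeOrders": {"writeOrders"},
}


def granted_scopes(requested: List[str], service_allowed: Set[str]) -> List[str]:
    """Scope grant is a decision between the client request and the service's
    policy; in this model it never looks at the principal's attributes."""
    return [s for s in requested if s in service_allowed]


def released_claims(scopes: List[str], attributes: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Claim release walks the granted scopes and emits only those mapped claims
    that actually exist (and are non-empty) on the principal."""
    claims: Dict[str, List[str]] = {}
    for scope in scopes:
        for claim in sorted(SCOPE_CLAIMS.get(scope, set())):
            values = attributes.get(claim)
            if values:
                claims[claim] = values
    return claims


def introspect(requested: List[str], service_allowed: Set[str],
               attributes: Dict[str, List[str]]) -> Dict[str, object]:
    """Constructed introspection-style view of a token: scope string plus claims."""
    scopes = granted_scopes(requested, service_allowed)
    return {
        "active": True,
        "scope": " ".join(scopes),
        "claims": released_claims(scopes, attributes),
    }


def may_write_orders(introspection: Dict[str, object]) -> bool:
    """Resource-server check: require the writeOrders scope AND the released
    writeOrders claim, so a scope that was merely requested does not authorize."""
    scope_ok = "writeOrders" in str(introspection["scope"]).split()
    claims = introspection["claims"]
    claim_ok = isinstance(claims, dict) and claims.get("writeOrders") == ["true"]
    return scope_ok and claim_ok


# Constructed sample data: the client asks for both order scopes and the
# registered service permits them; the handler set attributes per user.
REQUESTED = ["openid", "readOrders", "writeOrders"]
SERVICE_ALLOWED = {"openid", "profile", "email", "readOrders", "writeOrders"}
READ_ONLY_USER = {"readOrders": ["true"]}                       # writeOrders never set
FULL_USER = {"readOrders": ["true"], "writeOrders": ["true"]}


def demo() -> Dict[str, bool]:
    """Returns the write decision for each constructed user."""
    return {
        "read_only": may_write_orders(introspect(REQUESTED, SERVICE_ALLOWED, READ_ONLY_USER)),
        "full": may_write_orders(introspect(REQUESTED, SERVICE_ALLOWED, FULL_USER)),
    }


if __name__ == "__main__":
    for label, attrs in (("read-only", READ_ONLY_USER), ("full", FULL_USER)):
        view = introspect(REQUESTED, SERVICE_ALLOWED, attrs)
        print(label, "->", view, "| may write:", may_write_orders(view))
```

In this model the scope string is identical for both users, which is the observation in the post; what differs is the released claim, so a resource server that keys write authorization on the claim (or on both scope and claim) reaches the intended decision even though the scope list does not shrink.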