Hi, Do you know if this problem has been solved in 6.4.6 ?
Stéphane Le lun. 31 janv. 2022, 09:22, Rodolphe Prin <[email protected]> a écrit : > Hi, > I noticed the same behavior. > Version : 6.4.4.2 > > `cas.authn.oidc.core.include-id-token-claims=true` allows to get the > claims in the token, but with the wrong name. > > Rodolphe > > > Le mardi 11 janvier 2022 à 20:01:46 UTC+1, John Wagenleitner a écrit : > >> Hi Frédéric, >> >> Thanks for the reply. In our case the claims are being included in the ID >> Token, they just don't have the names we mapped and instead have the names >> as they come from our attribute store. We are using `respone_type=code` and >> a `scope=openid`. >> >> I had not tried `cas.authn.oidc.core.include-id-token-claims=true` since >> the docs mentioned that is the default setting. I just tested again with it >> set to `true` and there is no change, the claims appear in the ID Token but >> not with the desired names. I also tried with it set to `false` and in that >> case the claims did not appear in the ID Token. >> >> John >> >> On Tue, Jan 11, 2022 at 12:57 AM Frédéric Lohier <[email protected]> >> wrote: >> >>> Hello, >>> >>> Have you tried to set cas.authn.oidc.core.include-id-token-claims=true ? >>> >>> According to OIDC spec, if you are using response-type=code , the >>> id_token should not contain the user claims. But, if you are using >>> response_type=id_token, then the id_token should include the user claims. >>> According to CAS 6.4 doc, if you set >>> cas.authn.oidc.core.include-id-token-claims=true , it will force the >>> release of user claims in the id_token. >>> However, in my tests with CAS 6.4.4.2, even with response_type=id_token, >>> user claims are not included in the id_token (tried to GET an URL like >>> https://mycasserver.com/cas/oidc/oidcAuthorize?response_type=id_token&client_id=myclient&scope=openid%20profile%20email&redirect_uri=https://serviceredirecturi). >>> Not a blocker for me for the moment, but if you find a fix, I'm interested. >>> >>> Here is the relevant documentation : >>> https://apereo.github.io/cas/6.4.x/authentication/OIDC-Authentication-Claims.html#configuration >>> >>> - cas.authn.oidc.core.include-id-token-claims=true >>> >>> As per OpenID Connect Core section 5.4, "The Claims requested by the >>> profile, email, address, and phone scope values are returned from the >>> userinfo endpoint", except for response_type=id_token, where they are >>> returned in the id_token (as there is no access token issued that could be >>> used to access the userinfo endpoint). The Claims requested by the profile, >>> email, address, and phone scope values are returned from the userinfo >>> endpoint when a response_type value is used that results in an access >>> token being issued. However, when no access token is issued (which is the >>> case for the response_type value id_token), the resulting Claims are >>> returned in the ID Token. >>> >>> Setting this flag to true will force CAS to include claims in the ID >>> token regardless of the response type. Note that this setting MUST ONLY be >>> used as a last resort, to stay compliant with the specification as much as >>> possible. DO NOT use this setting without due consideration. >>> >>> Note that this setting is set to true by default mainly provided to >>> preserve backward compatibility with previous CAS versions that included >>> claims into the ID token without considering the response type. The >>> behavior of this setting may change and it may be removed in future CAS >>> releases. >>> >>> On Tue, Jan 11, 2022 at 5:28 AM John Wagenleitner < >>> [email protected]> wrote: >>> >>>> In CAS v6.3 (up to and including v6.3.7.4) we used the >>>> `cas.authn.oidc.claims-map` properties to map our LDAP attribute names to >>>> the standard claim names. This mapping worked for both the ID Token and the >>>> UserInfo (`/profile`) endpoint. >>>> >>>> Here are the relevant properties we have set: >>>> >>>> ``` >>>> cas.authn.oidc.discovery.scopes=openid,profile,email >>>> cas.authn.oidc.discovery.claims=sub,name,family_name,given_name,email >>>> cas.authn.oidc.core.claims-map.email=mail >>>> cas.authn.oidc.core.claims-map.name=cn >>>> cas.authn.oidc.core.claims-map.family_name=sn >>>> cas.authn.oidc.core.claims-map.given_name=givenName >>>> ``` >>>> >>>> This mapping is no longer working in CAS v6.4 (and also tested in the >>>> latest v6.4.4.2) for the generated ID Token. Our ID Token claims no longer >>>> contain the mapped names but instead contain the LDAP attribute names such >>>> as `mail`, `cn`, etc. The UserInfo endpoint does correctly contain the >>>> mapped claim names. >>>> >>>> As a possible workaround, I tried using a service definition that >>>> included an `attributeReleasePolicy` using the >>>> `ReturnMappedAttributeReleasePolicy` class but that had no affect on the ID >>>> Token claim names. >>>> >>>> I have reviewed all the OIDC settings and didn't spot anything that >>>> looks like it would address this issue. >>>> >>>> Any help/advice would be appreciated, >>>> John >>>> >>>> -- >>>> - Website: https://apereo.github.io/cas >>>> - Gitter Chatroom: https://gitter.im/apereo/cas >>>> - List Guidelines: https://goo.gl/1VRrw7 >>>> - Contributions: https://goo.gl/mh7qDG >>>> --- >>>> You received this message because you are subscribed to the Google >>>> Groups "CAS Community" group. >>>> To unsubscribe from this group and stop receiving emails from it, send >>>> an email to [email protected]. >>>> To view this discussion on the web visit >>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/fdf662f8-e990-4b9a-b22a-57a6c643e0b1n%40apereo.org >>>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/fdf662f8-e990-4b9a-b22a-57a6c643e0b1n%40apereo.org?utm_medium=email&utm_source=footer> >>>> . >>>> >>> -- >>> - Website: https://apereo.github.io/cas >>> - Gitter Chatroom: https://gitter.im/apereo/cas >>> - List Guidelines: https://goo.gl/1VRrw7 >>> - Contributions: https://goo.gl/mh7qDG >>> --- >>> >> You received this message because you are subscribed to a topic in the >>> Google Groups "CAS Community" group. >>> To unsubscribe from this topic, visit >>> https://groups.google.com/a/apereo.org/d/topic/cas-user/gqYDgnT2T5o/unsubscribe >>> . >>> To unsubscribe from this group and all its topics, send an email to >>> [email protected]. >>> To view this discussion on the web visit >>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/CALRGK0qskgHk3fpbRKEqJ1CHZNYHByEJQjFj9%2BSyk%2BBMOr2V8g%40mail.gmail.com >>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/CALRGK0qskgHk3fpbRKEqJ1CHZNYHByEJQjFj9%2BSyk%2BBMOr2V8g%40mail.gmail.com?utm_medium=email&utm_source=footer> >>> . >>> >> -- > - Website: https://apereo.github.io/cas > - Gitter Chatroom: https://gitter.im/apereo/cas > - List Guidelines: https://goo.gl/1VRrw7 > - Contributions: https://goo.gl/mh7qDG > --- > You received this message because you are subscribed to the Google Groups > "CAS Community" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/a/apereo.org/d/msgid/cas-user/051090c9-8870-4075-8416-3380752f9d86n%40apereo.org > <https://groups.google.com/a/apereo.org/d/msgid/cas-user/051090c9-8870-4075-8416-3380752f9d86n%40apereo.org?utm_medium=email&utm_source=footer> > . > -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAENLzaZSxDzKvXzD99ukkb1bKCSskyqm36znAVB5sJSKk1DJbw%40mail.gmail.com.
