I haven't tried v6.4.6, but the same problem does still occur with v6.5.0.

On Sat, Mar 5, 2022, 11:22 PM Stef <[email protected]> wrote:

> Hi,
>
> Do you know if this problem has been solved in 6.4.6?
>
> Stéphane
>
> On Mon, Jan 31, 2022, 09:22, Rodolphe Prin <[email protected]> wrote:
>
>> Hi,
>> I noticed the same behavior.
>> Version: 6.4.4.2
>>
>> `cas.authn.oidc.core.include-id-token-claims=true` allows getting the
>> claims in the token, but with the wrong name.
>>
>> Rodolphe
>>
>> On Tuesday, January 11, 2022 at 20:01:46 UTC+1, John Wagenleitner wrote:
>>
>>> Hi Frédéric,
>>>
>>> Thanks for the reply. In our case the claims are being included in the
>>> ID Token, they just don't have the names we mapped and instead have the
>>> names as they come from our attribute store. We are using
>>> `response_type=code` and a `scope=openid`.
>>>
>>> I had not tried `cas.authn.oidc.core.include-id-token-claims=true` since
>>> the docs mentioned that is the default setting. I just tested again with it
>>> set to `true` and there is no change, the claims appear in the ID Token but
>>> not with the desired names. I also tried with it set to `false` and in that
>>> case the claims did not appear in the ID Token.
>>>
>>> John
>>>
>>> On Tue, Jan 11, 2022 at 12:57 AM Frédéric Lohier <[email protected]> wrote:
>>>
>>>> Hello,
>>>>
>>>> Have you tried to set cas.authn.oidc.core.include-id-token-claims=true?
>>>>
>>>> According to the OIDC spec, if you are using response_type=code, the
>>>> id_token should not contain the user claims. But, if you are using
>>>> response_type=id_token, then the id_token should include the user claims.
>>>> According to the CAS 6.4 doc, if you set
>>>> cas.authn.oidc.core.include-id-token-claims=true, it will force the
>>>> release of user claims in the id_token.
>>>> However, in my tests with CAS 6.4.4.2, even with
>>>> response_type=id_token, user claims are not included in the id_token (tried
>>>> to GET a URL like
>>>> https://mycasserver.com/cas/oidc/oidcAuthorize?response_type=id_token&client_id=myclient&scope=openid%20profile%20email&redirect_uri=https://serviceredirecturi).
>>>> Not a blocker for me for the moment, but if you find a fix, I'm interested.
>>>>
>>>> Here is the relevant documentation:
>>>> https://apereo.github.io/cas/6.4.x/authentication/OIDC-Authentication-Claims.html#configuration
>>>>
>>>> - cas.authn.oidc.core.include-id-token-claims=true
>>>>
>>>> As per OpenID Connect Core section 5.4, "The Claims requested by the
>>>> profile, email, address, and phone scope values are returned from the
>>>> userinfo endpoint", except for response_type=id_token, where they are
>>>> returned in the id_token (as there is no access token issued that could be
>>>> used to access the userinfo endpoint). The Claims requested by the profile,
>>>> email, address, and phone scope values are returned from the userinfo
>>>> endpoint when a response_type value is used that results in an access
>>>> token being issued. However, when no access token is issued (which is the
>>>> case for the response_type value id_token), the resulting Claims are
>>>> returned in the ID Token.
>>>>
>>>> Setting this flag to true will force CAS to include claims in the ID
>>>> token regardless of the response type. Note that this setting MUST ONLY be
>>>> used as a last resort, to stay compliant with the specification as much as
>>>> possible. DO NOT use this setting without due consideration.
>>>>
>>>> Note that this setting is set to true by default, mainly provided to
>>>> preserve backward compatibility with previous CAS versions that included
>>>> claims into the ID token without considering the response type. The
>>>> behavior of this setting may change and it may be removed in future CAS
>>>> releases.
>>>>
>>>> On Tue, Jan 11, 2022 at 5:28 AM John Wagenleitner <[email protected]> wrote:
>>>>
>>>>> In CAS v6.3 (up to and including v6.3.7.4) we used the
>>>>> `cas.authn.oidc.claims-map` properties to map our LDAP attribute names to
>>>>> the standard claim names. This mapping worked for both the ID Token and the
>>>>> UserInfo (`/profile`) endpoint.
>>>>>
>>>>> Here are the relevant properties we have set:
>>>>>
>>>>> ```
>>>>> cas.authn.oidc.discovery.scopes=openid,profile,email
>>>>> cas.authn.oidc.discovery.claims=sub,name,family_name,given_name,email
>>>>> cas.authn.oidc.core.claims-map.email=mail
>>>>> cas.authn.oidc.core.claims-map.name=cn
>>>>> cas.authn.oidc.core.claims-map.family_name=sn
>>>>> cas.authn.oidc.core.claims-map.given_name=givenName
>>>>> ```
>>>>>
>>>>> This mapping is no longer working in CAS v6.4 (and also tested in the
>>>>> latest v6.4.4.2) for the generated ID Token. Our ID Token claims no longer
>>>>> contain the mapped names but instead contain the LDAP attribute names such
>>>>> as `mail`, `cn`, etc. The UserInfo endpoint does correctly contain the
>>>>> mapped claim names.
>>>>>
>>>>> As a possible workaround, I tried using a service definition that
>>>>> included an `attributeReleasePolicy` using the
>>>>> `ReturnMappedAttributeReleasePolicy` class but that had no effect on the
>>>>> ID Token claim names.
>>>>>
>>>>> I have reviewed all the OIDC settings and didn't spot anything that
>>>>> looks like it would address this issue.
>>>>>
>>>>> Any help/advice would be appreciated,
>>>>> John
>>>>>
>>>>> --
>>>>> - Website: https://apereo.github.io/cas
>>>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>>>> - List Guidelines: https://goo.gl/1VRrw7
>>>>> - Contributions: https://goo.gl/mh7qDG
>>>>> ---
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "CAS Community" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>> an email to [email protected].
>>>>> To view this discussion on the web visit
>>>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/fdf662f8-e990-4b9a-b22a-57a6c643e0b1n%40apereo.org
>>>>> .
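Added example, not code from the thread or from the CAS project: a small offline check that decodes an ID Token payload and reports, for each `claims-map` entry quoted in John's message, whether the claim arrived under its OIDC name, under the raw LDAP attribute name (the v6.4 symptom described above), or not at all. The token builder and the claim values are constructed test fixtures; no signature verification is performed.

```python
import base64
import json
# Constructed sample input: the claims-map properties quoted in the thread
# (standard OIDC claim name -> LDAP attribute name).
CLAIMS_MAP_PROPERTIES = """
cas.authn.oidc.core.claims-map.email=mail
cas.authn.oidc.core.claims-map.name=cn
cas.authn.oidc.core.claims-map.family_name=sn
cas.authn.oidc.core.claims-map.given_name=givenName
"""
PREFIX = "cas.authn.oidc.core.claims-map."

def parse_claims_map(properties: str) -> dict:
    """Return {oidc_claim: ldap_attribute} parsed from CAS properties text."""
    mapping = {}
    for line in properties.splitlines():
        line = line.strip()
        if line.startswith(PREFIX) and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            mapping[key[len(PREFIX):]] = value
    return mapping

def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment of a JWT for inspection only; no signature check."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audit_claim_names(id_token: str, properties: str) -> dict:
    """Classify each mapped claim as 'mapped' (OIDC name present), 'unmapped'
    (only the raw LDAP attribute name present, the v6.4 symptom) or 'missing'."""
    claims = decode_jwt_payload(id_token)
    report = {}
    for oidc_name, ldap_name in parse_claims_map(properties).items():
        if oidc_name in claims:
            report[oidc_name] = "mapped"
        elif ldap_name in claims:
            report[oidc_name] = "unmapped"
        else:
            report[oidc_name] = "missing"
    return report

def make_unsigned_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT-shaped string for offline tests only."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return seg({"alg": "none", "typ": "JWT"}) + "." + seg(claims) + "."

# Constructed token shaped like the v6.4 ID Token described in the thread (raw LDAP names).
SAMPLE_V64_TOKEN = make_unsigned_sample_token(
    {"sub": "jdoe", "mail": "jdoe@example.org", "cn": "John Doe", "sn": "Doe", "givenName": "John"})
```

Running `audit_claim_names(SAMPLE_V64_TOKEN, CLAIMS_MAP_PROPERTIES)` against a real token captured from CAS shows at a glance which claims the mapping failed to rename.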
