Hi John,

Did you use the user profile endpoint?
Are the user profile values in the endpoint response arrays rather than strings?

On Saturday, March 19, 2022 at 02:19:51 UTC+8, John Wagenleitner wrote:

> Hi Jae,
>
> Thank you very much for your email. That is a good work-around/fix for the 
> issue. I removed the `scopes` key in the service definition file completely 
> and in the `cas.properties` removed all of the 
> `cas.authn.oidc.core.claims-map` entries.
>
> I used the following attribute release policy in my service definition to 
> do the mappings (had tried this before, but it doesn't work with the 
> `scopes` set):
>
> """
>
> "attributeReleasePolicy" : {
>   "@class": "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
>   "allowedAttributes": {
>     "@class": "java.util.TreeMap",
>
>     "mail": "email",
>     "cn": "name",
>     "sn": "family_name",
>     "givenName": "given_name"
>   }
> }
>
> """
>
> With those changes (using CAS v6.5.0), now the correct names (email, name, 
> family_name, given_name) appear in both the IDToken and userinfo endpoint.
>
> Thanks again,
> John
>
> On Tue, Mar 15, 2022 at 12:03 AM Jae Liu <[email protected]> wrote:
>
>> Hi John,
>>
>> I removed the claims-map in config and following are my 
>> attributeReleasePolicy
>>
>>   attributeReleasePolicy:
>>   {
>>     @class: org.apereo.cas.services.ChainingAttributeReleasePolicy
>>     policies:
>>     [
>>       java.util.ArrayList
>>       [
>>         {
>>           @class: org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy
>>           principalAttributesRepository:
>>           {
>>             @class: org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository
>>             mergingStrategy: REPLACE
>>             ignoreResolvedAttributes: false
>>           }
>>           order: 0
>>           allowedAttributes:
>>           [
>>             java.util.ArrayList
>>             [
>>               mail
>>               displayName
>>               sAMAccountName
>>               userPrincipalName
>>             ]
>>           ]
>>         }
>>         {
>>           @class: org.apereo.cas.services.ReturnMappedAttributeReleasePolicy
>>           allowedAttributes:
>>           {
>>             @class: java.util.TreeMap
>>             email: groovy { return attributes[ 'mail' ].get(0) }
>>             email_verified: groovy { if(!attributes[ 'mail' ].isEmpty() && attributes[ 'mail' ].get(0).endsWith('@xxxx.com')){ return true } else { return false } }
>>             name: groovy { return attributes[ 'displayName' ].get(0) }
>>             nickname: groovy { return attributes[ 'sAMAccountName' ].get(0) }
>>             preferred_username: groovy { return attributes[ 'userPrincipalName' ].get(0) }
>>           }
>>           principalAttributesRepository:
>>           {
>>             @class: org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository
>>             mergingStrategy: REPLACE
>>             ignoreResolvedAttributes: false
>>           }
>>           order: 1
>>         }
>>       ]
>>     ]
>>     mergingPolicy: REPLACE
>>     order: 0
>>   }
>>
>> *also removed the scopes*
>>
>>   scopes:
>>   [
>>     java.util.HashSet
>>     []
>>   ]
>>
>>
>> On Wednesday, March 9, 2022 at 23:47:15 UTC+8, John Wagenleitner wrote:
>>
>>> Hi Jae,
>>>
>>> Thanks for the reply, are you able to share any of your config?
>>>
>>> In my case both the IDToken and the userinfo endpoint contain claims 
>>> such as `mail` and `cn`. But the `claims-map` only seems to work for the 
>>> userinfo endpoint, which returns both claims `mail` and `email` and `cn` 
>>> and `name`, though I would have not expected it to include both the 
>>> original CAS attribute (from LDAP such as cn) and the mapped claim (such as 
>>> email) and think in versions prior to v6.4 it returned only `email` as a 
>>> claim name for that particular value.
>>>
>>>> so the attributes in your claims-map do not have value, so the IDToken 
>>>> does have value.
>>>
>>>
>>> In my claim-map I'm mapping `cn` to `name`. The IDToken we receive does 
>>> include `cn` as a claim. Based on my mapping settings, I would have 
>>> expected the claim name to be `name` and not `cn` both in the IDToken and 
>>> in the userinfo endpoint and this is how it worked prior to v6.4.
>>>
>>> John
>>>
>>> On Tue, Mar 8, 2022 at 5:55 PM Jae Liu <[email protected]> wrote:
>>>
>>>> I used CAS v6.4 and it's OK for me.
>>>>
>>>> I think there is something wrong with your configuration. You defined the 
>>>> scopes (scopes=openid,profile,email); CAS will use these as the attribute 
>>>> release policy. The email scope will only release the attributes email and 
>>>> email_verified, and profile will release name, given_name, family_name, so the 
>>>> attributes in your claims-map do not have value, so the IDToken does have 
>>>> value.
>>>>
>>>> On Tuesday, January 11, 2022 at 12:28:01 UTC+8, John Wagenleitner wrote:
>>>>
>>>>> In CAS v6.3 (up to and including v6.3.7.4) we used the 
>>>>> `cas.authn.oidc.claims-map` properties to map our LDAP attribute names to 
>>>>> the standard claim names. This mapping worked for both the ID Token and the 
>>>>> UserInfo (`/profile`) endpoint.
>>>>>
>>>>> Here are the relevant properties we have set:
>>>>>
>>>>> ```
>>>>> cas.authn.oidc.discovery.scopes=openid,profile,email
>>>>> cas.authn.oidc.discovery.claims=sub,name,family_name,given_name,email
>>>>> cas.authn.oidc.core.claims-map.email=mail
>>>>> cas.authn.oidc.core.claims-map.name=cn
>>>>> cas.authn.oidc.core.claims-map.family_name=sn
>>>>> cas.authn.oidc.core.claims-map.given_name=givenName
>>>>> ```
>>>>>
>>>>> This mapping is no longer working in CAS v6.4 (and also tested in the 
>>>>> latest v6.4.4.2) for the generated ID Token. Our ID Token claims no longer 
>>>>> contain the mapped names but instead contain the LDAP attribute names such 
>>>>> as `mail`, `cn`, etc. The UserInfo endpoint does correctly contain the 
>>>>> mapped claim names.
>>>>>
>>>>> As a possible workaround, I tried using a service definition that 
>>>>> included an `attributeReleasePolicy` using the 
>>>>> `ReturnMappedAttributeReleasePolicy` class, but that had no effect on the ID 
>>>>> Token claim names.
>>>>>
>>>>> I have reviewed all the OIDC settings and didn't spot anything that 
>>>>> looks like it would address this issue.
>>>>>
>>>>> Any help/advice would be appreciated,
>>>>> John
>>>>>
>>>>>
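A small check for the symptom discussed in this thread, added here as an example and not part of the original messages or of CAS itself: it parses the `cas.authn.oidc.core.claims-map` properties from the first message and audits an ID token payload (or a userinfo response body) for which mapped claim names are present and which raw LDAP attribute names still appear. The sample token, the `jdoe` user and the `example.org` address are constructed test data; `_b64url` exists only to build that sample.

```python
import base64
import json

# Constructed copy of the cas.properties fragment posted at the start of this thread.
CAS_PROPERTIES = """
cas.authn.oidc.discovery.scopes=openid,profile,email
cas.authn.oidc.discovery.claims=sub,name,family_name,given_name,email
cas.authn.oidc.core.claims-map.email=mail
cas.authn.oidc.core.claims-map.name=cn
cas.authn.oidc.core.claims-map.family_name=sn
cas.authn.oidc.core.claims-map.given_name=givenName
"""
CLAIMS_MAP_PREFIX = "cas.authn.oidc.core.claims-map."

def parse_claims_map(properties: str) -> dict:
    """Return {standard_claim: ldap_attribute} from the claims-map.* lines."""
    mapping = {}
    for line in properties.splitlines():
        line = line.strip()
        if line.startswith(CLAIMS_MAP_PREFIX) and "=" in line:
            claim, attribute = line[len(CLAIMS_MAP_PREFIX):].split("=", 1)
            mapping[claim.strip()] = attribute.strip()
    return mapping

def decode_jwt_payload(token: str) -> dict:
    """Decode a compact JWS payload for claim-name inspection only; the signature
    is not verified here, so only feed it tokens you already trust."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audit_claims(claims: dict, claims_map: dict) -> dict:
    """Mapped claim names present/missing, plus raw LDAP attribute names that leak."""
    return {
        "mapped_present": sorted(c for c in claims_map if c in claims),
        "mapped_missing": sorted(c for c in claims_map if c not in claims),
        "raw_leaked": sorted(a for a in claims_map.values() if a in claims),
    }

def audit_id_token(token: str, properties: str = CAS_PROPERTIES) -> dict:
    return audit_claims(decode_jwt_payload(token), parse_claims_map(properties))

def _b64url(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

# Constructed sample ID token reproducing the v6.4 symptom from the thread: raw
# LDAP names instead of the mapped claim names. Header and signature are dummies.
SAMPLE_ID_TOKEN = ".".join([_b64url({"alg": "RS256", "kid": "sample"}), _b64url(
    {"sub": "jdoe", "mail": "jdoe@example.org", "cn": "Jane Doe", "sn": "Doe",
     "givenName": "Jane"}), "dummy-signature"])
```

Running `audit_id_token` on a real ID token after a configuration change makes the fix from John's last message verifiable: `mapped_missing` and `raw_leaked` should both come back empty, and a userinfo body that returns both `mail` and `email` shows up as a non-empty `raw_leaked`.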

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/2f969b31-9389-4d0e-8f0c-6a95572a30d3n%40apereo.org.