Hi all, I'm running CAS 7.3.2 and I'm running into some trouble getting an external OIDC service to complete a login flow. The external service is expecting the "email" at the root of the /cas/oidc/profile response, but it's only returning inside the "attributes" object.
For example, requesting an authorization code grant with scopes openid, profile, and email and then:

    curl --request GET \
      --url https://my-cas-server.com/cas/oidc/profile \
      --header 'Authorization: Bearer my-access-token'

returns:

    {
      "sub": "c8345950-15ed-4c55-b7f9-dd7011d6bde0",
      "service": "https://my-external-service.com/auth/oidc/callback",
      "auth_time": 1766524745,
      "attributes": {
        "given_name": "Test",
        "family_name": "User",
        "picture": "https://mycorp.com/avatar.png",
        "email": "[email protected]"
      },
      "id": " c8345950-15ed-4c55-b7f9-dd7011d6bde0 ",
      "client_id": "my-external-service"
    }

I'm using a dynamic JPA service registry with this service defined as such:

    {
      "@class": "org.apereo.cas.services.OidcRegisteredService",
      "clientId": "my-external-service",
      "clientSecret": "my-client-secret",
      "serviceId": "https://my-external-service.com/auth/oidc/callback",
      "name": "My External Service",
      "id": 1,
      "logo": "https://mycorp.com/icon.png",
      "bypassApprovalPrompt": true,
      "supportedResponseTypes": [ "java.util.HashSet", [ "code" ] ],
      "supportedGrantTypes": [ "java.util.HashSet", [ "authorization_code" ] ],
      "scopes": [ "java.util.HashSet", [ "openid", "profile", "email" ] ],
      "usernameAttributeProvider": {
        "@class": "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
        "usernameAttribute": "uuid",
        "principalIdAttribute": "uuid"
      }
    }

I have tried a few different attributeReleasePolicy configurations, such as "org.apereo.cas.oidc.claims.OidcEmailScopeAttributeReleasePolicy" or "org.apereo.cas.services.ChainingAttributeReleasePolicy" with "org.apereo.cas.oidc.claims.OidcEmailScopeAttributeReleasePolicy" in the chain, but nothing seems to achieve the desired result.
Confirmed I have the following set in cas.properties:

    cas.authn.oidc.id-token.include-id-token-claims=false
    cas.authn.oidc.discovery.scopes=openid,email,profile
    cas.authn.oidc.discovery.claims=sub,given_name,family_name,email,picture.(truncated for brevity)
    cas.authn.oidc.core.claims-map.email=email

Any assistance is greatly appreciated!

--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group. To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/da443018-eaa5-499a-91b1-1d9100bcf059n%40apereo.org.
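Added example (not part of the post above, and not CAS or Apereo code): a relying-party-side normalizer that takes the /cas/oidc/profile JSON shown above, lifts the scope-released claims out of the nested "attributes" object to the top level, and refuses to let a released attribute shadow the protocol-level claims (sub, client_id, auth_time, service, id). It also trims and cross-checks the whitespace-padded "id" value against "sub", which is a check a relying party should make before trusting the profile. The sample response is constructed from the post with a placeholder e-mail address; the function names and the one-element-list unwrapping are assumptions of this example, not CAS behaviour.

```python
"""Relying-party-side normalizer for a CAS /cas/oidc/profile response.

Assumption (example code, not CAS's own): the RP wants released claims
such as "email" at the top level, but must not let a released attribute
overwrite the claims that identify the subject and client.
"""
import json
from typing import Dict, List

# Top-level claims a released attribute must never overwrite.
PROTECTED_CLAIMS = {"sub", "client_id", "auth_time", "service", "id"}

# Constructed sample, modelled on the response in the post; the e-mail is a placeholder.
SAMPLE_PROFILE = json.dumps({
    "sub": "c8345950-15ed-4c55-b7f9-dd7011d6bde0",
    "service": "https://my-external-service.com/auth/oidc/callback",
    "auth_time": 1766524745,
    "attributes": {
        "given_name": "Test",
        "family_name": "User",
        "picture": "https://mycorp.com/avatar.png",
        "email": "user@example.com",
    },
    "id": " c8345950-15ed-4c55-b7f9-dd7011d6bde0 ",
    "client_id": "my-external-service",
})


def normalize_profile(raw: str) -> Dict[str, object]:
    """Parse the profile JSON and return a flat claim dict.

    Raises ValueError on a malformed response, an id/sub mismatch, or an
    attribute that would shadow a protected claim.
    """
    profile = json.loads(raw)
    if not isinstance(profile, dict):
        raise ValueError("profile response is not a JSON object")

    sub = profile.get("sub")
    if not isinstance(sub, str) or not sub.strip():
        raise ValueError("profile response has no usable 'sub'")

    # The response in the post pads "id" with spaces; compare the trimmed value.
    ident = profile.get("id")
    if isinstance(ident, str):
        ident = ident.strip()
        if ident != sub:
            raise ValueError("'id' does not match 'sub'")

    attrs = profile.get("attributes", {})
    if not isinstance(attrs, dict):
        raise ValueError("'attributes' is not a JSON object")

    # Start from the protocol-level claims, with the trimmed id.
    flat: Dict[str, object] = {k: v for k, v in profile.items() if k != "attributes"}
    if ident is not None:
        flat["id"] = ident

    for name, value in attrs.items():
        if name in PROTECTED_CLAIMS:
            raise ValueError(f"released attribute {name!r} would shadow a protected claim")
        # Assumption: a single-valued attribute delivered as a one-element list is unwrapped.
        if isinstance(value, list) and len(value) == 1:
            value = value[0]
        flat[name] = value
    return flat


def missing_claims(flat: Dict[str, object], required: List[str]) -> List[str]:
    """Return the required claim names that are absent or empty after normalization."""
    return [name for name in required if not flat.get(name)]


if __name__ == "__main__":
    claims = normalize_profile(SAMPLE_PROFILE)
    print(json.dumps(claims, indent=2))
    print("missing:", missing_claims(claims, ["sub", "email", "name"]))
```

The shadowing check matters because the "attributes" object is populated from whatever the attribute release policy lets through; if an upstream attribute source can emit a key named sub or client_id, a naive flatten would let it replace the value CAS asserted.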
