You need to set the user profile to FLAT. See https://apereo.github.io/cas/7.3.x/authentication/OAuth-Authentication-UserProfiles.html .

KR,
Fiisch

On 12/23/25 23:18, 'Jake Turner' via CAS Community wrote:
Hi all,

I'm running CAS 7.3.2 and I'm running into some trouble getting an external OIDC service to complete a login flow. The external service is expecting the "email" at the root of the /cas/oidc/profile response, but it's only returning inside the "attributes" object.

For example, requesting an authorization code grant with scopes openid, profile, and email and then:

curl --request GET \
  --url https://my-cas-server.com/cas/oidc/profile \
  --header 'Authorization: Bearer my-access-token'

returns:

{
  "sub": "c8345950-15ed-4c55-b7f9-dd7011d6bde0",
  "service": "https://my-external-service.com/auth/oidc/callback",
  "auth_time": 1766524745,
  "attributes": {
    "given_name": "Test",
    "family_name": "User",
    "picture": "https://mycorp.com/avatar.png",
    "email": "[email protected]"
  },
  "id": " c8345950-15ed-4c55-b7f9-dd7011d6bde0  ",
  "client_id": "my-external-service"
}

I'm using a dynamic JPA service registry with this service defined as such:

{
  "@class": "org.apereo.cas.services.OidcRegisteredService",
  "clientId": "my-external-service",
  "clientSecret": "my-client-secret",
  "serviceId": "https://my-external-service.com/auth/oidc/callback",
  "name": "My External Service",
  "id": 1,
  "logo": "https://mycorp.com/icon.png",
  "bypassApprovalPrompt": true,
  "supportedResponseTypes": [
    "java.util.HashSet",
    [
      "code"
    ]
  ],
  "supportedGrantTypes": [
    "java.util.HashSet",
    [
      "authorization_code"
    ]
  ],
  "scopes": [
    "java.util.HashSet",
    [
      "openid",
      "profile",
      "email"
    ]
  ],
  "usernameAttributeProvider": {
    "@class": "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
    "usernameAttribute": "uuid",
    "principalIdAttribute": "uuid"
  }
}

I have tried a few different attributeReleasePolicy configurations, such as "org.apereo.cas.oidc.claims.OidcEmailScopeAttributeReleasePolicy" or "org.apereo.cas.services.ChainingAttributeReleasePolicy" with "org.apereo.cas.oidc.claims.OidcEmailScopeAttributeReleasePolicy" in the chain, but nothing seems to achieve the desired result.


Confirmed I have the following set in cas.properties:
cas.authn.oidc.id-token.include-id-token-claims=false

cas.authn.oidc.discovery.scopes=openid,email,profile
cas.authn.oidc.discovery.claims=sub,given_name,family_name,email,picture.(truncated for brevity)
cas.authn.oidc.core.claims-map.email=email


Any assistance is greatly appreciated!


--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/da443018-eaa5-499a-91b1-1d9100bcf059n%40apereo.org <https://groups.google.com/a/apereo.org/d/msgid/cas-user/da443018-eaa5-499a-91b1-1d9100bcf059n%40apereo.org?utm_medium=email&utm_source=footer>.
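
Added example, not part of the original thread and not CAS or project code: a small Python check that reports whether the claims a client expects sit at the root of a /cas/oidc/profile response or only inside "attributes", which is the difference the FLAT profile view in the reply addresses. The claim list, both sample documents and the function name check_userinfo are assumptions constructed from the response quoted in the thread.

```python
import json

# Assumption: claims this client expects per granted scope, taken from the
# attributes visible in the thread's response (not a CAS-defined list).
SCOPE_CLAIMS = {
    "profile": ["given_name", "family_name", "picture"],
    "email": ["email"],
}

# Constructed sample shaped like the nested response quoted in the thread.
NESTED_SAMPLE = json.dumps({
    "sub": "c8345950-15ed-4c55-b7f9-dd7011d6bde0",
    "attributes": {"given_name": "Test", "family_name": "User",
                   "picture": "https://mycorp.com/avatar.png",
                   "email": "test.user@example.org"},
    "client_id": "my-external-service",
})

# Constructed sample with the same claims at the root, as the client expects.
FLAT_SAMPLE = json.dumps({
    "sub": "c8345950-15ed-4c55-b7f9-dd7011d6bde0",
    "given_name": "Test", "family_name": "User",
    "picture": "https://mycorp.com/avatar.png",
    "email": "test.user@example.org",
    "client_id": "my-external-service",
})


def check_userinfo(raw, scopes):
    """Return (ok, report): where each expected claim sits in the response."""
    userinfo = json.loads(raw)
    if not isinstance(userinfo, dict):
        raise ValueError("userinfo response must be a JSON object")
    nested = userinfo.get("attributes")
    nested = nested if isinstance(nested, dict) else {}
    expected = ["sub"] + [c for s in scopes for c in SCOPE_CLAIMS.get(s, [])]
    report = {}
    for claim in expected:
        if claim in userinfo:
            report[claim] = "root"
        elif claim in nested:
            report[claim] = "nested"
        else:
            report[claim] = "missing"
    # A client that reads only top-level claims needs every one at the root.
    return all(v == "root" for v in report.values()), report


if __name__ == "__main__":
    for name, raw in (("nested", NESTED_SAMPLE), ("flat", FLAT_SAMPLE)):
        print(name, check_userinfo(raw, ["openid", "profile", "email"]))
```

Feeding it the body returned by the curl request in the thread, before and after changing the profile view, shows whether "email" has moved from "nested" to "root".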
