Hello,

I am working on updating our CAS from version 5.3 to version 7.3.2.

CAS v2, CAS v3 and OIDC authentication are working fine, and we are able to
choose which attributes are returned to the client on a per-service
basis.

However, I am unable to restrict the attributes returned when the OAuth
protocol is used. Every time, the client receives all the attributes listed
under "ldap.principal-attribute-list".

In the OAuth service definition, I am using the class:
"@class" : "org.apereo.cas.support.oauth.services.OAuthRegisteredService",


However, none of the following release policies appears to be applied:

 "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.DenyAllAttributeReleasePolicy"
  }

 "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy",
    "excludedAttributes": ["java.util.LinkedHashSet", ["cn"]]
  }

  "attributeReleasePolicy" : {
    "@class": "org.apereo.cas.services.ReturnStaticAttributeReleasePolicy",
    "allowedAttributes": {
      "@class": "java.util.LinkedHashMap",
      "permissions": [ "java.util.ArrayList", [ "read", "write", "admin" ] ]
    }

  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "cn", "mail", "sn" ] ]
  }

  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "eduPersonAffiliation" : "affiliation",
      "groupMembership" : "group"
    }

"attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnLinkedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "component" : ["java.util.ArrayList", ["cn", "givenName",
"unknown", "firstName"]]
    }
  }

"attributeReleasePolicy": { "@class" :
"org.apereo.cas.services.DenyAllAttributeReleasePolicy", },

The only "attributeReleasePolicy" I managed to get working is the one that
adds attributes via an inline Groovy script:

  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "uid" : "groovy { return attributes['uid'].get(0) + ' is great' }"
    }


To collect attributes during LDAP authentication, I use the following settings:

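  # Fragment of the CAS authentication settings as pasted (the enclosing
  # top-level key is not shown here).
  authn:
    policy:
      required-attributes:
        enabled: false
    authentication-attribute-release:
      enabled: false
      only-release: sn,uid, givenName
    attribute-repository:
      core:
        default-attributes-to-release: sn,uid, givenName
    ldap:
      - type: AUTHENTICATED
        ldap-url: ${LDAP_HOST}
        base-dn: "ou=people,dc=univ-cas,dc=fr"
        search-filter: "(uid={user})"
        # Bind credentials are resolved from placeholders rather than written
        # into the file.
        bind-dn: ${LDAP_USER}
        bind-credential: ${LDAP_PASSWORD}
        dn-format: "uid={user},ou=people,dc=univ-cas,dc=fr"
        principal-attribute-id: uid
        # Attributes fetched from LDAP; per the post, this full list is what the
        # OAuth client currently ends up receiving.
        principal-attribute-list:
          - memberOf
          - mail
          - mailQuota
          - sn
          - cn
          - givenName
          - displayName
          - uid
          - mailAlternateAddress
          - personAffiliation
          - pwdChangedTime
          - synchroEdt
          - supannRefId
          - supannEntiteAffectation
          - title
          - supannRoleEntite
          - posteOccupe
    oauth:
      core:
        # NOTE(review): skips the OAuth consent screen for every client; confirm
        # this is intended for all registered OAuth services.
        bypass-approval-prompt: true
    oidc:
      core:
        # Stray ';' after the closing quote removed: a quoted scalar followed by
        # other characters does not parse as YAML. NOTE(review): confirm the
        # issuer value itself is the one the clients expect.
        issuer: "https://server-cas/cas/oidc"
        claims-map:
          uid: uid
          family_name: sn
          given_name: givenName
          name: cn
          preferred_username: displayName
          # Stray trailing '"' removed; 'mail"' would not match the 'mail'
          # attribute listed under principal-attribute-list above.
          email: mail
          groups: memberOf
        user-defined-scopes:
          groups: groups
      id-token:
        include-id-token-claims: false
      discovery:
        scopes: openid, profile, email, groups
        claims:
          - sub
          - given_name
          - family_name
          - name
          - email
          - groups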

In addition, we have enabled the following dependencies:

// Gradle dependency block of the CAS overlay, as pasted into the post. Several
// string literals appear to have been wrapped across lines by the mail client,
// so the text below is not copy-paste ready as-is.
dependencies {
    // CAS BOM, enforced, keyed off the 'cas.version' project property.
    // NOTE(review): a second, non-enforced platform() of the same BOM keyed off
    // project.version is declared further down; confirm both resolve to the
    // same CAS version.
    implementation enforcedPlatform("org.apereo.cas:cas-server-support-bom:
${project.'cas.version'}")
    // Spring Boot BOM taken from the Spring Boot Gradle plugin.
    implementation platform(
org.springframework.boot.gradle.plugin.SpringBootPlugin.BOM_COORDINATES)
    implementation "org.apereo.cas:cas-server-core-api-configuration-model"
    implementation "org.apereo.cas:cas-server-webapp-init"
    // Embedded Tomcat initializer only when the overlay is built for Tomcat.
    if (appServer == '-tomcat') {
        implementation "org.apereo.cas:cas-server-webapp-init-tomcat"
    }
    developmentOnly "org.springframework.boot:spring-boot-devtools:${
project.springBootVersion}"
    implementation "org.apereo.cas:cas-server-support-rest"
    // Second declaration of the CAS BOM (see note above).
    implementation platform("org.apereo.cas:cas-server-support-bom:${
project.version}")
    // NOTE(review): from here on some artifacts pin ${project.version}
    // explicitly while others rely on the BOM; mixing the two only works
    // cleanly if project.version equals the BOM version.
    implementation "org.apereo.cas:cas-server-core:${project.version}"
    implementation "org.apereo.cas:cas-server-support-ldap"
    implementation "org.apereo.cas:cas-server-support-ldap-core"
    implementation "org.apereo.cas:cas-server-webapp"
    // OAuth / OIDC protocol support; the OAuthRegisteredService class used in
    // the post lives in the org.apereo.cas.support.oauth package, so it most
    // likely comes from the oauth module.
    implementation "org.apereo.cas:cas-server-support-oauth:${
project.version}"
    implementation "org.apereo.cas:cas-server-support-oauth-webflow:${
project.version}"     /* DIA */
    implementation "org.apereo.cas:cas-server-support-oidc:${project.version
}"
    implementation
"org.apereo.cas:cas-server-core-authentication-attributes:${project.version}
"
    implementation "org.apereo.cas:cas-server-core-services:${
project.version}"
    // Service definitions are loaded from a git-backed service registry.
    implementation "org.apereo.cas:cas-server-support-git-service-registry:
${project.version}"
    implementation "org.apereo.cas:cas-server-support-oidc-core:${
project.version}"
    implementation "org.apereo.cas:cas-server-support-generic"
    // Presumably what enables the inline 'groovy { ... }' attribute mapping
    // shown in the post — verify.
    implementation "org.apereo.cas:cas-server-core-scripting"
    testImplementation "org.springframework.boot:spring-boot-starter-test"
}

How can I filter the released attributes for an OAuth service?

Thank you in advance.
