Re: [cas-user] CAS 5.2 - OIDC and attribute release

2020-06-09 Thread qla3fa

I use the Apache module mod_auth_openidc for my test. My Apache conf is:

OIDCProviderMetadataURL https://my-url.com/cas/oidc/.well-known/openid-configuration

OIDCClientID applicationQLA-testPHP
OIDCClientSecret x
#OIDCMetadataDir /var/cache/apache2/mod_auth_openidc/metadata
OIDCScope "openid email profile"
OIDCResponseType "code"
OIDCRemoteUserClaim email
OIDCRedirectURI http://localhost:8080/callback
OIDCCryptoPassphrase xxx


If I configure OIDCRemoteUserClaim with 'sub', the remote_user variable
content is OK. But with the email value, Apache logs an error:


[Tue Jun 09 15:10:13.444122 2020] [auth_openidc:warn] [pid 11491] [client 10.0.2.2:63823] oidc_get_remote_user: JSON object did not contain a "email" string
[Tue Jun 09 15:10:13.22 2020] [auth_openidc:error] [pid 11491] [client 10.0.2.2:63823] oidc_set_request_user: OIDCRemoteUserClaim is set to "email", but could not set the remote user based on the requested claim "email" and the available claims for the user
[Tue Jun 09 15:10:13.444767 2020] [auth_openidc:error] [pid 11491] [client 10.0.2.2:63823] oidc_handle_authorization_response: remote user could not be set


Best regards,

QLA.

On 09/06/2020 at 09:18, Jérôme Steve wrote:
So, what is your client OIDC application configuration? Have you
configured the scope?


On Mon, 8 June 2020 at 18:23, qla3fa wrote:


Thanks for your response.

sn and mail are attributes I extract from my LDAP. I use them with
CAS services and it works... I configured the OAuth 2.0 module too and
I use and map these attributes with success... So I think it's OK
with these attributes. It's only with OIDC services that it doesn't work...

Best regards.

QLA.

On 08/06/2020 at 18:01, Jérôme Steve wrote:

Hi,

Your OIDC configuration looks good.

You map your claims like this:
cas.authn.oidc.claimsMap.name=sn
cas.authn.oidc.claimsMap.email=mail
Maybe you don't have sn and email in your attribute repository?



On Mon, 8 June 2020 at 16:37, qla3fa <qla...@gmail.com> wrote:

Hi,

I am trying to configure OIDC with CAS 5.2. I added the module
"cas-server-support-oidc" and the configuration with these lines:

# Configuration OIDC
cas.authn.oidc.issuer=https://my-url.com/cas/oidc
cas.authn.oidc.skew=5
cas.authn.oidc.jwksFile=file:/etc/cas/keystore.jwks
cas.authn.oidc.jwksCacheInMinutes=60
cas.authn.oidc.dynamicClientRegistrationMode=PROTECTED
cas.authn.oidc.subjectTypes=public,pairwise
cas.authn.oidc.scopes=openid, profile, email

cas.authn.oidc.claims=sub,name,preferred_username,family_name,given_name,middle_name,given_name,profile,picture,nickname,website,zoneinfo,locale,updated_at,birthdate,email,email_verified,phone_number,phone_number_verified,address
cas.authn.oidc.claimsMap.given_name=givenName
cas.authn.oidc.claimsMap.name=sn
cas.authn.oidc.claimsMap.email=mail

For my app, I configure the service:

{
  "@class" : "org.apereo.cas.services.OidcRegisteredService",
  "clientId": "applicationQLA-testPHP",
  "clientSecret": "x",
  "serviceId" : "^http://localhost:8080/.*",
  "bypassApprovalPrompt": true,
  "supportedResponseTypes" : [ "java.util.HashSet", [ "code", "token" ] ],
  "name" : "applicationQLAtestPHP",
  "scopes" : [ "java.util.HashSet",
    [ "openid", "email", "profile" ]
  ],
  "id" : 7,
  "evaluationOrder" : 7
}

OIDC authentication works well, but in my application the only
attributes I can get are:

sub, auth_time, jti, iss, aud, exp, iat, nbf, amr, state,
nonce, at_hash, preferred_username

But I can't get the attributes of the email or profile scope...

In the log file I don't have any error messages.

What is wrong with my config?

Thanks for your help.
Best regards,

QLA

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/838f0180-1c48-a196-2672-0981d6d971fb%40gmail.com.

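A small diagnostic for the situation in this message, added here as an example and not code from the thread, from CAS or from mod_auth_openidc: it decodes the ID token payload (without verifying the signature; this is for inspection only, never for a trust decision), merges in any userinfo response, and then reports, for each requested standard scope, which of its claims per OpenID Connect Core 1.0 section 5.4 actually arrived, and whether the claim chosen for OIDCRemoteUserClaim is a non-empty string, which is what the "JSON object did not contain a "email" string" warning above is checking for. The token, its claim values and the userinfo dictionary are constructed sample data that mirror the claim list reported earlier in the thread.

```python
"""Constructed diagnostic: which OIDC scopes actually produced claims, and is
the chosen remote-user claim usable? Not part of CAS or mod_auth_openidc."""
import base64
import json

# Scope -> claims, as defined by OpenID Connect Core 1.0, section 5.4.
STANDARD_SCOPE_CLAIMS = {
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}


def decode_jwt_payload(token):
    """Base64url-decode the payload of a compact JWT WITHOUT verifying it.
    Only for looking at which claims are present; trust nothing in it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def claims_by_scope(claims, requested_scopes):
    """For each requested standard scope, list the claims that were delivered.
    'openid' and custom scopes carry no fixed claim set and are skipped."""
    report = {}
    for scope in requested_scopes:
        expected = STANDARD_SCOPE_CLAIMS.get(scope)
        if expected is None:
            continue
        report[scope] = sorted(c for c in expected if c in claims)
    return report


def remote_user_claim_ok(claims, claim_name):
    """True only if the claim exists and is a non-empty string: that is what a
    relying party needs before it can populate REMOTE_USER from it."""
    value = claims.get(claim_name)
    return isinstance(value, str) and value != ""


def diagnose(id_token, userinfo, requested_scopes, remote_user_claim):
    """Merge ID token and userinfo claims (userinfo wins on conflict) and
    report empty scopes plus whether the remote-user claim is usable."""
    claims = dict(decode_jwt_payload(id_token))
    claims.update(userinfo or {})
    delivered = claims_by_scope(claims, requested_scopes)
    return {
        "delivered": delivered,
        "empty_scopes": sorted(s for s, got in delivered.items() if not got),
        "remote_user_ok": remote_user_claim_ok(claims, remote_user_claim),
    }


def build_unsigned_token(payload):
    """Constructed helper so the example runs offline: a compact JWT with a
    dummy signature. Real tokens arrive signed from the provider."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([b64({"alg": "RS256", "typ": "JWT"}), b64(payload), "sig"])


# Constructed sample mirroring the claim set reported in the thread: only
# standard token claims plus preferred_username, nothing from email/profile.
SAMPLE_PAYLOAD = {
    "sub": "qla", "iss": "https://my-url.com/cas/oidc",
    "aud": "applicationQLA-testPHP", "exp": 1591715413, "iat": 1591711813,
    "nbf": 1591711813, "auth_time": 1591711800, "jti": "constructed-jti",
    "amr": ["pwd"], "state": "constructed-state", "nonce": "constructed-nonce",
    "at_hash": "constructed-at-hash", "preferred_username": "qla",
}
SAMPLE_TOKEN = build_unsigned_token(SAMPLE_PAYLOAD)

if __name__ == "__main__":
    # Same scopes and remote-user claim as the Apache configuration above.
    result = diagnose(SAMPLE_TOKEN, {}, ["openid", "email", "profile"], "email")
    print(json.dumps(result, indent=2))
```

Run against the constructed token, the report shows the email scope delivering nothing, the profile scope delivering only preferred_username, and the email claim unusable as remote user, which matches the Apache warnings above; switching the remote-user claim to sub, or supplying a userinfo response that carries email, turns remote_user_ok true. When mod_auth_openidc is in play, check the claims in both the ID token and the userinfo endpoint response, since a provider may release scope claims in either place.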

Re: [cas-user] CAS 5.2 - OIDC and attribute release

2020-06-09 Thread Jérôme Steve
So, what is your client OIDC application configuration? Have you
configured the scope?

On Mon, 8 June 2020 at 18:23, qla3fa wrote:

> Thanks for your response.
>
> sn and mail are attributes I extract from my LDAP. I use them with CAS
> services and it works... I configured the OAuth 2.0 module too and I use and map
> these attributes with success... So I think it's OK with these attributes.
> It's only with OIDC services that it doesn't work...
>
> Best regards.
>
> QLA.
> On 08/06/2020 at 18:01, Jérôme Steve wrote:
>
> Hi,
>
> Your OIDC configuration looks good.
>
> You map your claims like this :
> cas.authn.oidc.claimsMap.name=sn
> cas.authn.oidc.claimsMap.email=mail
> Maybe you don't have sn and email in your attribute repository?
>
>
>
> On Mon, 8 June 2020 at 16:37, qla3fa wrote:
>
>> Hi,
>>
>> I am trying to configure OIDC with CAS 5.2. I added the module
>> "cas-server-support-oidc" and the configuration with these lines:
>>
>> # Configuration OIDC
>> cas.authn.oidc.issuer=https://my-url.com/cas/oidc
>> cas.authn.oidc.skew=5
>> cas.authn.oidc.jwksFile=file:/etc/cas/keystore.jwks
>> cas.authn.oidc.jwksCacheInMinutes=60
>> cas.authn.oidc.dynamicClientRegistrationMode=PROTECTED
>> cas.authn.oidc.subjectTypes=public,pairwise
>> cas.authn.oidc.scopes=openid, profile, email
>>
>> cas.authn.oidc.claims=sub,name,preferred_username,family_name,given_name,middle_name,given_name,profile,picture,nickname,website,zoneinfo,locale,updated_at,birthdate,email,email_verified,phone_number,phone_number_verified,address
>> cas.authn.oidc.claimsMap.given_name=givenName
>> cas.authn.oidc.claimsMap.name=sn
>> cas.authn.oidc.claimsMap.email=mail
>>
>> For my app, I configure the service:
>>
>> {
>>   "@class" : "org.apereo.cas.services.OidcRegisteredService",
>>   "clientId": "applicationQLA-testPHP",
>>   "clientSecret": "x",
>>   "serviceId" : "^http://localhost:8080/.*",
>>   "bypassApprovalPrompt": true,
>>   "supportedResponseTypes" : [ "java.util.HashSet", [ "code", "token" ] ],
>>   "name" : "applicationQLAtestPHP",
>>   "scopes" : [ "java.util.HashSet",
>>     [ "openid", "email", "profile" ]
>>   ],
>>   "id" : 7,
>>   "evaluationOrder" : 7
>> }
>>
>> OIDC authentication works well, but in my application the only attributes
>> I can get are:
>>
>> sub, auth_time, jti, iss, aud, exp, iat, nbf, amr, state, nonce, at_hash,
>> preferred_username
>>
>> But I can't get the attributes of the email or profile scope...
>>
>> In the log file I don't have any error messages.
>>
>> What is wrong with my config?
>>
>> Thanks for your help.
>> Best regards,
>>
>> QLA
>>