Bug with OpenID Connect custom claims and custom scopes

Olivier Lemasle

Sep 9, 2019, 6:36:26 AM
to CAS Developer
Hi,

I'm using CAS 6.1.0-RC5 and I found 2 issues regarding OpenID Connect claim release. I'd like a confirmation before making a PR for that.

1) I've created a custom scope with

cas.authn.oidc.userDefinedScopes.groups=groups

(a custom scope named "groups", with a claim "groups")

The attribute "groups" is correctly populated, and CAS asked the consent for scope "groups"; however, it did not release the claim.
Actually, variable "scopes" contained "groups", but "attributeReleasePolicies" contained "custom".

I could change getScopeType() to getScopeName() here, however it was a recent change from PR https://github.com/apereo/cas/pull/3916, so I guess there was a reason for that...

2) I've created a claim mapping:

cas.authn.oidc.claimsMap.email=mail

(mapping claim "email" to my attribute "mail")
The attribute "mail" is resolved, then the claim "email" is created, mapped to "mail".
However, when I debug "BaseOidcScopeAttributeReleasePolicy", I find that my resolved attribute is "email" (it has already been mapped).
Then, in function "mapClaimToAttribute", no value is found for my attribute, because it looks for an attribute named "mail".

I suppose it could be a recent regression from commit 1f4e968fa0.

Regards
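A hypothetical Python model of the scope/claim release logic described in the post, added here to make the two failure modes concrete; it is not CAS code, and the function names, the scope-definition tuples and the principal attributes are assumptions constructed for this illustration.

```python
# Hypothetical model of OIDC scope/claim release written for this thread to show
# the two failure modes above; it is not CAS code and every name is an assumption.
from typing import Dict, List, Mapping, Tuple

# Constructed configuration mirroring the two settings in the post.
CLAIMS_MAP: Dict[str, str] = {"email": "mail"}   # claim -> principal attribute
SCOPE_DEFS: List[Tuple[str, str, List[str]]] = [  # (scope name, scope type, claims)
    ("email", "standard", ["email", "email_verified"]),
    ("groups", "custom", ["groups"]),             # userDefinedScopes.groups=groups
]
# Constructed principal: the resolved attributes, still under their attribute names.
PRINCIPAL: Dict[str, object] = {"mail": "alice@example.test",
                                "email_verified": True, "groups": ["admins"]}

def index_policies(defs, by_type: bool = False) -> Dict[str, List[str]]:
    """Key release policies by scope name, or (issue 1) by scope type."""
    return {(stype if by_type else name): claims for name, stype, claims in defs}

def map_claim_to_attribute(claim: str, claims_map: Mapping[str, str]) -> str:
    """Principal attribute backing a claim; unmapped claims use their own name."""
    return claims_map.get(claim, claim)

def release_claims(principal: Mapping[str, object], scopes: List[str],
                   policies: Mapping[str, List[str]],
                   claims_map: Mapping[str, str]) -> Dict[str, object]:
    """Release the claims of each requested scope that has a policy, looking each
    claim up through the claims map against the raw attribute names."""
    released: Dict[str, object] = {}
    for scope in scopes:
        for claim in policies.get(scope, []):  # no policy under this key: nothing released
            attr = map_claim_to_attribute(claim, claims_map)
            if attr in principal:
                released[claim] = principal[attr]
    return released

def premap_attributes(principal: Mapping[str, object],
                      claims_map: Mapping[str, str]) -> Dict[str, object]:
    """Issue 2: rename attributes to claim names before release, so the later
    lookup by attribute name ("mail") no longer finds anything."""
    inverse = {attr: claim for claim, attr in claims_map.items()}
    return {inverse.get(k, k): v for k, v in principal.items()}

if __name__ == "__main__":
    scopes = ["email", "groups"]
    print(release_claims(PRINCIPAL, scopes, index_policies(SCOPE_DEFS), CLAIMS_MAP))
    print(release_claims(PRINCIPAL, scopes, index_policies(SCOPE_DEFS, by_type=True), CLAIMS_MAP))
    print(release_claims(premap_attributes(PRINCIPAL, CLAIMS_MAP), scopes,
                         index_policies(SCOPE_DEFS), CLAIMS_MAP))
```

Keying policies by scope type means the requested scope name "groups" never matches the stored key "custom", and renaming attributes before the claims-map lookup makes the "email" claim silently disappear while unmapped claims still come through.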