cas6, scope exists even if attribute not released?


Yan Zhou

Feb 4, 2022, 10:25:54 AM2/4/22
to CAS Community
Hi there,

I am using CAS 6.4.4, OIDC flow with custom scope and attributes.

This is what I expected to see: if authHandler puts in attributes (mapped to claims) required by the scope, access token introspection will show the token has that scope; otherwise, it will not show the scope.

For instance, a client requests readOrders and writeOrders scope, and the app does support both, but the authHandler may determine that the login user can only have readOrders permission but not writeOrders permission, and therefore does not set the attributes required for writeOrders.

Such an access token obtained as a result of OIDC should have readOrders but not writeOrders scope. But in reality, my token always shows both readOrders AND writeOrders scopes, even if the attribute release for writeOrders scope is null (and thus not released).

Did I misunderstand scope/claim/attributes in some way?

Thanks,
Yan

cas.authn.oidc.discovery.scopes=openid,email,profile,readOrders,writeOrders
cas.authn.oidc.core.userDefinedScopes.readOrders=readOrders
cas.authn.oidc.core.userDefinedScopes.writeOrders=writeOrders

cas.authn.oidc.discovery.claims=sub,name,preferred_username,family_name, \
    given_name,middle_name,profile, \
    picture,nickname,website,zoneinfo,locale,updated_at,birthdate, \
    email,email_verified,phone_number,phone_number_verified,address, \
    readOrders,writeOrders

cas.authn.oidc.core.claimsMap.readOrders=readOrders
cas.authn.oidc.core.claimsMap.writeOrders=writeOrders

And the authHandler sets attributes:

import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class MyAuthenticationHandler extends AbstractUsernamePasswordAuthenticationHandler {

    // Constructor, user lookup and password verification were omitted in the original post.
    @Override
    protected AuthenticationHandlerExecutionResult authenticateUsernamePasswordInternal(
            final UsernamePasswordCredential credential, final String originalPassword)
            throws GeneralSecurityException, PreventedException {
        final Map<String, List<Object>> attributes = new HashMap<>();
        // Release the attribute backing a scope only when the user actually holds that permission
        if (doesNotHaveWritePermission(...)) {
            attributes.put("readOrders", List.of("true"));
        } else {
            attributes.put("readOrders", List.of("true"));
            attributes.put("writeOrders", List.of("true"));
        }
        final Principal principal = this.principalFactory.createPrincipal(user.getLoginName(), attributes);
        return createHandlerResult(credential, principal);
    }
}

== END ==
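An added example (not from the original post or from CAS) showing the resource-server check the distinction above implies: treat a scope as effective only when the claim that backs it was actually released, and flag scopes that were granted without a backing claim. The introspection and userinfo responses are constructed sample data, and the scope-to-claim map assumes the claimsMap from the post.

```python
from typing import Dict, Set, Tuple

# Mirrors cas.authn.oidc.core.claimsMap.<scope>=<claim> from the post (assumption)
SCOPE_TO_CLAIM: Dict[str, str] = {"readOrders": "readOrders", "writeOrders": "writeOrders"}


def _claim_is_true(value) -> bool:
    """CAS releases attributes as lists; accept a list or a scalar and require 'true'."""
    if isinstance(value, list):
        value = value[0] if value else None
    return value is not None and str(value).lower() == "true"


def authorize(introspection: Dict, claims: Dict) -> Tuple[Set[str], Set[str]]:
    """Return (effective, unbacked): scopes granted AND backed by a released claim,
    and scopes granted WITHOUT a backing claim (the mismatch described in the post)."""
    if not introspection.get("active", False):
        return set(), set()
    granted = set(introspection.get("scope", "").split())
    effective: Set[str] = set()
    unbacked: Set[str] = set()
    for scope, claim in SCOPE_TO_CLAIM.items():
        if scope not in granted:
            continue
        if _claim_is_true(claims.get(claim)):
            effective.add(scope)
        else:
            unbacked.add(scope)
    return effective, unbacked


# Constructed sample data: introspection lists both scopes, but only the
# readOrders attribute was released by the authentication handler.
SAMPLE_INTROSPECTION = {"active": True, "sub": "yan", "scope": "openid readOrders writeOrders"}
SAMPLE_CLAIMS = {"sub": "yan", "readOrders": ["true"]}


def demo() -> Tuple[Set[str], Set[str]]:
    return authorize(SAMPLE_INTROSPECTION, SAMPLE_CLAIMS)


if __name__ == "__main__":
    effective, unbacked = demo()
    print("effective permissions:", sorted(effective))
    print("granted scopes with no backing claim:", sorted(unbacked))
```

With the sample data the resource server grants only readOrders and logs writeOrders as a scope with no supporting claim, which is the signal to audit rather than an authorization.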