attributes released vs id_token


livio dezorzi

May 27, 2026, 9:43:58 AM
to CAS Community
Hello,
I'm having a problem with CAS v7.3.6 and a Service Provider using Keycloak and OpenID Connect. I need to publish the attributes in `id_token`. In my JSON service, I declared `supportedResponseTypes` with `code` and `id_token`. But when I log into the application, after decoding the `id_token`, I can't find the attributes like firstname, lastname, email...
However, with a php/apache2 test application and libapache2-mod-auth-openidc which retrieves the attributes in the header, I have all my attributes published.
The JSON services are identical except for the client ID and secret. Where did I go wrong?
Just so you know, my .well-known/openid-configuration file clearly specifies the supported response types: code, id_token, id_token token, and device_code
Thanks for your leads

livio dezorzi

May 27, 2026, 11:11:04 AM
to CAS Community
I found a lead. I used the blog post https://fawnoos.com/2022/08/18/cas66-openid-connect-scopes/ to customize my OpenLDAP attributes as follows in the cas.properties file:

cas.authn.oidc.core.claims-map.email=mailRoutingAddress
cas.authn.oidc.core.claims-map.MemberOf=crnpdcattgroupe
cas.authn.oidc.core.claims-map.firstname=givenName
cas.authn.oidc.core.claims-map.lastname=sn
cas.authn.oidc.core.claims-map.displayname=displayName
cas.authn.oidc.core.claims-map.compteactif=crnpdcattcompteactif
cas.authn.oidc.core.claims-map.fonction=crnpdcattfonctionlibelle
cas.authn.oidc.core.claims-map.secteur=crnpdcattsecteurlibelle
cas.authn.oidc.core.claims-map.service=crnpdcattservicelibelle
as.authn.oidc.core.claims-map.departement=crnpdcattdepartementlibelle
cas.authn.oidc.core.claims-map.direction=crnpdcattdirectionlibelle
cas.authn.oidc.core.claims-map.contrat=employeeType
cas.authn.oidc.core.user-defined-scopes.organisation=fonction,service,departement,direction
cas.authn.oidc.core.user-defined-scopes.openid=sub
cas.authn.oidc.core.user-defined-scopes.profile=uid,firstname,lastname,displayname,compteactif,contrat
cas.authn.oidc.core.user-defined-scopes.MemberOf=MemberOf
cas.authn.oidc.core.user-defined-scopes.ismemberof=MemberOf
cas.authn.oidc.core.user-defined-scopes.memberofargos=MemberOf
cas.authn.oidc.core.user-defined-scopes.memberofedgar=MemberOf
cas.authn.oidc.core.user-defined-scopes.memberofsigport=MemberOf
cas.authn.oidc.discovery.claims=sub,uid,email,firstname,lastname,displayname,compteactif,fonction,secteur,service,departement,direction,contrat,MemberOf,ismemberof,memberofargos,memberofedgar,memberofsigport
cas.authn.oidc.discovery.scopes=sub,openid,profile,email,organisation,MemberOf,memberofargos,memberofedgar,memberofsigport,ismemberof

and my JSON service:

{
    "@class": "org.apereo.cas.services.OidcRegisteredService",
    "serviceId": "https://....../iam/realms/SP/broker/oidc-hdf/endpoint",
    "name": "SP-v09",
    "id": 329738878,
    "description": "OpenID Connect service SP-v09",
    "attributeReleasePolicy": {
        "@class": "org.apereo.cas.services.ChainingAttributeReleasePolicy",
        "policies": [
            "java.util.ArrayList",
            [
                {
                    "@class": "org.apereo.cas.oidc.claims.OidcProfileScopeAttributeReleasePolicy"
                },
                {
                    "@class": "org.apereo.cas.oidc.claims.OidcEmailScopeAttributeReleasePolicy"
                }
            ]
        ],
        "mergingPolicy": "REPLACE",
        "principalAttributesRepository": {
            "@class": "org.apereo.cas.authentication.principal.ChainingPrincipalAttributesRepository"
        },
        "consentPolicy": {
            "@class": "org.apereo.cas.services.consent.ChainingRegisteredServiceConsentPolicy"
        },
        "authorizedToReleaseAuthenticationAttributes": true
    },
    "clientSecret": "xxxxxxxxxxx",
    "clientId": "xxxxxxxxxxxxxxxxx",
    "bypassApprovalPrompt": true,
    "jwtAccessToken": true,
    "supportedGrantTypes": [
        "java.util.HashSet",
        [
            "refresh_token",
            "client_credentials",
            "authorization_code"
        ]
    ],
    "supportedResponseTypes": [
        "java.util.HashSet",
        [
            "code",
            "id_token"
        ]
    ],
    "scopes": [
        "java.util.HashSet",
        [
            "openid",
            "profile",
            "email"
        ]
    ]
}

It seems the attributes are being lost, because if I don't customize the OpenLDAP attributes, I find them correctly in the id_token.

    "attributeReleasePolicy": {
        "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
        "allowedAttributes": [
            "java.util.ArrayList",
            [
                "uid",
                "givenName",
                "mailRoutingAddress",
                "sn",
                "crnpdcattgroupe"
            ]
        ]
    },

How do I use the attributes' friendly names, as configured in the cas.properties file, in the JSON service?

Thanks

Ray Bon

May 27, 2026, 1:54:32 PM
to cas-...@apereo.org
Livio,

I would suggest not overriding predefined scopes (openid, profile, email). If you map your ldap attribute names to the oidc standards, they will be picked up by those scopes.
For example:
cas.authn.oidc.core.claims-map.family_name=sn
See [1] for spec.
If you need to have lastname as a claim, make a user defined scope with those claims:
cas.authn.oidc.core.user-defined-scopes.names=lastname,firstname,displayname
To get other claims in the payload, like names or MemberOf, include that scope in the 'scopes' HashSet of your service definition.

Ray


livio dezorzi

May 28, 2026, 8:48:03 AM
to CAS Community, Ray Bon
Hi Ray,

Thanks for your suggestion.
I'm no longer overriding the openid, profile, and email scopes.
I've customized a scope named "names" with the attributes lastname, firstname, and displayname previously mapped in cas.properties file to sn, givenName, and displayName as you mentioned.
I configured the "openid" and "names" scopes in the service JSON, but no attributes appear in the id_token.
If I use the class "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy" in my JSON, mapping the attributes "sn", "lastname", etc.... and only the "openid" scope, I find the correctly renamed attributes in the id_token.
It's a mystery.

Livio

livio dezorzi

11:34 AM (10 hours ago)
to CAS Community, Ray Bon

Hi Ray,

Is there a maximum length constraint for attributes? I'm trying to display all the values of the mapped attributes, and only the `crnpdcattdepartementlibelle` attribute isn't displaying.
cas.authn.oidc.core.claims-map.compteactif=crnpdcattcompteactif
cas.authn.oidc.core.claims-map.fonction=crnpdcattfonctionlibelle
cas.authn.oidc.core.claims-map.secteur=crnpdcattsecteurlibelle
cas.authn.oidc.core.claims-map.service=crnpdcattservicelibelle
as.authn.oidc.core.claims-map.departement=crnpdcattdepartementlibelle
cas.authn.oidc.core.claims-map.direction=crnpdcattdirectionlibelle

I have repeatedly checked my cas.properties configuration and my json service, which are error-free.

This is the only lead I've found, but is it the right one?

The length of the attribute `crnpdcattdepartementlibelle` is 28 characters and the length of `crnpdcattdirectionlibelle` is 26 characters.
The first one is not displayed, but the second one is. I don't understand anything.

Thank you for your ideas.
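Ray's advice (map LDAP attribute names onto the standard OIDC claims, put anything non-standard into a user-defined scope, and list that scope in the service's `scopes` set) and the last post's question about the `departement` claim both come down to whether the `cas.properties` keys and the service JSON agree with each other. The following is an added example, not code from the thread or from CAS itself: a small static checker that parses a `cas.properties` fragment and an `OidcRegisteredService` JSON, reports which claims each requested scope would release, and flags the slips that come up in this thread. The sample properties and service JSON are constructed; the `departement` line deliberately reproduces what is visible in the posted configuration, where that key begins with `as.authn` instead of `cas.authn`. The checker assumes that an unmapped claim name is resolved from a principal attribute of the same name, so it only reports such claims as findings rather than errors.

```python
import json

# OpenID Connect Core 1.0, section 5.4: standard scopes and the claims they request.
STANDARD_SCOPES = {
    "openid": {"sub"},
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}
STANDARD_CLAIMS = set().union(*STANDARD_SCOPES.values())

CLAIMS_MAP_PREFIX = "cas.authn.oidc.core.claims-map."
USER_SCOPES_PREFIX = "cas.authn.oidc.core.user-defined-scopes."

# Constructed cas.properties fragment (not the thread's full configuration).
# The 'departement' line reproduces the slip seen in the thread: the key
# starts with 'as.' instead of 'cas.', so CAS never binds it.
PROPERTIES = """
cas.authn.oidc.core.claims-map.family_name=sn
cas.authn.oidc.core.claims-map.given_name=givenName
cas.authn.oidc.core.claims-map.email=mailRoutingAddress
as.authn.oidc.core.claims-map.departement=crnpdcattdepartementlibelle
cas.authn.oidc.core.claims-map.direction=crnpdcattdirectionlibelle
cas.authn.oidc.core.user-defined-scopes.organisation=departement,direction
"""

# Constructed, minimal OidcRegisteredService; only the 'scopes' set matters here.
SERVICE_JSON = """{
  "@class": "org.apereo.cas.services.OidcRegisteredService",
  "serviceId": "https://sp.example.test/broker/oidc/endpoint",
  "name": "example-sp",
  "id": 1,
  "scopes": ["java.util.HashSet", ["openid", "profile", "organisation"]]
}"""


def parse_properties(text):
    """Parse 'key=value' lines; blank lines and '#' comments are ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_config(props, service):
    """Return (scope -> claims it would release, list of findings)."""
    findings, claims_map, user_scopes = [], {}, {}
    for key, value in props.items():
        if not key.startswith("cas."):
            # A key outside the 'cas.' namespace is not bound to CAS settings,
            # so the mapping on that line silently does nothing.
            findings.append(f"malformed key prefix: {key}")
            continue
        if key.startswith(CLAIMS_MAP_PREFIX):
            claims_map[key[len(CLAIMS_MAP_PREFIX):]] = value
        elif key.startswith(USER_SCOPES_PREFIX):
            name = key[len(USER_SCOPES_PREFIX):]
            user_scopes[name] = {c.strip() for c in value.split(",") if c.strip()}

    for name, claims in user_scopes.items():
        if name in STANDARD_SCOPES:
            findings.append(f"user-defined scope '{name}' overrides a standard scope")
        for claim in sorted(claims):
            if claim not in claims_map and claim not in STANDARD_CLAIMS:
                # Assumption: an unmapped claim is looked up as a principal
                # attribute of the same name, so it only works if one exists.
                findings.append(f"scope '{name}': claim '{claim}' has no claims-map entry")

    released = {}
    for scope in service["scopes"][1]:
        if scope in user_scopes:
            released[scope] = set(user_scopes[scope])
        elif scope in STANDARD_SCOPES:
            released[scope] = set(STANDARD_SCOPES[scope])
        else:
            findings.append(f"service requests scope '{scope}' that is defined nowhere")
            released[scope] = set()
    return released, findings


def run_example():
    """Run the checker over the constructed sample input."""
    return check_config(parse_properties(PROPERTIES), json.loads(SERVICE_JSON))


if __name__ == "__main__":
    released, findings = run_example()
    for scope, claims in released.items():
        print(f"{scope}: {', '.join(sorted(claims)) or '(nothing)'}")
    for finding in findings:
        print("finding:", finding)
```

Run against the sample, the checker reports the `as.authn` key as a malformed prefix and, as a consequence, that the `organisation` scope's `departement` claim has no `claims-map` entry, while `direction` on the very next line is mapped normally. That is the same asymmetry the last post describes between the two attributes, and it has nothing to do with attribute length.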