CASE 7.3.2: How to filter attributes in an OAuth service?


jean-baptiste CASsys

Feb 18, 2026, 10:12:53 AM
to cas-...@apereo.org
Hello,

I am working on updating our CAS from version 5.3 to version 7.3.2.

CAS V2, CAS V3 and OIDC authentication are working fine, and we are able to choose the attributes to return to the client based on the different services.

However, I am unable to define the attributes to be returned with the OAuth connection method. Each time, I retrieve all the fields defined by "ldap.principal-attribute-list".

In the OAuth service, I am using the class:
"@class" : "org.apereo.cas.support.oauth.services.OAuthRegisteredService",


However, it appears that the following classes are not being used:

  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.DenyAllAttributeReleasePolicy"
  }

  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy",
    "excludedAttributes" : [ "java.util.LinkedHashSet", [ "cn" ] ]
  }

  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnStaticAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.LinkedHashMap",
      "permissions" : [ "java.util.ArrayList", [ "read", "write", "admin" ] ]
    }
  }

  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "cn", "mail", "sn" ] ]
  }

  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "eduPersonAffiliation" : "affiliation",
      "groupMembership" : "group"
    }
  }

  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnLinkedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "component" : [ "java.util.ArrayList", [ "cn", "givenName", "unknown", "firstName" ] ]
    }
  }

  "attributeReleasePolicy" : { "@class" : "org.apereo.cas.services.DenyAllAttributeReleasePolicy" }

The only thing I managed to get working in "attributeReleasePolicy" is the class related to adding attributes via Groovy:

  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "uid" : "groovy { return attributes['uid'].get(0) + ' is great' }"
    }
  }

For collecting attributes during LDAP connection, I use the following settings:
cas:
  authn:
    policy:
      required-attributes:
        enabled: false
    authentication-attribute-release:
      enabled: false
      only-release: sn,uid,givenName
    attribute-repository:
      core:
        default-attributes-to-release: sn,uid,givenName
    ldap:
      - type: AUTHENTICATED
        ldap-url: ${LDAP_HOST}
        base-dn: "ou=people,dc=univ-cas,dc=fr"
        search-filter: "(uid={user})"
        bind-dn: ${LDAP_USER}
        bind-credential: ${LDAP_PASSWORD}
        dn-format: "uid={user},ou=people,dc=univ-cas,dc=fr"
        principal-attribute-id: uid
        principal-attribute-list:
          - memberOf
          - mail
          - mailQuota
          - sn
          - cn
          - givenName
          - displayName
          - uid
          - mailAlternateAddress
          - personAffiliation
          - pwdChangedTime
          - synchroEdt
          - supannRefId
          - supannEntiteAffectation
          - title
          - supannRoleEntite
          - posteOccupe
    oauth:
      core:
        bypass-approval-prompt: true
    oidc:
      core:
        issuer: "https://server-cas/cas/oidc"
        claims-map:
          uid: uid
          family_name: sn
          given_name: givenName
          name: cn
          preferred_username: displayName
          email: mail
          groups: memberOf
        user-defined-scopes:
          groups: groups
      id-token:
        include-id-token-claims: false
      discovery:
        scopes: openid, profile, email, groups
        claims:
          - sub
          - given_name
          - family_name
          - name
          - email
          - groups

In addition, we have activated the following dependencies:
dependencies {
    implementation enforcedPlatform("org.apereo.cas:cas-server-support-bom:${project.'cas.version'}")
    implementation platform(org.springframework.boot.gradle.plugin.SpringBootPlugin.BOM_COORDINATES)
    implementation "org.apereo.cas:cas-server-core-api-configuration-model"
    implementation "org.apereo.cas:cas-server-webapp-init"
    if (appServer == '-tomcat') {
        implementation "org.apereo.cas:cas-server-webapp-init-tomcat"
    }
    developmentOnly "org.springframework.boot:spring-boot-devtools:${project.springBootVersion}"
    implementation "org.apereo.cas:cas-server-support-rest"
    implementation platform("org.apereo.cas:cas-server-support-bom:${project.version}")
    implementation "org.apereo.cas:cas-server-core:${project.version}"
    implementation "org.apereo.cas:cas-server-support-ldap"
    implementation "org.apereo.cas:cas-server-support-ldap-core"
    implementation "org.apereo.cas:cas-server-webapp"
    implementation "org.apereo.cas:cas-server-support-oauth:${project.version}"
    implementation "org.apereo.cas:cas-server-support-oauth-webflow:${project.version}"     /* DIA */
    implementation "org.apereo.cas:cas-server-support-oidc:${project.version}"
    implementation "org.apereo.cas:cas-server-core-authentication-attributes:${project.version}"
    implementation "org.apereo.cas:cas-server-core-services:${project.version}"
    implementation "org.apereo.cas:cas-server-support-git-service-registry:${project.version}"
    implementation "org.apereo.cas:cas-server-support-oidc-core:${project.version}"
    implementation "org.apereo.cas:cas-server-support-generic"
    implementation "org.apereo.cas:cas-server-core-scripting"
    testImplementation "org.springframework.boot:spring-boot-starter-test"
}
How can I filter attributes in an OAuth service?

Thank you in advance.

Petr Bodnár

Mar 21, 2026, 12:27:51 PM
to CAS Community, jean-baptiste CASsys
Hello Jean,

According to our own findings with CAS 7.0.x and according to a previous thread called "Atribute release policy on Oauth services (cas 7.1.x)", CAS indeed doesn't seem to support controlling released attributes for OAuthRegisteredService. I don't remember finding any note about this limitation in the CAS documentation. From what I've casually seen in the CAS code, this is possibly by design, as all the attribute-release and filtering logic seems to be implemented just "one level up", i.e. for OidcRegisteredService. It is interesting that you write that you managed to make it somehow work with the ReturnMappedAttributeReleasePolicy, though.

That said, you can try to use OidcRegisteredService from the OpenID Connect Authentication module instead, even if you don't plan to use all the OIDC features such as scopes, etc. Note that you can still use CAS's OAuth endpoints (/oauth2.0 instead of /oidc) for such a registered service if needed; all should be "backwards compatible".

Best regards
Petr
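To make Petr's suggestion concrete, here is a service definition of the kind he describes, written as an added example for this thread rather than taken from either post or from the CAS project. It registers the client as an OidcRegisteredService (so that CAS's attribute-release handling applies) while keeping only the scopes and attributes the client actually needs, instead of leaving every LDAP attribute from principal-attribute-list exposed. The clientId, clientSecret, serviceId pattern, name and id are constructed placeholders; the allowed attributes reuse names from the question's LDAP configuration. How a service-level attributeReleasePolicy combines with scope-based claim release in CAS 7.3 should be confirmed against the documentation for that release, so treat that part as an assumption.

```json
{
  "@class" : "org.apereo.cas.services.OidcRegisteredService",
  "clientId" : "example-client",
  "clientSecret" : "CHANGE-ME-placeholder-client-secret",
  "serviceId" : "^https://app\\.example\\.org/oauth/callback",
  "name" : "Example OAuth client (registered as OIDC service)",
  "id" : 1001,
  "bypassApprovalPrompt" : true,
  "supportedGrantTypes" : [ "java.util.HashSet", [ "authorization_code" ] ],
  "supportedResponseTypes" : [ "java.util.HashSet", [ "code" ] ],
  "scopes" : [ "java.util.HashSet", [ "openid", "profile", "email" ] ],
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "uid", "sn", "givenName", "mail" ] ]
  }
}
```

Two points worth checking after deploying such a definition: the `scopes` set is the first gate (claims for `profile` and `email` come from the `claims-map` shown in the question, so attributes such as `memberOf` or `pwdChangedTime` are not released unless a scope maps them), and the released set can be confirmed by inspecting the attributes returned by the `/oauth2.0/profile` endpoint for an access token issued to this client, which is also the quickest way to notice that a policy placed on an OAuthRegisteredService is being ignored.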