CAS 5.2 - OIDC and attribute release
qla3fa
Hi,
I try to configure OIDC with CAS 5.2. I added module "cas-server-support-oidc" and the config with lines :
# Configuration OIDC
cas.authn.oidc.issuer=https://my-url.com/cas/oidc
cas.authn.oidc.skew=5
cas.authn.oidc.jwksFile=file:/etc/cas/keystore.jwks
cas.authn.oidc.jwksCacheInMinutes=60
cas.authn.oidc.dynamicClientRegistrationMode=PROTECTED
cas.authn.oidc.subjectTypes=public,pairwise
cas.authn.oidc.scopes=openid, profile, email
cas.authn.oidc.claims=sub,name,preferred_username,family_name,given_name,middle_name,given_name,profile,picture,nickname,website,zoneinfo,locale,updated_at,birthdate,email,email_verified,phone_number,phone_number_verified,address
cas.authn.oidc.claimsMap.given_name=givenName
cas.authn.oidc.claimsMap.name=sn
cas.authn.oidc.claimsMap.email=mail
For my App, I configure service :
{
"@class" : "org.apereo.cas.services.OidcRegisteredService",
"clientId": "applicationQLA-testPHP",
"clientSecret": "xxxxxxxxx",
"serviceId" : "^http://localhost:8080/.*",
"bypassApprovalPrompt": true,
"supportedResponseTypes" : [ "java.util.HashSet", [ "code",
"token" ] ],
"name" : "applicationQLAtestPHP",
"scopes" : [ "java.util.HashSet",
[ "openid", "email", "profile" ]
],
"id" : 7,
"evaluationOrder" : 7,
}
Oidc authentication works good but in my application the only attributes I can get are :
sub, auth_time, jti, iss, aud, exp, iat, nbf, amr, state, nonce, at_hash, preferred_username
But I can't get the attributes of email or profile scope...
In logs file I don't have error messages.
What is wrong with my config ?
Thanks for help. Best regards, QLA
Jérôme Steve
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/838f0180-1c48-a196-2672-0981d6d971fb%40gmail.com.
qla3fa
Thanks for your response.
sn and mail are attributes I extract from my LDAP. I use it with CAS services and it works... I configured Oauth2.0 module too and I use and map these attributes with success... So I think it's ok with these attributes. It's only with OIDC services it doesn't work...
Best regards.
QLA.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAD6KnbwcvSbwj20pdAq46X7j1EGbAoOp7GH1fO1GcZuU_SqDbQ%40mail.gmail.com.
Jérôme Steve
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/ba709981-8ac5-fd63-f3b5-c31ea85ce277%40gmail.com.
qla3fa
I use apache module mod_auth_openidc to my test. My apache conf is :
OIDCProviderMetadataURL
https://my-url.com/cas/oidc/.well-known/openid-configuration
OIDCClientID applicationQLA-testPHP
OIDCClientSecret xxxxxxxxx
#OIDCMetadataDir /var/cache/apache2/mod_auth_openidc/metadata
OIDCScope "openid email profile"
OIDCResponseType "code"
OIDCRemoteUserClaim email
OIDCRedirectURI http://localhost:8080/callback
OIDCCryptoPassphrase xxxxxxxxxxx
If I configure OIDCRemoteUserClaim with 'sub' remote_user variable content is ok. But with email value, apache log an error :
[Tue Jun 09 15:10:13.444122 2020]
[auth_openidc:warn] [pid 11491] [client 10.0.2.2:63823]
oidc_get_remote_user: JSON object did not contain a "email"
string
[Tue Jun 09 15:10:13.444422 2020] [auth_openidc:error] [pid
11491] [client 10.0.2.2:63823] oidc_set_request_user:
OIDCRemoteUserClaimis set to "email", but could not set the
remote user based on the requested claim "email" and the
available claims for the user
[Tue Jun 09 15:10:13.444767 2020] [auth_openidc:error] [pid
11491] [client 10.0.2.2:63823]
oidc_handle_authorization_response: remote user could not be set
Best regards,
QLA.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAD6Knbx_VeFBbRYUwrNG8B7gBUEDo3ShYdxdAW13EC-QoNuiLA%40mail.gmail.com.