OIDC JWT access token attributes missing after migration to v. 6.6.15.2


Udo Einspanier

Jul 29, 2024, 8:33:40 PM
to CAS Community
Hi everyone,

we are using CAS as OIDC server and return the accessToken as JWT in the authentication response. We just tried to upgrade from 6.6.2 to 6.6.15.2.
But now all the CAS authentication-related attributes that were previously part of the JWT access token are missing, and only the attributes returned during attribute resolution are still there. E.g. these attributes are now missing:

{
  "surrogateUser": "yyy",
  "longTermAuthenticationRequestTokenUsed": false,
  "surrogateEnabled": "true",
  "isFromNewLogin": true,
  "authenticationDate": "2024-07-29T12:44:57.359913Z",
  "surrogatePrincipal": "xxx",
  "successfulAuthenticationHandlers": "QueryDatabaseAuthenticationHandler",
  "credentialType": "SurrogateUsernamePasswordCredential",
  "authenticationMethod": "QueryDatabaseAuthenticationHandler",
  ...
}

From these, we require the surrogate* attributes.
Is it the intended behavior that these attributes are missing now? Is there any configuration setting to get them back into the JWT access token?

Thanks,
Udo

Jorge Bastida Cano

Jul 30, 2024, 3:18:47 AM
to CAS Community, Udo Einspanier
Same problem here. This does not happen to us with version 6.6.15.1.
Any solution for 6.6.15.2?

Jorge Bastida Cano

Sep 4, 2024, 6:41:42 AM
to CAS Community, Jorge Bastida Cano, Udo Einspanier
Hello, I'm still stuck on this. Any ideas?

Udo Einspanier

Sep 4, 2024, 8:42:36 AM
to CAS Community, Jorge Bastida Cano, Udo Einspanier
Same problem here. Unfortunately, I have not found a solution yet. Maybe you could create your own Groovy attribute resolver and release these as other attributes. But I have not tried any workarounds yet. Still hoping for an easier solution.

Udo Einspanier

May 28, 2025, 3:31:26 AM
to CAS Community, Udo Einspanier, Jorge Bastida Cano
Hi,

just wanted to check if anyone has updates on this issue. Has it been addressed in newer versions? Or is it no longer possible to get the surrogate authentication attributes into the JWT via configuration?

Best regards,
Udo

Stef

May 28, 2025, 3:57:34 AM
to cas-...@apereo.org, Udo Einspanier, Jorge Bastida Cano
Does your app request the openid scope?

Your problem looks related to this fix
https://apereo.github.io/2024/06/26/oidc-vuln/

--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/c668dd93-9e94-4ecf-8533-ef188ffdd7c8n%40apereo.org.

Udo Einspanier

May 28, 2025, 9:21:03 AM
to CAS Community, Stef, Udo Einspanier, Jorge Bastida Cano
Hi Stef,

thanks a lot for the reference. Yes, the app requests openid scope, so indeed it could be related. Do you know if there is some documentation how to release the surrogate attributes in the JWT again? Otherwise, I will check the code changes.

Best regards,
Udo

Stef

May 28, 2025, 12:01:59 PM
to cas-...@apereo.org, Udo Einspanier, Jorge Bastida Cano
Have you tried to explicitly release these attributes in your service definition?

Jonathon Taylor

May 29, 2025, 11:41:40 PM
to cas-...@apereo.org, Udo Einspanier, Jorge Bastida Cano
I believe this was a security-related change with the latest 6.6. For the 'non-standard' attributes that aren't already part of the OIDC spec you will need to do something like the example below. You can add that in addition to the scope releases.

"attributeReleasePolicy": {
  "@class": "org.apereo.cas.oidc.claims.OidcScopeFreeAttributeReleasePolicy",
  "allowedAttributes": [ "java.util.ArrayList", [ "surrogateUser", "surrogatePrincipal", "surrogateEnabled" ] ]
},
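For readers who want to see where that fragment sits in a whole service definition, here is a complete CAS OIDC registered service that combines the scope-based policies (which supply the standard claims for the openid/profile/email scopes the client requests) with the scope-free policy from the reply above. This is an added example, not Jonathon's code and not a definition shipped by the CAS project; the client id, client secret, service id regex, name and numeric id are placeholders, and the three surrogate claim names are the ones named in this thread. The chaining policy is what lets you keep the scope releases and add the non-standard claims "in addition", as the reply says.

```json
{
  "@class": "org.apereo.cas.services.OidcRegisteredService",
  "clientId": "example-client",
  "clientSecret": "example-secret",
  "serviceId": "^https://app\\.example\\.org/.*",
  "name": "Example OIDC relying party (placeholder)",
  "id": 1001,
  "jwtAccessToken": true,
  "scopes": [ "java.util.HashSet", [ "openid", "profile", "email" ] ],
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ChainingAttributeReleasePolicy",
    "policies": [ "java.util.ArrayList", [
      {
        "@class": "org.apereo.cas.oidc.claims.OidcProfileScopeAttributeReleasePolicy"
      },
      {
        "@class": "org.apereo.cas.oidc.claims.OidcEmailScopeAttributeReleasePolicy"
      },
      {
        "@class": "org.apereo.cas.oidc.claims.OidcScopeFreeAttributeReleasePolicy",
        "allowedAttributes": [ "java.util.ArrayList", [
          "surrogateUser",
          "surrogatePrincipal",
          "surrogateEnabled"
        ] ]
      }
    ] ]
  }
}
```

Two practical notes. First, list in the scope-free policy only the attributes the relying party actually needs: the whole point of the change referenced earlier in the thread is that a client requesting the openid scope no longer receives every attribute the server happens to hold, so re-opening the release should be deliberate and minimal (the surrogate claims identify who is impersonating whom, which is exactly the kind of data you do not want to leak to unrelated clients). Second, verify the result rather than assuming it: obtain an access token for this service, base64url-decode the JWT payload, and confirm that the three surrogate claims appear alongside the scope-based ones and that nothing else from the authentication context has come back with them.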

Udo Einspanier

May 30, 2025, 1:52:35 AM
to CAS Community, Jonathon Taylor, Udo Einspanier, Jorge Bastida Cano
Thanks a lot for the feedback! I will try it out asap.