[cas-user] CAS 6.2.1 OpenID Connect OP attribute release issues


Nikolas Stylianides

Aug 19, 2020, 11:36:05 AM
to cas-...@apereo.org
Hi there.
I have managed to set up the OpenID Connect protocol.
The issue I am facing is in the last steps, where the attributes should be released to the service but they are not.
I am getting the following in the CAS logs: WARN [org.apereo.cas.authentication.attribute.PrincipalAttributeRepositoryFetcher] - <No person records were fetched from attribute repositories for ... >

Any advice? 

My service has been defined as follows: 
Service is Moodle

{
  "@class" : "org.apereo.cas.services.OidcRegisteredService",
  "serviceId" : "https://myservice.domain/admin/oauth2callback.php",
  "name" : "oidc",
  "id" : 102,
  "clientId": "...",
  "clientSecret": "...",
  "scopes": [ "java.util.HashSet",
    [ "openid", "profile", "email", "address", "phone", "offline_access", "displayName" ]
  ],
  "supportedGrantTypes":[ "java.util.HashSet",
    ["AUTHORIZATION_CODE","CLIENT_CREDENTIALS","PASSWORD","REFRESH_TOKEN"]
  ],
  "supportedResponseTypes":[ "java.util.HashSet", [ "code" ] ],
  "theme": "apereo",
  "description" : "This service definition authorizes all application urls that support HTTPS and IMAPS protocols.",
  "evaluationOrder" : 10000,
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  },
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "ssoEnabled" : true
  }
}

Thank you in advance. 

--
Dr. Nikolas Stylianides
Electrical and Computer Engineer

Nikolas Stylianides, Dr.

Dr. Eng. in Electrical & Computer Engineering

Contacts
-------------
Mobile Tel.: +35796741315
Skype: nicostyl

Affiliation
---------------
LEAF NET LTD: Research & Development
Open University of Cyprus: Research Associate, APPLIED HEALTH INFORMATICS Master Programme Academic Board Member


To speak laconically is to philosophize / Nothing in excess - Chilon of Sparta:
Brevity is the soul of wit - Shakespeare William (Hamlet)




Nikolas Stylianides

Aug 20, 2020, 10:37:33 AM
to cas-...@apereo.org
Hi there.
Another strange behavior is the following.
I am setting my Moodle to OIDC and the procedure goes well. Once I "Allow" the claims it does not get any user info.

CAS Debugger reports: <No person records were fetched from attribute repositories for [{username=c44c3fc514202ac9a8cc5cf6437c1c21}]>

where the username is actually the client_id


Nikolas Stylianides

Aug 21, 2020, 3:39:21 AM
to CAS Community, Nikolas Stylianides
When I use the PASSWORD grant_type and then use the returned token to fetch user information from oidc/profile, this is what I get.

{
    "sub": "aUserName",
    "service": "client_id",
    "auth_time": 1597989795,
    "attributes": {},
    "id": " aUserName  ",
    "client_id": "client_id"
}

Any ideas why I have no claims in the returned JSON?
Maybe the same happens with the AUTHORIZATION_CODE grant_type?



Jérôme Steve

Aug 21, 2020, 5:36:02 AM
to cas-...@apereo.org
Hi,

In CAS, OIDC claim values come from attribute repositories.
So you have to define one to retrieve your attribute values.
And after that you can map them to the OIDC claims.

Jérôme


Nikolas Stylianides

Aug 21, 2020, 9:48:44 AM
to cas-...@apereo.org
Hi Jerome. Thank you for the response.
I am a little bit confused. What should I define?
When it comes to getting the user info, the CAS debugger reports:

I have been able to release attributes in the attribute claim

{
    "sub": "test",
    "service": "client_id",
    "auth_time": 1598017095,
    "attributes": {
        "email": "inf...@gmail.com",
        "profile": "test"
    },
    "id": "test",
    "client_id": "client_id"
}

by enabling: 

cas.authn.attribute-repository.ldap[0].attributes.cn=profile
cas.authn.attribute-repository.ldap[0].attributes.mail=email

But still I cannot release the CLAIMS for the requested scopes (email, profile)

Thank you in advance







Nikolas Stylianides

Aug 22, 2020, 4:34:50 AM
to CAS Community, Nikolas Stylianides
Anyone with an answer for this behavior?
I can now release attributes but only under the field "attributes".
Is there anything I am missing to be able to release claims in the format:
{
    "email": "inf...@gmail.com",
    "given_name": "test",
    "sub": "test",
    "service": "client_id",
    "auth_time": 1598017095,
    "id": "test",
    "client_id": "client_id"
}

Jérôme Steve

Aug 22, 2020, 5:49:37 AM
to cas-...@apereo.org

Nikolas Stylianides

Aug 22, 2020, 8:43:58 AM
to cas-...@apereo.org
Hi Jerome. Keep in mind that my CAS release is 6.2.1.

I have no attributes.username since I collect my attributes during the LDAP authentication.
I have also tried mapping claims to attributes with no luck.


In the documentation it says that if no mapping is provided then the attribute names must match the claim names. I do that also in my service definition file.
Still no luck.

All claims are included under the field "attributes"

Which is not the response I expect.

Has anyone solved this in 6.2.1?
Maybe it is a bug?

Nikolas Stylianides

Aug 22, 2020, 9:16:29 AM
to cas-...@apereo.org
I have gone further than this.
I declare a SCOPE of my own, with specific CLAIMS.
And these claims are mapped to attributes.

All claims appear in the field "attributes" and not at the top level.
Is this normal?




Jérôme Steve

Aug 22, 2020, 9:22:14 AM
to cas-...@apereo.org
OK, with LDAP maybe it is not username but uid ...

But after that you have to map your CAS attributes to your OIDC defined CLAIMS like this:



Jérôme Steve

Aug 22, 2020, 9:23:32 AM
to cas-...@apereo.org
Email and profile are not claims but scopes ...


Jérôme Steve

Aug 22, 2020, 9:35:00 AM
to cas-...@apereo.org
If you define a custom claim "attributes" it's normal, I think.

Show me your custom configuration to be sure.

Nikolas Stylianides

Aug 22, 2020, 11:34:16 AM
to cas-...@apereo.org
I will send you the configuration files.
I am not declaring any attribute claim.

email is both a scope and a claim.


Nikolas Stylianides

Aug 23, 2020, 1:39:14 AM
to cas-...@apereo.org
Hi Jerome. Please find below the configuration file and the service file.

Service File
=========


{
  "@class" : "org.apereo.cas.services.OidcRegisteredService",
  "serviceId" : ".......",
  "name" : "MYSERVICE",
  "id" : 105,
  "clientId": "...",
  "clientSecret": "...",
  "supportedGrantTypes":[ "java.util.HashSet",
    ["AUTHORIZATION_CODE","CLIENT_CREDENTIALS","PASSWORD","REFRESH_TOKEN"]
  ],
  "scopes": [ "java.util.HashSet",[ "openid","profile", "email","myownscope" ]],
  "supportedResponseTypes":[ "java.util.HashSet", [ "code","token","id_token","id_token token","code token" ] ],
  "theme": "apereo",
  "description" : "This service definition allows authorized applications that support HTTPS protocol.",
  "evaluationOrder" : 10,
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "givenName" : "givenName",
      "mail" : "mail",
      "cn" : "profile"
    }
  },
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "ssoEnabled" : true
  }
}

LDAP Configuration
================
cas.authn.ldap[0].principal-attribute-list=sn,cn,givenName,mail,c,l,telephoneNumber

OpenID Connect configuration (the settings that are related to claims)
====================
cas.authn.oidc.subject-types=public
cas.authn.oidc.scopes=myownscope,openid,profile,email,address,phone,offline_access
cas.authn.oidc.claims=mail,givenName,sub,name,preferred_username,family_name,given_name,middle_name,given_name,profile,picture,nickname,website,zoneinfo,locale,updated_at,birthdate,email,email_verified,phone_number,phone_number_verified
cas.authn.oidc.userDefinedScopes.myownscopes=mail,givenName

# Add more claims. They will appear in the "attributes" claim.
#
cas.authn.oidc.claimsMap.email=mail
#cas.authn.oidc.claimsMap.preferred_username=given_name
cas.authn.oidc.claimsMap.given_name=givenName





Jérôme Steve

Aug 24, 2020, 5:03:48 PM
to cas-...@apereo.org
Hi Nikolas,

So after looking at your configuration, no, it's not "normal". Claims should appear on the top level and not in an "attributes" claim.

First, try to remove your attributeReleasePolicy in your service.json.

Also I haven't tested 6.2, I'm still in 6.1. So maybe it's an improvement, but "attributes" is not a standard claim in OIDC ...



Nikolas Stylianides

Aug 25, 2020, 6:56:07 AM
to cas-...@apereo.org
Hi Jerome. 
Just tried that. See my service configuration below. 
The same outcome. 

{
  "@class" : "org.apereo.cas.services.OidcRegisteredService",
  "serviceId" : "...",
  "name" : "servicename",

  "id" : 105,
  "clientId": "...",
  "clientSecret": "...",
  "supportedGrantTypes":[ "java.util.HashSet",
    ["AUTHORIZATION_CODE","CLIENT_CREDENTIALS","PASSWORD","REFRESH_TOKEN"]
  ],
  "scopes": [ "java.util.HashSet",[ "openid","profile", "email" ]],
  "supportedResponseTypes":[ "java.util.HashSet", [ "code","token","id_token","id_token token","code token" ] ],
  "theme": "apereo",
  "description" : "This service definition allows authorized applications that support HTTPS protocol.",
  "evaluationOrder" : 10,

Nikolas Stylianides

Aug 26, 2020, 12:19:51 AM
to cas-...@apereo.org
Hi Jerome. 
Any ideas about this? 
Anyone else from the developer team? 
Is this a bug of 6.2.x or a feature?

Jérôme Steve

Aug 26, 2020, 3:39:20 AM
to cas-...@apereo.org
Hi Nikolas,

I have no idea, sorry. It works as expected in 6.1.

Jérôme.

Nikolas Stylianides

Aug 26, 2020, 5:48:57 AM
to cas-...@apereo.org
Hi Jerome.
I have deployed 6.1 and the behavior is the same.
Claims are nested in "attributes".
Can you please share your configuration with me?
Maybe I am missing something.

Jérôme Steve

Aug 26, 2020, 11:38:53 AM
to cas-...@apereo.org
Hi,

Yes, I checked it this afternoon, and effectively I have it too. Sorry for that, I never had to use it ...

Your problem is here:
cas.authn.oidc.userDefinedScopes.myownscopes=mail,givenName

cas.authn.oidc.userDefinedScopes.myownscopes=email,given_name
cas.authn.oidc.claimsMap.email=mail
cas.authn.oidc.claimsMap.given_name=givenName

In your userDefinedScopes.myownscopes you have to specify claims and not attributes directly.

Jérôme.

Nikolas Stylianides

Aug 27, 2020, 2:36:31 AM
to cas-...@apereo.org
Hi Jerome.
Tried that.
No change. It still includes the claims in the "attributes" field of the JSON information it sends back.


Check the 2 scenarios with the configurations I have tried.
It's really strange. I cannot actually understand how it resolves claims.
Can you please provide me, from your configuration files and the services you have, only the parts that concern SCOPES and CLAIMS?
Thank you in advance.

* [Scenario A](#scenario-a)
* [Scenario B](#scenario-b)

# Scenario A
## Settings
```
cas.authn.oidc.user-defined-scopes.myownscope=email,given_name,preferred_username
cas.authn.oidc.claimsMap.email=mail
cas.authn.oidc.claimsMap.given_name=givenName
```
## Outcome
```
{
"sub": "username",
"service": "c44c3fc514202ac9a8cc5cf6437c1c21",
"auth_time": 1598508832,
"attributes": {
"email": "a...@gmail.com",
"given_name": "TestMe"
},
"id": "username",
"client_id": "c44c3fc514202ac9a8cc5cf6437c1c21"
}
```
## Debug CAS
<Located claim [email] mapped to attribute [mail], yet resolved attributes [{email=[a...@gmail.com], given_name=[TestMe], oauthClientId=[c44c3fc514202ac9a8cc5cf6437c1c21]}] do not contain this attribute>
<Located claim [given_name] mapped to attribute [givenName], yet resolved attributes [{email=[a...@gmail.com], given_name=[TestMe], oauthClientId=[c44c3fc514202ac9a8cc5cf6437c1c21]}] do not contain this attribute>


# Scenario B

## Settings
```
cas.authn.oidc.user-defined-scopes.myownscope=mail,givenName
cas.authn.oidc.claimsMap.email=mail
cas.authn.oidc.claimsMap.given_name=givenName
```
## Outcome

```
{
"sub": "username",
"service": "c44c3fc514202ac9a8cc5cf6437c1c21",
"auth_time": 1598509383,
"attributes": {
"email": "a...@gmail.com",
"given_name": "TestMe",
"givenName": "TestMe",
"mail": "a...@gmail.com"
},
"id": "username",
"client_id": "c44c3fc514202ac9a8cc5cf6437c1c21"
}
```

## Debug CAS
no complaining for missing attributes

Jérôme Steve

Aug 27, 2020, 3:21:46 AM
to cas-...@apereo.org
Hi Nikolas,

For me, scenario A should put the claims in the attributes and on the top level.
My configuration:

# Supported scopes
cas.authn.oidc.scopes=openid,profile,email,address,phone,profile_test

# Supported claims
cas.authn.oidc.claims=sub,name,preferred_username,family_name, \
    given_name,middle_name,given_name,profile, \
    picture,nickname,website,zoneinfo,locale,updated_at,birthdate, \
    email,email_verified,phone_number,phone_number_verified,address, \
    claim_test

cas.authn.oidc.userDefinedScopes.profile_test=claim_test
cas.authn.oidc.claimsMap.claim_test=attr_test

That's it.

output:
{
    ...
    "claim_test": "test_value",
    ...
    "attributes": {
        "claim_test": "test_value"
    },
    ...
}

Jérôme.

Nikolas Stylianides

Aug 27, 2020, 3:36:19 AM
to cas-...@apereo.org
Thank you Jerome. I will try that.
What is your configuration in the Service file? 



Nikolas Stylianides

Aug 27, 2020, 3:59:20 AM
to cas-...@apereo.org
I have retested it.
Attributes appear only in "attributes" and not as claims.
Maybe this is a bug that must be reported to the development team to fix?
How do we report a bug? Is this also deployed in 6.3?

Nikolas Stylianides

Aug 27, 2020, 5:48:53 AM
to cas-...@apereo.org
I think it fails to create the claim on the first level and the debugger (org.apereo.cas.oidc.profile) reports:

<Located claim [username] mapped to attribute [cn], yet resolved attributes [{email=[a...@gmail.com], given_name=[TestMe], oauthClientId=[c44c3fc514202ac9a8cc5cf6437c1c21], username=[test]}] do not contain this attribute>

My output is: 
{
    "sub": "test",
    "service": "...",
    "auth_time": 1598521164,

    "attributes": {
        "email": "a...@gmail.com",
        "given_name": "TestMe",
        "username": "test"
    },
    "id": "test",
    "client_id": "..."
}



Nikolas Stylianides

Sep 16, 2020, 2:23:13 AM
to cas-...@apereo.org
Hi Jerome.
I see the same issue in the "CAS 5.2 - OIDC and attribute release" conversation.
Claims are not exported as they are supposed to be.
Is this a bug of the OIDC implementation?



 

Jérôme Steve

Sep 17, 2020, 7:44:52 AM
to cas-...@apereo.org
Hi Nikolas,

Sorry, I missed your email.
It's not a bug; it works for me in 6.1.x.

In your user-defined scope you use claim names already defined as default claims. Maybe that's the problem.

Try to remove your user-defined scope and map directly to default claims like this:

cas.authn.oidc.claimsMap.email=mail
cas.authn.oidc.claimsMap.given_name=givenName

Or rename your claims in your custom scopes like this:

cas.authn.oidc.user-defined-scopes.myownscope=my_email,my_given_name,my_preferred_username
cas.authn.oidc.claimsMap.my_email=mail
cas.authn.oidc.claimsMap.my_given_name=givenName
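
As an added example that is not part of this thread and not CAS's own code: a small Python model of the scope -> claim -> attribute lookup that both the Scenario A debug lines above and the renamed-claims suggestion here turn on. It assumes only what the thread shows (a user-defined scope lists claim names, claimsMap points a claim at an attribute, and a mapped claim whose attribute is absent logs the "Located claim [...] mapped to attribute [...], yet resolved attributes ... do not contain this attribute" warning). The STANDARD_SCOPES table is a subset of the OIDC Core scope-to-claims mapping, ATTRS_LDAP_NAMES is a constructed attribute set, and the nesting of claims under "attributes" seen in the thread is deliberately not modelled. Running the three cases shows why Scenario A warns: at claim-resolution time the attributes are already named email and given_name (exactly as the debug line prints them), so claimsMap entries pointing at mail and givenName find nothing. The same properties resolve cleanly when the attributes keep their LDAP names, as do the renamed claims.

```python
"""Toy model of CAS's scope -> claim -> attribute resolution for OIDC.

Added example for this thread; it is not CAS code.  It models only what the
thread's properties and debug lines show: userDefinedScopes name claims,
claimsMap points a claim at an attribute, and a mapped claim whose attribute
is missing from the resolved attributes produces the "Located claim [...]
mapped to attribute [...], yet resolved attributes ... do not contain this
attribute" warning.  The nesting of claims under "attributes" is not modelled.
"""

# Subset of the standard scope -> claims table from OIDC Core section 5.4
# (assumption: only the claims this thread touches are listed).
STANDARD_SCOPES = {
    "openid": ["sub"],
    "profile": ["name", "given_name", "family_name", "preferred_username"],
    "email": ["email", "email_verified"],
}

# Both spellings of the property appear in the thread.
SCOPE_PREFIXES = ("cas.authn.oidc.userDefinedScopes.",
                  "cas.authn.oidc.user-defined-scopes.")
CLAIMS_MAP_PREFIX = "cas.authn.oidc.claimsMap."

# Scenario A from the thread: custom scope reuses default claim names.
SCENARIO_A = """
cas.authn.oidc.user-defined-scopes.myownscope=email,given_name,preferred_username
cas.authn.oidc.claimsMap.email=mail
cas.authn.oidc.claimsMap.given_name=givenName
"""

# The renamed-claims variant suggested in the thread.
SCENARIO_RENAMED = """
cas.authn.oidc.user-defined-scopes.myownscope=my_email,my_given_name
cas.authn.oidc.claimsMap.my_email=mail
cas.authn.oidc.claimsMap.my_given_name=givenName
"""

# Attributes as printed in the Scenario A debug line: already renamed to
# claim names before claim resolution, so "mail" / "givenName" are gone.
ATTRS_RENAMED_BY_REPOSITORY = {
    "email": ["a...@gmail.com"], "given_name": ["TestMe"],
    "oauthClientId": ["c44c3fc514202ac9a8cc5cf6437c1c21"],
}
# Constructed: the same person with attributes kept under their LDAP names.
ATTRS_LDAP_NAMES = {"mail": ["a...@gmail.com"], "givenName": ["TestMe"]}


def parse_properties(text):
    """Parse 'key=value' lines; blank lines and '#' comments are ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def scope_claims(props):
    """Standard scopes plus every user-defined scope found in the properties."""
    scopes = {name: list(claims) for name, claims in STANDARD_SCOPES.items()}
    for key, value in props.items():
        for prefix in SCOPE_PREFIXES:
            if key.startswith(prefix):
                scopes[key[len(prefix):]] = [c.strip() for c in value.split(",") if c.strip()]
    return scopes


def claims_map(props):
    """claim name -> attribute name, taken from cas.authn.oidc.claimsMap.*"""
    return {key[len(CLAIMS_MAP_PREFIX):]: value
            for key, value in props.items() if key.startswith(CLAIMS_MAP_PREFIX)}


def resolve_claims(props, requested_scopes, resolved_attributes):
    """Return (claims, warnings): claims whose attribute exists, plus the
    warning text for every explicitly mapped claim whose attribute is absent."""
    scopes, cmap = scope_claims(props), claims_map(props)
    claims, warnings = {}, []
    for scope in requested_scopes:
        for claim in scopes.get(scope, []):
            attribute = cmap.get(claim, claim)  # unmapped claims use their own name
            if attribute in resolved_attributes:
                claims[claim] = resolved_attributes[attribute]
            elif claim in cmap:
                warnings.append(f"Located claim [{claim}] mapped to attribute [{attribute}], "
                                f"yet resolved attributes {sorted(resolved_attributes)} "
                                "do not contain this attribute")
    return claims, warnings


if __name__ == "__main__":
    cases = [("Scenario A, repository-renamed attributes", SCENARIO_A, ATTRS_RENAMED_BY_REPOSITORY),
             ("Scenario A, LDAP attribute names", SCENARIO_A, ATTRS_LDAP_NAMES),
             ("renamed claims, LDAP attribute names", SCENARIO_RENAMED, ATTRS_LDAP_NAMES)]
    for title, text, attrs in cases:
        claims, warnings = resolve_claims(parse_properties(text), ["openid", "myownscope"], attrs)
        print(title, "->", claims, *warnings, sep="\n  ")
```

A practical check before deploying a mapping: run resolve_claims against the attribute names your repository actually releases (the "resolved attributes" list in the CAS debug log is the easiest source) and treat any warning as a configuration mismatch on the identity-provider side, not as a client problem; a relying party that silently receives no email or name claim is the typical symptom.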



He Vincent

Sep 16, 2021, 4:35:03 AM
to CAS Community, ste
I confirmed it works fine in CAS 6.3, but I have a production that runs on CAS 5.3, and it does not work.
The profile I get is only like this:
{
    "sub": "vin...@mydomain.com",
    "auth_time": 1631780270,
    "id": "vin...@mydomain.com"
}
I want email instead of id; is there any way to achieve it in CAS 5.3?


