CAS 5.2 + OIDC : custom scope consent error


jm t

Dec 1, 2017, 8:32:04 AM12/1/17
to CAS Community
Dear community,

I have set up the following:
  • CAS 5.2 from maven overlay
  • JDBC query authentication along with custom attributes.
    • All custom attributes are added to cas.authn.attributeRepository.defaultAttributesToRelease
  • JSON service to allow using CAS from moodle
    • It includes the following to release all attributes and disable consent
  "attributeReleasePolicy":
  {
    "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "principalAttributesRepository":
    {
      "@class": "org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository",
      "expiration": 2,
      "timeUnit": "HOURS"
    },
    "consentPolicy":
    {
      "@class": "org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy",
      "enabled": false
    },
    "authorizedToReleaseAuthenticationAttributes": true
  }
  • OIDC configuration into cas.properties
    • cas.authn.oidc.scopes=openid,mycustom
    • cas.authn.oidc.claims=openid,sub,name,preferred_username,family_name,given_name,middle_name,given_name,nickname,email
    • I created a mapping to all these claims using my custom attributes
    • All custom attributes are listed into cas.authn.oidc.userDefinedScopes.mycustom
    • For each custom attribute in JDBC, I have a mapping even if they have the same name, so it should not be required
  • JSON service to allow test oidc client
    • It includes the same attribute release policy block
    • It also includes the custom scope
      "scopes": [ "java.util.HashSet", [ "mycustom" ]  ]

I can log in both with CAS login or from my moodle. The authentication works and the attributes are resolved properly.

The problems are as follows:
  • Testing oidc using https://bitbucket.org/connect2id/openid-connect-dev-client brings me to the login page, authentication is working and the attributes are properly fetched.
  • I am sure about that as the consent page is shown with all the attributes and proper values from my db. The issue is that the enable flag is set to false in my json.
  • On accept an error is shown about not proper login time. The java is more interesting:
    Error: Exception thrown executing org.apereo.cas.web.flow.ConfirmConsentAction@39d73eea in state 'confirmAttributeConsent' of flow 'login' -- action execution attributes were 'map[[empty]]'
  • Starting the server with debug messages shows that the oidc client service is properly loaded. I can see my value in the console. After the first load a message is shown about scope / claim reconciliation. In that new message the consent block is replaced by:
    [excludeAttributes=<null>,includeOnlyAttributes=<null>,enabled=true]
    • Reconciliation always ends with the null,null,true regardless of the json content
    • authorizedToReleaseAuthenticationAttributes after reconciliation matches what is in the json
What am I doing wrong? I have some suspicions about the following but I failed to assert them properly.

As a more general question, how would you setup apereo cas so that:
  • Validate from jdbc only and fetch a set of custom attributes - done
  • Release all these attributes acting as an oidc or saml2 provider. No consent, no filtering nor subset release. All attributes plain and simple.

Thanks in advance for your answers,

JM
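The post lists several places where the same names must agree: the service's `scopes` (in Jackson's typed-collection form), `cas.authn.oidc.scopes`, `cas.authn.oidc.userDefinedScopes.<scope>` and `cas.authn.attributeRepository.defaultAttributesToRelease`, plus the `consentPolicy.enabled` flag. The following is an added pre-flight checker, not code from the post or from the CAS project: it parses a constructed service definition and a constructed cas.properties fragment shaped like the ones in the post and reports mismatches before CAS is started. The sample values (service id, client id, attribute names such as `employeeNumber`) are constructed; the set of standard OIDC scopes it skips is an assumption.

```python
import json

# Constructed sample: an OIDC client service in the shape shown in the post
# (consent disabled, one custom scope). Ids, names and secret are placeholders.
SERVICE_JSON = """
{
  "@class": "org.apereo.cas.services.OidcRegisteredService",
  "serviceId": "^https://client.example.test/.*",
  "name": "example-oidc-client",
  "id": 1001,
  "clientId": "example-client-id",
  "clientSecret": "example-client-secret-placeholder",
  "scopes": [ "java.util.HashSet", [ "openid", "mycustom" ] ],
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "consentPolicy": {
      "@class": "org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy",
      "enabled": false
    },
    "authorizedToReleaseAuthenticationAttributes": true
  }
}
"""

# Constructed cas.properties fragment. 'employeeNumber' is deliberately listed in the
# custom scope but not in defaultAttributesToRelease, so the checker has something to report.
CAS_PROPERTIES = """
# attribute repository
cas.authn.attributeRepository.defaultAttributesToRelease=uid,mail,displayName,department
# oidc
cas.authn.oidc.scopes=openid,mycustom
cas.authn.oidc.claims=openid,sub,name,preferred_username,email
cas.authn.oidc.userDefinedScopes.mycustom=uid,mail,displayName,department,employeeNumber
"""

# Scopes CAS defines itself and therefore need no userDefinedScopes entry (assumption).
STANDARD_SCOPES = {"openid", "profile", "email", "address", "phone", "offline_access"}


def parse_properties(text):
    """Minimal cas.properties reader: key=value lines, '#' comments, no continuations."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def csv(props, key):
    """Split a comma-separated property into a list; missing key gives an empty list."""
    return [v.strip() for v in props.get(key, "").split(",") if v.strip()]


def typed_collection(value):
    """Unwrap Jackson's typed form ["java.util.HashSet", [...]] to a plain list;
    a plain JSON list or None is returned unchanged / as an empty list."""
    if (isinstance(value, list) and len(value) == 2
            and isinstance(value[0], str) and value[0].startswith("java.util.")
            and isinstance(value[1], list)):
        return list(value[1])
    return list(value or [])


def check_service(service, props):
    """Return a list of human-readable findings; an empty list means the pieces agree."""
    findings = []
    policy = service.get("attributeReleasePolicy", {})
    consent = policy.get("consentPolicy", {})
    # DefaultRegisteredServiceConsentPolicy defaults to enabled (the post's log shows enabled=true).
    if consent.get("enabled", True):
        findings.append("consentPolicy.enabled is not false: the consent screen will be shown")

    declared = set(csv(props, "cas.authn.oidc.scopes"))
    releasable = set(csv(props, "cas.authn.attributeRepository.defaultAttributesToRelease"))
    for scope in typed_collection(service.get("scopes")):
        if scope not in declared:
            findings.append(f"service scope '{scope}' is not declared in cas.authn.oidc.scopes")
        if scope in STANDARD_SCOPES:
            continue
        key = f"cas.authn.oidc.userDefinedScopes.{scope}"
        if key not in props:
            findings.append(f"custom scope '{scope}' has no {key} entry")
            continue
        for attr in csv(props, key):
            if attr not in releasable:
                findings.append(f"attribute '{attr}' in {key} is not in defaultAttributesToRelease")
    return findings


def run_sample():
    """Run the checker over the constructed samples above."""
    return check_service(json.loads(SERVICE_JSON), parse_properties(CAS_PROPERTIES))


if __name__ == "__main__":
    for finding in run_sample() or ["no findings"]:
        print(finding)
```

On the constructed input the only finding is the `employeeNumber` attribute that the custom scope references but the attribute repository never releases; flipping `"enabled": false` to `true` adds a consent finding, and a scope missing from `cas.authn.oidc.scopes` is reported as well.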
