CAS v7.3.3 vs OIDC vs attributes value base64


livio dezorzi

Jan 23, 2026, 8:57:47 AM
to CAS Community
I have some attribute values encoded in base64 due to special characters: French conventions. With SAML, the values display correctly, but with OIDC, they don't. Is there some subtlety I'm missing? Have you encountered this issue?
Thanks
Regards

livio dezorzi

Feb 24, 2026, 10:15:28 AM
to CAS Community, livio dezorzi
Hi,
I would like to provide you with some further details regarding the log and the OIDC configuration:
I use a Tomcat11 with JDK 21 exposed on port 443.

The attributes from CAS are mapped as follows in cs.properties:

# Include the claims in the tokens
cas.authn.oidc.id-token.include-id-token-claims=true
cas.authn.oidc.core.claims-map.email=mailRoutingAddress
cas.authn.oidc.core.claims-map.MemberOf=groupe
cas.authn.oidc.core.claims-map.firstname=givenName
cas.authn.oidc.core.claims-map.lastname=sn
cas.authn.oidc.core.claims-map.displayname=displayName
cas.authn.oidc.core.claims-map.compteactif=compteactif
cas.authn.oidc.core.claims-map.fonctionuser=fonctionlibelle
cas.authn.oidc.core.claims-map.secteuruser=secteurlibelle
cas.authn.oidc.core.claims-map.serviceuser=servicelibelle
cas.authn.oidc.core.claims-map.departementuser=departementlibelle
cas.authn.oidc.core.claims-map.directionuser=directionlibelle
cas.authn.oidc.core.claims-map.contrat=employeeType
cas.authn.oidc.discovery.claims=sub,uid,email,firstname,lastname,displayname,compteactif,fonctionuser,serviceuser,departementuser,directionuser,contrat,MemberOf
cas.authn.oidc.core.user-defined-scopes.organisation=fonctionuser,serviceuser,departementuser,directionuser
cas.authn.oidc.core.user-defined-scopes.profile=firstname,lastname,displayname,compteactif,contrat
cas.authn.oidc.core.user-defined-scopes.email=email
cas.authn.oidc.core.user-defined-scopes.memberofargos=MemberOf
cas.authn.oidc.core.user-defined-scopes.memberofedgar=MemberOf
cas.authn.oidc.core.user-defined-scopes.memberofsigport=MemberOf
cas.authn.oidc.discovery.scopes=openid,profile,email,organisation,memberofargos,memberofedgar,memberofsigport

And we can clearly see the released attributes in the log:

=============================================================
WHEN: 2026-02-24T14:28:30.878608180
WHO: audit:unknown
WHAT: {service=https://testoidc.example.net/cas/oidc/authorize, scope=[organisation, memberofedgar, openid, email, profile], attributes={departementuser=[Département infrastructures usages et postes de travail], fonctionuser=[Ingénieur systèmes et réseau], firstname=[Alain], directionuser=[Direction des systèmes d'information], contrat=[Permanent], MemberOf=[argos, edgar, supervision], displayname=[Alain DELOING], compteactif=[true], serviceuser=[Service infrastructures], email=[alain....@example.fr], lastname=[DELOING]}, id=adeloing, client_id=WwWNfRLCBStw1X3x0F7hYIm5m5z0UY}
ACTION: OAUTH2_USER_PROFILE_CREATED
CLIENT_IP: 192.168.1.111
SERVER_IP: 192.168.1.59
=============================================================

Attribute values containing special characters are displayed, like fonctionuser=[Ingénieur systèmes et réseau].

But after authentication, they are not displayed in my browser. I use a PHP index page to display the attributes with their values, like this:
<?php $attributes = getallheaders(); ?>
<?php if (!empty($attributes)): ?>
<table>
    <tr>
        <th>Nom de l’attribut</th>
        <th>Valeur(s)</th>
    </tr>
    <?php foreach ($attributes as $name => $values): ?>
        <tr>
            <td><?= htmlspecialchars($name, ENT_QUOTES, 'UTF-8') ?></td>
            <td><?= htmlspecialchars($values) ?></td>
        </tr>
    <?php endforeach; ?>
</table>
<?php else: ?>
<p><em>Aucun attribut reçu.</em></p>
<?php endif; ?>

OIDC_CLAIM_directionuser : 
OIDC_CLAIM_departementuser : 
OIDC_CLAIM_serviceuser : Service infrastructures
OIDC_CLAIM_email : alain.del...@example.fr

OIDC_CLAIM_lastname : DELOING

OIDC_CLAIM_preferred_username : adeloing

Has anyone else encountered this issue?
I should point out that under SAML, accented values are displayed like this: fonction : Ingénieur systèmes et réseau

Regards
cas.log
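
A diagnostic for the PHP page in the post above, as an added example that is not part of the original thread: htmlspecialchars() returns an empty string when its input is not valid in the target encoding unless ENT_SUBSTITUTE or ENT_IGNORE is set, so this script reports the raw bytes of each OIDC_CLAIM_ header and escapes it after conversion. It assumes, without confirmation from the thread, that values which are not valid UTF-8 are ISO-8859-1; the sample strings are constructed, and the mbstring extension is required.

```php
<?php
// Added example (not from the thread): show how each claim header is encoded.

// Assumption: a value that is not valid UTF-8 is ISO-8859-1 (Latin-1).
function describe_claim(string $raw): array
{
    $isUtf8 = mb_check_encoding($raw, 'UTF-8');
    $utf8 = $isUtf8 ? $raw : mb_convert_encoding($raw, 'UTF-8', 'ISO-8859-1');
    return [
        'encoding' => $isUtf8 ? 'valid UTF-8' : 'not UTF-8, treated as ISO-8859-1',
        'hex'      => bin2hex($raw),
        // Without ENT_SUBSTITUTE (not a default flag before PHP 8.1), invalid input yields ''.
        'strict'   => htmlspecialchars($raw, ENT_QUOTES, 'UTF-8'),
        // Convert first, then escape; ENT_SUBSTITUTE keeps any leftover bad bytes visible.
        'safe'     => htmlspecialchars($utf8, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
    ];
}

// Constructed samples: the same word as Latin-1 bytes and as UTF-8 bytes.
$samples = [
    'OIDC_CLAIM_fonctionuser (constructed, Latin-1)' => "Ing\xE9nieur",
    'OIDC_CLAIM_fonctionuser (constructed, UTF-8)'   => "Ing\xC3\xA9nieur",
    'OIDC_CLAIM_serviceuser (constructed, ASCII)'    => 'Service infrastructures',
];

if (PHP_SAPI === 'cli') {
    $claims = $samples;                       // offline run from the command line
} else {
    header('Content-Type: text/plain; charset=UTF-8');
    $claims = array_filter(
        getallheaders(),
        fn ($name) => stripos($name, 'OIDC_CLAIM_') === 0,
        ARRAY_FILTER_USE_KEY
    );
}

foreach ($claims as $name => $raw) {
    $d = describe_claim((string) $raw);
    printf(
        "%s\n  encoding: %s\n  bytes:    %s\n  strict escape: %s\n  safe escape:   %s\n",
        $name,
        $d['encoding'],
        $d['hex'],
        $d['strict'] === '' ? '(empty string)' : $d['strict'],
        $d['safe']
    );
}
```

If the accented claims report "not UTF-8" and an empty strict escape, the values are reaching PHP intact and are being dropped at the escaping step rather than by CAS.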