CASE 7.3.2: How to filter attributes in an OAuth service?


jean-baptiste CASsys

Feb 18, 2026, 10:12:53 AM (8 days ago) Feb 18
to cas-...@apereo.org
Hello,

I am working on updating our CAS from version 5.3 to version 7.3.2.

CAS V2, CAS V3 and OIDC authentication are working fine, and we are able to choose the attributes to return to the client based on the different services.

However, I am unable to define the attributes to be returned for the OAuth connection method. Each time, all the attributes listed in "ldap.principal-attribute-list" are returned.

In the OAuth service, I am using the class:
"@class" : "org.apereo.cas.support.oauth.services.OAuthRegisteredService",


However, none of the following attribute release policies appear to have any effect on the OAuth service:
 "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.DenyAllAttributeReleasePolicy"
  }
 "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy",
    "excludedAttributes": ["java.util.LinkedHashSet", ["cn"]]
  }
  "attributeReleasePolicy" : {
    "@class": "org.apereo.cas.services.ReturnStaticAttributeReleasePolicy",
    "allowedAttributes": {
      "@class": "java.util.LinkedHashMap",
      "permissions": [ "java.util.ArrayList", [ "read", "write", "admin" ] ]
    }
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "cn", "mail", "sn" ] ]
  }
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "eduPersonAffiliation" : "affiliation",
      "groupMembership" : "group"
    }
"attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnLinkedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "component" : ["java.util.ArrayList", ["cn", "givenName", "unknown", "firstName"]]
    }
  }
"attributeReleasePolicy": { "@class" : "org.apereo.cas.services.DenyAllAttributeReleasePolicy", },
The only thing I managed to get working in "attributeReleasePolicy" is the policy that adds an attribute via an inline Groovy script:
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "uid" : "groovy { return attributes['uid'].get(0) + ' is great' }"
    }

For collecting attributes during LDAP authentication, I use the following settings:
  authn:
    policy:
      required-attributes:
        enabled: false
    authentication-attribute-release:
      enabled: false
      only-release: sn,uid, givenName
    attribute-repository:
      core:
        default-attributes-to-release: sn,uid, givenName
    ldap:
      - type: AUTHENTICATED
        ldap-url: ${LDAP_HOST}
        base-dn: "ou=people,dc=univ-cas,dc=fr"
        search-filter: "(uid={user})"
        bind-dn: ${LDAP_USER}
        bind-credential: ${LDAP_PASSWORD}
        dn-format: "uid={user},ou=people,dc=univ-cas,dc=fr"
        principal-attribute-id: uid
        principal-attribute-list:
          - memberOf
          - mail
          - mailQuota
          - sn
          - cn
          - givenName
          - displayName
          - uid
          - mailAlternateAddress
          - personAffiliation
          - pwdChangedTime
          - synchroEdt
          - supannRefId
          - supannEntiteAffectation
          - title
          - supannRoleEntite
          - posteOccupe
    oauth:
      core:
        bypass-approval-prompt: true
    oidc:
      core:
        issuer: "https://server-cas/cas/oidc"
        claims-map:
          uid: uid      
          family_name: sn      
          given_name: givenName
          name: cn    
          preferred_username: displayName
          email: mail
          groups: memberOf
        user-defined-scopes:
          groups: groups
      id-token:
        include-id-token-claims: false
      discovery:
        scopes: openid, profile, email, groups
        claims:
          - sub
          - given_name
          - family_name
          - name
          - email
          - groups

In addition, we have enabled the following dependencies:
// Gradle dependency declarations for the CAS overlay (CAS 7.3.2 per the post above).
// Module versions are meant to come from the CAS BOM; some entries below still
// pin "${project.version}" explicitly, so the effective version of each module
// depends on how that property is defined in the overlay.
dependencies {
    // CAS BOM, pinned to the 'cas.version' project property.
    implementation enforcedPlatform("org.apereo.cas:cas-server-support-bom:${project.'cas.version'}")
    implementation platform(org.springframework.boot.gradle.plugin.SpringBootPlugin.BOM_COORDINATES)
    implementation "org.apereo.cas:cas-server-core-api-configuration-model"
    implementation "org.apereo.cas:cas-server-webapp-init"
    if (appServer == '-tomcat') {
        implementation "org.apereo.cas:cas-server-webapp-init-tomcat"
    }
    // developmentOnly is expected to keep devtools out of the packaged artifact — confirm for the deployed war.
    developmentOnly "org.springframework.boot:spring-boot-devtools:${project.springBootVersion}"
    implementation "org.apereo.cas:cas-server-support-rest"
    // NOTE(review): the CAS BOM is declared a second time here, resolved from
    // 'project.version' instead of 'cas.version' (see the enforcedPlatform line above).
    // If the two properties ever differ, module versions can drift — confirm both resolve to 7.3.2.
    implementation platform("org.apereo.cas:cas-server-support-bom:${project.version}")
    implementation "org.apereo.cas:cas-server-core:${project.version}"
    implementation "org.apereo.cas:cas-server-support-ldap"
    implementation "org.apereo.cas:cas-server-support-ldap-core"
    implementation "org.apereo.cas:cas-server-webapp"
    // OAuth / OIDC protocol support; the OAuth service in question is handled by these modules.
    implementation "org.apereo.cas:cas-server-support-oauth:${project.version}"
    implementation "org.apereo.cas:cas-server-support-oauth-webflow:${project.version}"     /* DIA */
    implementation "org.apereo.cas:cas-server-support-oidc:${project.version}"
    implementation "org.apereo.cas:cas-server-core-authentication-attributes:${project.version}"
    implementation "org.apereo.cas:cas-server-core-services:${project.version}"
    // Service definitions (including the attributeReleasePolicy fragments above) are loaded from a Git-backed registry.
    implementation "org.apereo.cas:cas-server-support-git-service-registry:${project.version}"
    implementation "org.apereo.cas:cas-server-support-oidc-core:${project.version}"
    implementation "org.apereo.cas:cas-server-support-generic"
    // Presumably required for the inline "groovy { ... }" attribute expression shown above — verify.
    implementation "org.apereo.cas:cas-server-core-scripting"
    testImplementation "org.springframework.boot:spring-boot-starter-test"
}
How can I filter attributes in an OAuth service?

Thank you in advance.
