OpenID Connect not working due to attributes missing in top level user info


Markus Kahl

Jul 10, 2024, 5:41:20 AM
to CAS Community
Hi,

we're trying to add CAS as an OpenID Connect provider for an OpenProject installation.

We've gotten as far as the user being redirected to CAS to login and coming back to OpenProject.
However, the issue then is that there are no user attributes in the userinfo response directly (on the same level as 'sub' for instance).
Instead all the attributes are one level below under 'attributes'.

{
    "sub"=>"admin",
    "service"=>"https://192.168.56.10/openproject/auth/cas/callback",
    "auth_time"=>1715934410,
    "attributes"=>{
      "mail"=>"ad...@example.net",
      "displayName"=>"admin",
      "surname"=>"admin",
      "givenName"=>"admin",
      "groups"=>["admin"],
      "cn"=>"admin",
      "username"=>"admin"
  },

According to the OpenID Connect specification [2] these attributes should be one level higher, though.
Like this:

{
    "sub"=>"admin",
    "name"=>"admin admin",
    "family_name"=>"admin",
    "given_name"=>"admin",
    "email"=>"ad...@example.net"
  }

I found the same issue in [1] but it seems it was never resolved.

I'm 99% sure this is not an issue on the OpenProject side which simply uses default gems/libraries for the OpenID Connect things and works just fine with Google, MS Entra, Keycloak etc. via OpenID Connect.

So I suspect this must be an option on the CAS side.
Is there any hint I can give the people running the CAS instance as to what to look for?

Best regards,
Markus

Petr Fišer

Jul 10, 2024, 7:03:59 AM
to cas-...@apereo.org, Markus Kahl
Hello,
This is what you need https://apereo.github.io/cas/6.6.x/authentication/OAuth-Authentication-UserProfiles.html .
Do not mind that it is for OAuth. CAS extends the OAuth services to enable OIDC on them... so the OAuth part of documentation is also valid for OIDC.

Cheers,
Fiisch
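
Added example, not part of the thread and not CAS or OpenProject code: a small Ruby check that the people running the relying party can run against a captured userinfo response to see whether it is in the nested or the flat shape and which top-level claims are still missing. The sample response, the constant names and the three helper functions are assumptions made for illustration.

```ruby
require 'json'

# Top-level claims the relying party reads (the ones named in the question).
EXPECTED_CLAIMS = %w[name given_name family_name email].freeze

# Constructed sample in the nested shape from the question (values are made up).
# The nested "sub" is added to exercise the collision check in hoist_attributes.
NESTED_SAMPLE = <<~JSON
  {"sub": "admin", "auth_time": 1715934410,
   "attributes": {"mail": "someone@example.org", "givenName": "admin",
                  "surname": "admin", "groups": ["admin"], "sub": "other"}}
JSON

# :invalid without a string "sub", :nested when a hash sits under "attributes",
# otherwise :flat.
def profile_shape(userinfo)
  return :invalid unless userinfo.is_a?(Hash) && userinfo['sub'].is_a?(String)
  userinfo['attributes'].is_a?(Hash) ? :nested : :flat
end

# Expected claims that are absent from the top level.
def missing_claims(userinfo, expected = EXPECTED_CLAIMS)
  expected.reject { |claim| userinfo.key?(claim) }
end

# Copy of the response with nested attributes lifted one level. Existing
# top-level keys always win, so a nested "sub" cannot replace the subject.
# Returns [flattened_hash, skipped_keys].
def hoist_attributes(userinfo)
  nested = userinfo['attributes']
  return [userinfo.dup, []] unless nested.is_a?(Hash)
  flat = userinfo.reject { |key, _| key == 'attributes' }
  skipped = nested.keys.select { |key| flat.key?(key) }
  nested.each { |key, value| flat[key] = value unless flat.key?(key) }
  [flat, skipped]
end

if __FILE__ == $PROGRAM_NAME
  info = JSON.parse(NESTED_SAMPLE)
  flat, skipped = hoist_attributes(info)
  puts "shape: #{profile_shape(info)}, missing: #{missing_claims(info).join(', ')}"
  puts "after hoisting: missing #{missing_claims(flat).join(', ')}, skipped #{skipped.inspect}"
end
```

On this constructed sample, lifting the attributes one level still leaves all four expected claims missing, because the attribute names (mail, givenName, surname) differ from the claim names the relying party looks for.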

Markus Kahl

Jul 10, 2024, 7:04:00 AM
to Petr Fišer, cas-...@apereo.org
Hello Fiisch

Thank you so much! That ought to do it!

Best regards,
Markus