principal ID for delegate authentication not transformed?

Chia-Ying Yang

Jul 29, 2021, 11:58:27 AM
to cas-...@apereo.org
I've configured CAS with authentication delegation (Pac4J Google) +
attribute resolution (REST) + interrupt notification (REST).

My attribute resolution REST endpoint translates the principal ID
returned from delegated authentication (of the format
org.pac4j.oauth.profile.google2.Google2Profile#[number], as I have
cas.authn.pac4j.core.typed-id-used=true) and returns it as an attribute
"principal", and together with the
cas.person-directory.principal-attribute=principal setting, this
principal ID then becomes the user's "final" principal ID.

In 5.3.x, the "final" principal ID is then being used to call the
interrupt notification REST endpoint.  This is what I expect.

In 6.3.x / 6.4.x however, the original principal ID
org.pac4j.oauth.profile.google2.Google2Profile#[number] is being used to
call the interrupt notification REST endpoint.  Is this an intentional
change or is this a possible bug?

Thanks,

Chia-Ying

Chia-Ying Yang

Aug 3, 2021, 2:42:33 PM
to CAS Community, Chia-Ying Yang
Posting follow-up in the hopes this may help other people.

I spent more time debugging and was finally able to get it to behave by setting cas.person-directory.principal-resolution-conflict-strategy=first (default is last).  This allows the principal ID to be overridden by an attribute during attribute resolution.

What I don't fully understand is delegate authentication took place first, and attribute resolution via REST took place thereafter.  But while executing the strategy to resolve the multiple principals, the principal object returned by delegate authentication is actually second in the list, while the attribute resolution principal is first in the list.  This is totally counterintuitive -- I'm still trying to pinpoint how this happened and decide whether there is a bug somewhere.  The property above at least let me overcome this counterintuitive behavior and achieve what I want.

Chia-Ying
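Added illustration (not CAS code and not the poster's configuration): a small model of the two steps the thread describes, namely an attribute-resolution step that translates a pac4j typed id of the form org.pac4j.oauth.profile.google2.Google2Profile#[number] into a local username returned as a "principal" attribute, and the principal-resolution-conflict-strategy ("first" vs "last") applied to a candidate list ordered the way the second post observed in 6.3.x/6.4.x (attribute-resolution principal first, delegated-authentication principal second). The directory mapping, the trusted profile-class set, the function names and the candidate-list representation are all assumptions made for the example. The check on the profile class is the part a practitioner would want: with typed-id-used=true the class prefix is what keeps an id from one provider from colliding with the same number issued by another, so the translation should refuse ids whose class is not one it expects.

```python
"""Model of the CAS principal-resolution behaviour described in the thread.

Added example, not CAS code. Names, the directory contents and the list of
trusted profile classes are constructed sample data.
"""
import re
from typing import Dict, List, Optional, Tuple

# Provider profile classes we are willing to translate (assumption for the
# example). Validating the class, not just the number after '#', is the whole
# reason typed ids exist: two providers may hand out the same numeric id.
TRUSTED_PROFILE_CLASSES = {
    "org.pac4j.oauth.profile.google2.Google2Profile",
}

# Constructed sample directory: typed id -> local username.
SAMPLE_DIRECTORY: Dict[str, str] = {
    "org.pac4j.oauth.profile.google2.Google2Profile#1122334455": "cyang",
}

# 'fully.qualified.ClassName#identifier'
TYPED_ID_RE = re.compile(r"^(?P<cls>[A-Za-z_][\w.]*)#(?P<id>[^#\s]+)$")


def parse_typed_id(typed_id: str) -> Optional[Tuple[str, str]]:
    """Split a pac4j typed id into (profile class, provider id); None if malformed."""
    m = TYPED_ID_RE.match(typed_id)
    if not m:
        return None
    return m.group("cls"), m.group("id")


def resolve_attributes(typed_id: str, directory: Dict[str, str]) -> Dict[str, List[str]]:
    """What the poster's REST attribute endpoint is described as doing: return the
    local username as a 'principal' attribute. Malformed, untrusted or unknown ids
    yield no 'principal' attribute, so the delegated id is all that remains."""
    parsed = parse_typed_id(typed_id)
    if parsed is None or parsed[0] not in TRUSTED_PROFILE_CLASSES:
        return {}
    local = directory.get(typed_id)
    return {"principal": [local]} if local else {}


def build_principal_candidates(typed_id: str, directory: Dict[str, str]) -> List[Dict]:
    """Candidate order as observed in the thread for 6.3.x/6.4.x: the principal
    built from attribute resolution comes first, the one from delegated
    authentication second."""
    attrs = resolve_attributes(typed_id, directory)
    candidates: List[Dict] = []
    if "principal" in attrs:
        candidates.append({"id": attrs["principal"][0], "attributes": attrs})
    candidates.append({"id": typed_id, "attributes": {}})
    return candidates


def choose_principal(candidates: List[Dict], strategy: str) -> str:
    """Mimic principal-resolution-conflict-strategy: 'first' or 'last' (the default)."""
    if not candidates:
        raise ValueError("no principals resolved")
    if strategy == "first":
        return candidates[0]["id"]
    if strategy == "last":
        return candidates[-1]["id"]
    raise ValueError(f"unknown conflict strategy {strategy!r}")


def final_principal_id(typed_id: str, strategy: str,
                       directory: Dict[str, str] = SAMPLE_DIRECTORY) -> str:
    """Principal id that would be handed on to later steps such as the interrupt REST call."""
    return choose_principal(build_principal_candidates(typed_id, directory), strategy)


if __name__ == "__main__":
    tid = "org.pac4j.oauth.profile.google2.Google2Profile#1122334455"
    print("strategy=last :", final_principal_id(tid, "last"))   # delegated typed id
    print("strategy=first:", final_principal_id(tid, "first"))  # translated username
```

With the default "last" the delegated typed id wins, which matches what the first post saw in 6.3.x/6.4.x; with "first" the attribute-resolved username wins, which is the behaviour the second post reached by setting cas.person-directory.principal-resolution-conflict-strategy=first. An id with an unexpected class prefix, or one the directory does not know, is never translated and falls through to the delegated id unchanged.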