Trouble getting email in root of OIDC profile response


Jake Turner

Dec 23, 2025, 5:28:28 PM (3 days ago) Dec 23
to CAS Community
Hi all,

I'm running CAS 7.3.2 and I'm running into some trouble getting an external OIDC service to complete a login flow. The external service is expecting the "email" at the root of the /cas/oidc/profile response, but it's only returned inside the "attributes" object.

For example, requesting an authorization code grant with scopes openid, profile, and email and then:

curl --request GET \
  --url https://my-cas-server.com/cas/oidc/profile \
  --header 'Authorization: Bearer my-access-token'

returns:

{
  "sub": "c8345950-15ed-4c55-b7f9-dd7011d6bde0",
  "service": "https://my-external-service.com/auth/oidc/callback",
  "auth_time": 1766524745,
  "attributes": {
    "given_name": "Test",
    "family_name": "User",
    "picture": "https://mycorp.com/avatar.png",
    "email": "tu...@mycorp.com"
  },
  "id": " c8345950-15ed-4c55-b7f9-dd7011d6bde0  ",
  "client_id": "my-external-service"
}

I'm using a dynamic JPA service registry with this service defined as such:

{
  "@class": "org.apereo.cas.services.OidcRegisteredService",
  "clientId": "my-external-service",
  "clientSecret": "my-client-secret",
  "serviceId": "https://my-external-service.com/auth/oidc/callback",
  "name": "My External Service",
  "id": 1,
  "logo": "https://mycorp.com/icon.png",
  "bypassApprovalPrompt": true,
  "supportedResponseTypes": [
    "java.util.HashSet",
    [
      "code"
    ]
  ],
  "supportedGrantTypes": [
    "java.util.HashSet",
    [
      "authorization_code"
    ]
  ],
  "scopes": [
    "java.util.HashSet",
    [
      "openid",
      "profile",
      "email"
    ]
  ],
  "usernameAttributeProvider": {
    "@class": "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
    "usernameAttribute": "uuid",
    "principalIdAttribute": "uuid"
  }
}


I have tried a few different attributeReleasePolicy configurations, such as "org.apereo.cas.oidc.claims.OidcEmailScopeAttributeReleasePolicy" or "org.apereo.cas.services.ChainingAttributeReleasePolicy" with "org.apereo.cas.oidc.claims.OidcEmailScopeAttributeReleasePolicy" in the chain, but nothing seems to achieve the desired result.


Confirmed I have the following set in cas.properties:

cas.authn.oidc.id-token.include-id-token-claims=false
cas.authn.oidc.discovery.scopes=openid,email,profile
cas.authn.oidc.discovery.claims=sub,given_name,family_name,email,picture.(truncated for brevity)
cas.authn.oidc.core.claims-map.email=email


Any assistance is greatly appreciated!


Petr Fišer

Dec 24, 2025, 8:57:37 AM (3 days ago) Dec 24
to cas-...@apereo.org
You need to set the user profile to FLAT. See https://apereo.github.io/cas/7.3.x/authentication/OAuth-Authentication-UserProfiles.html .

KR,
Fiisch
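An added example to go with the two posts above; it is not code from the thread or from CAS. The thread shows the NESTED profile shape (principal attributes under an "attributes" object), and the linked page documents a FLAT shape where the attributes are merged into the root; as I recall, the server-side switch is the `cas.authn.oauth.user-profile-view-type` property (verify the exact name against the linked doc page). On the relying-party side, a client that only reads the root is exactly what broke here, so this helper normalizes either shape into UserInfo-style claims, refuses a response without a usable `sub`, and flags an `id`/`sub` mismatch after trimming the stray whitespace visible in the thread's `id` value. The sample responses below are constructed from the values in the thread; the single-element-list unwrapping reflects CAS attributes being multi-valued, which is an assumption here.

```python
"""Normalize a CAS /cas/oidc/profile response into OIDC UserInfo-style claims.

Added example, not part of CAS. Accepts both the NESTED view (attributes
under an "attributes" object, as seen in the thread) and the FLAT view
(attributes merged into the root) so a relying party behaves the same
regardless of the server-side user-profile view setting.
"""
import json
from typing import Optional

# Keys CAS emits alongside the principal attributes. They are response
# metadata, not user attributes, so they are excluded from the claims view.
META_KEYS = {"sub", "id", "service", "auth_time", "client_id", "attributes"}


def normalize_profile(raw: str) -> dict:
    """Return a flat claims dict with a validated 'sub', from either view."""
    profile = json.loads(raw)
    if not isinstance(profile, dict):
        raise ValueError("profile response must be a JSON object")

    sub = profile.get("sub")
    if not isinstance(sub, str) or not sub.strip():
        raise ValueError("profile response lacks a usable 'sub' claim")
    sub = sub.strip()

    # CAS also emits the principal id under "id"; the thread shows it padded
    # with whitespace, so compare after trimming and reject a real mismatch.
    principal_id = profile.get("id")
    if isinstance(principal_id, str) and principal_id.strip() != sub:
        raise ValueError("'id' and 'sub' identify different principals")

    claims = {"sub": sub}

    # NESTED view: principal attributes live under "attributes".
    nested = profile.get("attributes")
    if isinstance(nested, dict):
        claims.update(nested)

    # FLAT view (or a mix): every non-metadata root key is an attribute.
    # Nested values win if the same key appears in both places.
    for key, value in profile.items():
        if key not in META_KEYS:
            claims.setdefault(key, value)

    # Assumption: CAS attributes can be multi-valued and arrive as lists;
    # unwrap single-element lists so callers get scalars.
    for key, value in list(claims.items()):
        if isinstance(value, list) and len(value) == 1:
            claims[key] = value[0]
    return claims


def email_for(raw: str) -> Optional[str]:
    """Extract the email claim, or None if absent or not plausibly an address."""
    email = normalize_profile(raw).get("email")
    if isinstance(email, str) and "@" in email:
        return email.strip()
    return None


# Constructed sample responses based on the values shown in the thread.
NESTED_RESPONSE = json.dumps({
    "sub": "c8345950-15ed-4c55-b7f9-dd7011d6bde0",
    "service": "https://my-external-service.com/auth/oidc/callback",
    "auth_time": 1766524745,
    "attributes": {
        "given_name": "Test",
        "family_name": "User",
        "picture": "https://mycorp.com/avatar.png",
        "email": "tu@mycorp.com",
    },
    "id": " c8345950-15ed-4c55-b7f9-dd7011d6bde0  ",
    "client_id": "my-external-service",
})

FLAT_RESPONSE = json.dumps({
    "sub": "c8345950-15ed-4c55-b7f9-dd7011d6bde0",
    "service": "https://my-external-service.com/auth/oidc/callback",
    "auth_time": 1766524745,
    "given_name": "Test",
    "family_name": ["User"],
    "email": ["tu@mycorp.com"],
    "id": "c8345950-15ed-4c55-b7f9-dd7011d6bde0",
    "client_id": "my-external-service",
})

if __name__ == "__main__":
    for label, body in (("nested", NESTED_RESPONSE), ("flat", FLAT_RESPONSE)):
        print(label, email_for(body), normalize_profile(body))
```

Run the module directly to see both shapes resolve to the same claims; in a real client, call `email_for` on the body returned by the `/cas/oidc/profile` request shown in the question.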
