Issue with CAS 7.2.4 OIDC ID Token


Prakash Thapa

Apr 4, 2026, 11:37:55 AM (13 days ago) Apr 4
to CAS Community
Hi,

I was using the CAS OIDC ID Token to call AWS resources. It was working fine with CAS 5.2.2, but in CAS 7.2.4 I am getting an issue. The only major change visible in the claims is the 'preferred_username' claim. Previously it had the client id itself; however, it has the username now.

It would be nice to hear from anyone facing OIDC related issues after upgrading to CAS 7.

Error Log: software.amazon.awssdk.services.ssooidc.model.AccessDeniedException: Service returned error code AccessDeniedException (Service: SsoOidc, Status Code: 400

CAS 5.2.2 OIDC claims:
{
  "jti": "****",
  "iss": "https://cas.qc.test.com/cas/oidc",
  "aud": "oidc-client",
  "exp": 1769536193,
  "iat": 1769507393,
  "nbf": 1769507093,
  "sub": "<username>",
  "amr": [],
  "state": "",
  "nonce": "",
  "at_hash": "ryy636__7h2Q",
  "name": [
    "bypassMultifactorAuthentication",
    "successfulAuthenticationHandlers",
    "mfaBypassFlag",
    "userId",
    "credentialType",
    "samlAuthenticationStatementAuthMethod",
    "bypassedMultifactorAuthenticationProviderId",
    "authenticationMethod"
  ],
  "preferred_username": "oidc-client"
}

CAS 7.2.4 OIDC claims:
{
  "jti": "***",
  "sid": "****",
  "iss": "https://cas.qc.test.com/cas/oidc",
  "aud": "oidc-client",
  "exp": 1775316904,
  "iat": 1775288104,
  "nbf": 1775287804,
  "sub": "<username>",
  "client_id": "oidc-client",
  "auth_time": 1775288085,
  "at_hash": "rrwrM7rrwrwsYw",
  "preferred_username": "<username>",
  "txn": "rwr242-4r45-e4re-535r-3535f"
}
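As an added illustration (not part of the original post), a small Python script that compares the two claim sets above, ignoring per-token values such as timestamps and hashes, and applies the basic relying-party checks a consumer of the ID token should still perform. The sample payloads are constructed from the posted claims, and the `encode_payload` helper builds unsigned tokens for local testing only.

```python
import base64
import json

# Constructed sample payloads based on the two claim sets posted above
# (masked "****" values omitted).
OLD_CLAIMS = {
    "iss": "https://cas.qc.test.com/cas/oidc", "aud": "oidc-client",
    "exp": 1769536193, "iat": 1769507393, "nbf": 1769507093,
    "sub": "<username>", "preferred_username": "oidc-client",
    "name": ["bypassMultifactorAuthentication", "successfulAuthenticationHandlers",
             "mfaBypassFlag", "userId", "credentialType",
             "samlAuthenticationStatementAuthMethod",
             "bypassedMultifactorAuthenticationProviderId", "authenticationMethod"],
}
NEW_CLAIMS = {
    "iss": "https://cas.qc.test.com/cas/oidc", "aud": "oidc-client",
    "exp": 1775316904, "iat": 1775288104, "nbf": 1775287804,
    "sub": "<username>", "client_id": "oidc-client",
    "auth_time": 1775288085, "preferred_username": "<username>",
}

def decode_jwt_payload(token: str) -> dict:
    """Base64url-decode the payload segment of a compact JWS.
    This only reads claims; it does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def encode_payload(claims: dict) -> str:
    """Build an unsigned (alg=none) token for local testing only."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg(claims)}."

def diff_claims(old: dict, new: dict) -> dict:
    """Report claims added, removed or changed between two ID tokens.
    Per-token values (timestamps, hashes, ids) vary by design and are ignored."""
    volatile = {"exp", "iat", "nbf", "auth_time", "jti", "at_hash", "sid", "txn", "nonce", "state"}
    keys = (set(old) | set(new)) - volatile
    return {
        "added": sorted(k for k in keys if k in new and k not in old),
        "removed": sorted(k for k in keys if k in old and k not in new),
        "changed": {k: (old[k], new[k]) for k in sorted(keys)
                    if k in old and k in new and old[k] != new[k]},
    }

def check_claims(claims: dict, issuer: str, audience: str, now: int) -> list:
    """Minimal issuer/audience/time checks a relying party applies after signature verification."""
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss mismatch")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud mismatch")
    if now >= claims.get("exp", 0):
        problems.append("expired")
    if now < claims.get("nbf", 0):
        problems.append("not yet valid")
    return problems
```

Running `diff_claims(OLD_CLAIMS, NEW_CLAIMS)` isolates exactly the differences the post points at: `client_id` added, `name` gone, and `preferred_username` changed from the client id to the username.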