How to get google attributes in PAC4J


Edward

Oct 24, 2017, 12:47:43 AM
to CAS Community
Hi All
I have implemented CAS delegated auth using PAC4J,
CAS version: 5.1.4

After login via Google and a call to the user profile URL ("https://mydomain.com:8443/cas/oauth2.0/profile"),
the value returned from CAS was only this:
{
  "attributes":
  {
    "clientName": "Google"
  },
  "id": "125418764817264812646"
}

How do I retrieve other attributes, such as first_name, email address, etc.?
And what is the list of fields that Google can return?

Thanks

Carlos Fernandez

Oct 24, 2017, 9:11:45 AM
to cas-...@apereo.org
Hi, Edward,

If you set the org.pac4j logger to level="debug" you'll get Google's JSON response with the user's attributes. To save you the trouble, I found:

gender
displayName
name.givenName
name.familyName
url
image.url
language
access_token

Google may return more if the user has them, but I have not seen them yet. You can reference them in the attribute release policy as described above, and map them to other names using org.apereo.cas.services.ReturnMappedAttributeReleasePolicy if you need them. 


 

Carlos



--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/fd2e9d6a-b714-4bef-9f00-3222dc8b0f51%40apereo.org.

Jérôme LELEU

Oct 24, 2017, 10:12:41 AM
to CAS Community
Hi,

What scope did you define?


Google

Delegate authentication to Google.

# cas.authn.pac4j.google.id=
# cas.authn.pac4j.google.secret=
# cas.authn.pac4j.google.scope=EMAIL|PROFILE|EMAIL_AND_PROFILE
# cas.authn.pac4j.google.clientName=
Thanks.
Best regards,
Jérôme



Edward

Oct 26, 2017, 12:28:45 AM
to CAS Community
Hi All,
Thank you very much for your response:

1. my scope for google is:
cas.authn.pac4j.google.scope=EMAIL_AND_PROFILE

2. After adding logging.level.org.pac4j=DEBUG,
I can see in the log that Google returns a lot of attributes:
2017-10-26 11:56:34,573 INFO [org.pac4j.oauth.profile.creator.OAuth20ProfileCreator] - <UserProfile: {
 "kind": "plus#person",
 "etag": "\"xxxxxxxxxx/xxxxxxxxxxxxxxxxx\"",
 "emails": [
  {
   "value": "xxxxx.x...@gmail.com",
   "type": "account"
  }
 ],
 "objectType": "person",
 "id": "15125125125125",
 "displayName": "xxxxxx",
 "name": {
  "familyName": "XXXXX",
  "givenName": "Xxxxxxx"
 },
 "image": {
  "isDefault": false
 },
 "isPlusUser": true,
 "language": "en_GB",
 "circledByCount": 6,
 "verified": false
}
>

But the final user profile JSON string I got is still the same, not the full one like above.
{
  "attributes":
  {
    "clientName": "Google"
  },
  "id": "15125125125125"
}


3. This is how I get the CAS user profile:
import org.apache.commons.httpclient.HttpClient;           // Commons HttpClient 3.x
import org.apache.commons.httpclient.methods.GetMethod;

HttpClient client = new HttpClient();
GetMethod method = new GetMethod(profileUrl); // the CAS /oauth2.0/profile URL shown above
client.executeMethod(method);
resultStr = method.getResponseBodyAsString();
method.releaseConnection(); // return the connection to the client's pool
// resultStr only contains the above JSON string.

4. in the service configuration:
{
  @class: org.apereo.cas.support.oauth.services.OAuthRegisteredService
  name: CAS User Management
  id: 1506918968305
  description: CAS user management
  proxyPolicy:
  {
    @class: org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy
  }
  evaluationOrder: 0
  usernameAttributeProvider:
  {
    @class: org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider
    canonicalizationMode: NONE
    encryptUsername: false
  }
  attributeReleasePolicy:
  {
    @class: org.apereo.cas.services.ReturnAllAttributeReleasePolicy
    principalAttributesRepository:
    {
      @class: org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository
      expiration: 2
      timeUnit: HOURS
    }
    authorizedToReleaseCredentialPassword: false
    authorizedToReleaseProxyGrantingTicket: false
    excludeDefaultAttributes: false
  }

......

I still cannot get the additional attributes from Google.
Any suggestion?

Thanks!

Martin Bohun

Oct 26, 2017, 1:33:24 AM
to CAS Community
I have a full working version of that at: https://github.com/AtlasOfLivingAustralia/ala-cas-2.0
However that version is based on cas-4.0.4/pac4j-1.7.2 so you have to adjust it to your needs; I was using it and tested it successfully for "one click" SignUP/SignIN with:
- Facebook
- Google
- Twitter
- LinkedIn
- GitHub
- Windoze

Basically the user clicks on the social media button, we do the auth with pac4j, the social media sends back attributes, which we use to either:
1. look up an existing user (based on the email returned back by social media) and log them in, or:
2. if the user (email) does not exist, we create them (using the email, first name, second name) and log them in (avoiding the need for the signup confirmation email)

The actual attribute extraction is done in: 

It is a good starting point, easy to adopt to whatever you need,

cheers,

martin

Jérôme LELEU

Oct 26, 2017, 3:51:50 PM
to CAS Community
Hi,

It should work. The authentication delegation is handled by the ClientAction or DelegatedClientAuthenticationAction class (the name has changed over versions) which uses the ClientAuthenticationHandler. In this handler, the user profile attributes are used to build the SimplePrincipal: when you turn on the DEBUG logs on org.jasig/org.apereo, what do you see for the built principal?
Thanks.
Best regards,
Jérôme



Indika Munaweera

Mar 14, 2019, 12:55:56 PM
to CAS Community
I am having the same issue. 
 [result=Service Access Granted,service=http://localhost:5555/login/cas,principal=SimplePrincipal(id=102313159136078677102, attributes={access_token=[ya29.GlzMBibZB2IIac9qMvpdqQ3ZqOufogMmVCkDFvsSG3-qM88mb_Sa-CgNcK0LLHFxO4TJ_ugz7uiTDFUOW7YTi_PXVgVTmuIGYWSdzt11pPpVoxfc6s66OK1DcTJRvw], displayName=[Indika Munaweera], emails=[org.pac4j.oauth.profile.google2.Google2Email@6b8a5964], image.url=[https://lh3.googleusercontent.com/-r9n1gDd0euo/AAAAAAAAAAI/AAAAAAAABrw/YFvvFzZ25T4/s50/photo.jpg], language=[en], name.familyName=[Munaweera], name.givenName=[Indika]}),requiredAttributes={}]

I need the emails=[org.pac4j.oauth.profile.google2.Google2Email@6b8a5964] object in JSON format like the other values.

Any help is highly appreciated. 

Thanks,

Andy Ng

Mar 14, 2019, 11:26:24 PM
to CAS Community
Hello,

What version of CAS are you on? If you are on CAS > 5.3.9 (or the latest CAS 6.x), since Pac4j is updated to 3.6.1:

You should see that emails is no longer there and there is an email attribute instead (which is a plain string).

So you can get that very easily, no need to decode or handle Google2Email.


See if the above helps you

Cheers!
- Andy

Indika Munaweera

Mar 15, 2019, 3:08:55 AM
to CAS Community
Thank you very much Andy.

I was using CAS 6.0.0-RC4-SNAPSHOT and upgraded to 6.1.0-RC3-SNAPSHOT. I really appreciate you taking the time to answer my question.

Danielo De León

Jul 12, 2024, 3:02:15 PM
to CAS Community, Andy Ng
Hello, something similar is happening to me.

In cas apereo v6.6.15 and pac4j v5.4.6, I am trying to log in to Google and Facebook through an endpoint.
In the json I have the following:

{
  "@class": "org.apereo.cas.services.CasRegisteredService",
  "serviceId": ...,
  "name": ...,
  "id": ...,
  "evaluationOrder": 1,
  "description": "CAS SSO V6.6.15",
  "theme": "Theme",
  "accessStrategy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled": true,
    "ssoEnabled": true
  },
  "properties": {
    "@class": "java.util.HashMap",
    "httpHeaderEnableXFrameOptions": {
      "@class": "org.apereo.cas.services.DefaultRegisteredServiceProperty",
      "values": [
        "java.util.HashSet",
        [
          "true"
        ]
      ]
    }
  },
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "principalIdAttribute": "email",
    "allowedAttributes": [
      "java.util.ArrayList",
      [
        "email",
        "name",
        "first_name",
        "last_name",
        "given_name",
        "family_name"
      ]
    ]
  },
  "singleSignOnParticipationPolicy": {
    "@class": "org.apereo.cas.services.ChainingRegisteredServiceSingleSignOnParticipationPolicy",
    "createCookieOnRenewedAuthentication": "TRUE",
    "policies": [
      "java.util.ArrayList",
      [
        {
          "@class": "org.apereo.cas.services.AuthenticationDateRegisteredServiceSingleSignOnParticipationPolicy",
          "timeUnit": "SECONDS",
          "timeValue": 2592000,
          "order": 0
        }
      ]
    ]
  }
}

and when trying to validate the ticket at the /validate endpoint, the answer is "yes" plus the numerical ID; what I need is for it to be the email and not an ID.

I am using pac4j for delegated auth and in cas.properties I have tried the following configurations:
cas.authn.attribute.release.enabled=true
cas.authn.authentication-attribute-release.enabled=true
cas.authn.pac4j.saml[].principal-id-attribute: email
as.authn.jaas[].principal.use-existing-principal-id: email

but none of them manage to get the ticket quality to respond with the email.


Well, I appreciate any help.
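A CAS service definition that ties together Carlos's note on mapping Google's attribute names with ReturnMappedAttributeReleasePolicy and the request above to have /validate return the email rather than the numeric Google id, as an added example that is not from this thread or from the CAS project. It assumes the pac4j 3.6+ attribute names Andy describes (email, given_name, family_name, name); serviceId, name and id are placeholders, and the principal id is taken from the email attribute by PrincipalAttributeRegisteredServiceUsernameProvider rather than by the default provider.

```json
{
  "@class": "org.apereo.cas.services.CasRegisteredService",
  "serviceId": "^https://app\\.example\\.com/login/cas.*",
  "name": "Example app (placeholder)",
  "id": 1001,
  "evaluationOrder": 1,
  "usernameAttributeProvider": {
    "@class": "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
    "usernameAttribute": "email",
    "canonicalizationMode": "LOWER"
  },
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes": {
      "@class": "java.util.TreeMap",
      "email": "email",
      "given_name": "first_name",
      "family_name": "last_name",
      "name": "display_name"
    }
  }
}
```

If the email attribute is missing from the principal (for example because the Google scope does not include EMAIL), CAS falls back to the default principal id, so first confirm in the DEBUG principal log line Jérôme mentions that an email entry is actually present.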