CAS 6.2.x oauth client_credentials grant type jwt token custom claims/attributes


Ken Hopkins

Aug 3, 2021, 3:57:30 PM
to CAS Community
I am using the oauth2 client-credentials grant type, and am having trouble figuring out how to add attributes into the generated JWT.

My service definition is:
[
  OAuthRegisteredService(
    super=AbstractRegisteredService(
      serviceId=abcdef,
      name=API Test,
      theme=null,
      informationUrl=null,
      privacyUrl=null,
      responseType=null,
      id=-8936606407628949180,
      description=null,
      expirationPolicy=DefaultRegisteredServiceExpirationPolicy(
        deleteWhenExpired=false,
        notifyWhenDeleted=false,
        notifyWhenExpired=false,
        expirationDate=null
      ),
      acceptableUsagePolicy=DefaultRegisteredServiceAcceptableUsagePolicy(
        enabled=true,
        messageCode=null,
        text=null
      ),
      proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1,
      proxyTicketExpirationPolicy=null,
      proxyGrantingTicketExpirationPolicy=null,
      serviceTicketExpirationPolicy=null,
      singleSignOnParticipationPolicy=null,
      evaluationOrder=0,
      usernameAttributeProvider=org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider@87297e2,
      logoutType=BACK_CHANNEL,
      environments=[],
      attributeReleasePolicy=ReturnAllowedAttributeReleasePolicy(
        super=AbstractRegisteredServiceAttributeReleasePolicy(
          attributeFilter=null,
          principalAttributesRepository=DefaultPrincipalAttributesRepository(),
          consentPolicy=DefaultRegisteredServiceConsentPolicy(
            enabled=true,
            excludedAttributes=null,
            includeOnlyAttributes=null,
            order=0
          ),
          authorizedToReleaseCredentialPassword=false,
          authorizedToReleaseProxyGrantingTicket=false,
          excludeDefaultAttributes=false,
          authorizedToReleaseAuthenticationAttributes=true,
          principalIdAttribute=null,
          order=0
        ),
        allowedAttributes=[myName]
      ),
      multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(
        multifactorAuthenticationProviders=[],
        failureMode=UNDEFINED,
        principalAttributeNameTrigger=null,
        principalAttributeValueToMatch=null,
        bypassEnabled=false,
        forceExecution=false,
        bypassTrustedDeviceEnabled=false,
        bypassPrincipalAttributeName=null,
        bypassPrincipalAttributeValue=null,
        script=null
      ),
      logo=null,
      logoutUrl=null,
      redirectUrl=null,
      accessStrategy=DefaultRegisteredServiceAccessStrategy(
        order=0,
        enabled=true,
        ssoEnabled=true,
        unauthorizedRedirectUrl=null,
        delegatedAuthenticationPolicy=DefaultRegisteredServiceDelegatedAuthenticationPolicy(
          allowedProviders=[],
          permitUndefined=true,
          exclusive=false
        ),
        requireAllAttributes=true,
        requiredAttributes={},
        rejectedAttributes={},
        caseInsensitive=false
      ),
      publicKey=null,
      authenticationPolicy=DefaultRegisteredServiceAuthenticationPolicy(
        requiredAuthenticationHandlers=[],
        criteria=AnyAuthenticationHandlerRegisteredServiceAuthenticationPolicyCriteria(
          tryAll=false
        )
      ),
      properties={
        permissions=DefaultRegisteredServiceProperty(values=[1373037743]),
        claims=DefaultRegisteredServiceProperty(values=[1366926713]),
        accessTokenAsJwtSigningKey=DefaultRegisteredServiceProperty(
          values=[classpath:/etc/cas/config/cas-private.key]
        ),
        accessTokenAsJwtSigningEnabled=DefaultRegisteredServiceProperty(
          values=[true]
        ),
        myName=DefaultRegisteredServiceProperty(values=[583852201])
      },
      contacts=[]
    ),
    clientSecret=def,
    clientId=abc,
    bypassApprovalPrompt=false,
    generateRefreshToken=false,
    renewRefreshToken=false,
    jwtAccessToken=true,
    codeExpirationPolicy=null,
    accessTokenExpirationPolicy=null,
    refreshTokenExpirationPolicy=null,
    deviceTokenExpirationPolicy=null,
    supportedGrantTypes=[client_credentials],
    supportedResponseTypes=[]
  )
]
The jwt token that gets created is:
{
  "sub": "abc",
  "oauthClientId": "abc",
  "roles":[],
  "iss": "https://localhost:7001/cas",
  "nonce": "",
  "client_id": "abc",
  "aud": "abc",
  "grant_type": "CLIENT_CREDENTIALS",
  "permissions":[],
  "scope":[],
  "claims":[],
  "scopes":[],
  "state": "",
  "exp": 1628045011,
  "iat": 1628016211,
  "jti": "AT-2-vjOSaRnTRYfARo-fX-ZVsDB-dLVLjBRz"
}

As a test I'm trying to get a property myName to show up in the jwt token.  I'm ultimately trying to populate the permissions property.

When using other grant types such as password, I'm able to add custom attributes to the jwt token just fine.  I'm using REST authentication, so I can just return custom attributes in the response to CAS's login call.  However, since CAS doesn't make a REST authentication call for client_credentials, that technique doesn't help here.  In this case, I'm using a RESTful Service Registry (https://apereo.github.io/cas/6.3.x/services/REST-Service-Management.html) in case that's relevant.

Thanks for any ideas or insights,
Ken

Ray Bon

Aug 3, 2021, 4:26:59 PM
to cas-...@apereo.org
Ken,

Try this logger to see what cas is collecting as attributes:

        <!-- DEBUG Found principal attributes [...] for [username]
                   Attribute policy [???] allows release of [...] for [username]
                   Final collection of attributes allowed are: [...] -->
        <AsyncLogger name="org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy" level="debug"/>

Ray


Hopkins, Kenneth E

Aug 4, 2021, 9:50:25 AM
to cas-...@apereo.org
Thanks for the reply Ray.  I did have TRACE level debugging on, so I was getting those log messages.  However, I hadn't really paid attention to them.

2021-08-04 09:44:54,124 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Initiating attributes release phase for principal [abc] accessing service [AbstractWebApplicationService(id=abc, originalUrl=abc, artifactId=null, principal=null, source=null, loggedOutAlready=false, format=XML, attributes={})] defined by registered service [abcdef]...>
2021-08-04 09:44:54,124 TRACE [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Locating principal attributes for [abc]>
2021-08-04 09:44:54,124 TRACE [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Loading global principal attribute repository with caching policies...>
2021-08-04 09:44:54,124 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Using principal attribute repository [DefaultPrincipalAttributesRepository()] to retrieve attributes>
2021-08-04 09:44:54,124 DEBUG [org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository] - <Using [abc], no caching takes place for [DefaultPrincipalAttributesRepository] to add attributes.>
2021-08-04 09:44:54,124 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Found principal attributes [{oauthClientId=[abc]}] for [abc]>
2021-08-04 09:44:54,124 TRACE [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Located application context. Retrieving attribute definition store and attribute definitions...>
2021-08-04 09:44:54,124 TRACE [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <No attribute definitions are defined in the attribute definition store>
2021-08-04 09:44:54,124 TRACE [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Resolved principal attributes [{oauthClientId=[abc]}] for [abc] from attribute definition store>
2021-08-04 09:44:54,124 TRACE [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Calling attribute policy [ReturnAllAttributeReleasePolicy] to process attributes for [abc]>
2021-08-04 09:44:54,124 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Attribute policy [ReturnAllAttributeReleasePolicy] allows release of [{oauthClientId=[abc]}] for [abc]>
2021-08-04 09:44:54,124 TRACE [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Attempting to merge policy attributes and default attributes>
2021-08-04 09:44:54,124 TRACE [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Checking default attribute policy attributes>
2021-08-04 09:44:54,124 TRACE [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Located application context. Retrieving default attributes for release, if any>
2021-08-04 09:44:54,124 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Default attributes for release are: [[]]>
2021-08-04 09:44:54,124 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Default attributes found to be released are [{}]>
2021-08-04 09:44:54,124 TRACE [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Adding policy attributes to the released set of attributes>
2021-08-04 09:44:54,124 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Finalizing attributes release phase for principal [abc] accessing service [AbstractWebApplicationService(id=abc, originalUrl=abc, artifactId=null, principal=null, source=null, loggedOutAlready=false, format=XML, attributes={})] defined by registered service [abcdef]...>
2021-08-04 09:44:54,124 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Final collection of attributes allowed are: [{oauthClientId=[abc]}]>

I think what I'm having trouble understanding is where the principal attributes are coming from, and how I can define more attributes for it to find.  The one attribute that it found, oauthClientId, seems to be a built-in attribute.



Ken Hopkins

Aug 6, 2021, 5:02:35 PM
to CAS Community, Ken Hopkins
I'm still digging around trying to figure it out.  I'm making some progress, I think, but I'm still not able to get custom attributes into the JWT.  Is this expected?  Am I still missing something?  I wrote my own custom PrincipalAttributesRepository, and it does get called and does return custom attributes.

2021-08-06 16:26:35,491 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Initiating attributes release phase for principal [ghi] accessing service [AbstractWebApplicationService(id=ghi, originalUrl=ghi, artifactId=null, principal=null, source=null, loggedOutAlready=false, format=XML, attributes={})] defined by registered service [^test$]...>
2021-08-06 16:26:35,491 TRACE [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Locating principal attributes for [ghi]>
2021-08-06 16:26:35,491 TRACE [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Loading global principal attribute repository with caching policies...>
2021-08-06 16:26:35,491 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Using principal attribute repository [ClientCredentialsPrincipalAttributesRepository@7a6d06de] to retrieve attributes>
2021-08-06 16:26:35,491 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Found principal attributes [{permissions=[12345], myName=[myNameValue]}] for [ghi]>
2021-08-06 16:26:35,491 TRACE [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Located application context. Retrieving attribute definition store and attribute definitions...>
2021-08-06 16:26:35,494 TRACE [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Resolved principal attributes [{permissions=[12345], myName=[myNameValue]}] for [ghi] from attribute definition store>
2021-08-06 16:26:35,494 TRACE [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Calling attribute policy [ReturnAllAttributeReleasePolicy] to process attributes for [ghi]>
2021-08-06 16:26:35,494 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Attribute policy [ReturnAllAttributeReleasePolicy] allows release of [{permissions=[12345], myName=[myNameValue]}] for [ghi]>
2021-08-06 16:26:35,494 TRACE [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Attempting to merge policy attributes and default attributes>
2021-08-06 16:26:35,494 TRACE [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Checking default attribute policy attributes>
2021-08-06 16:26:35,494 TRACE [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Located application context. Retrieving default attributes for release, if any>
2021-08-06 16:26:35,495 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Default attributes for release are: [[]]>
2021-08-06 16:26:35,496 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Default attributes found to be released are [{}]>
2021-08-06 16:26:35,496 TRACE [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Adding policy attributes to the released set of attributes>
2021-08-06 16:26:35,496 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Finalizing attributes release phase for principal [ghi] accessing service [AbstractWebApplicationService(id=ghi, originalUrl=ghi, artifactId=null, principal=null, source=null, loggedOutAlready=false, format=XML, attributes={})] defined by registered service [^test$]...>
2021-08-06 16:26:35,496 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Final collection of attributes allowed are: [{myName=[myNameValue], permissions=[12345]}]>
2021-08-06 16:26:35,496 TRACE [org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy] - <Skipping access strategy policy, since no attributes rules are defined>
2021-08-06 16:26:35,496 TRACE [org.apereo.cas.audit.spi.principal.ThreadLocalPrincipalResolver] - <Resolving principal at audit point [execution(AuditableExecutionResult org.apereo.cas.services.RegisteredServiceAccessStrategyAuditableEnforcer.execute(AuditableContext))]>
2021-08-06 16:26:35,496 TRACE [org.apereo.cas.audit.spi.FilterAndDelegateAuditTrailManager] - <Recording audit action context [org.apereo.inspektr.audit.AuditActionContext@4675cdb6]>
2021-08-06 16:26:35,496 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [result=Service Access Granted,service=ghi,principal=SimplePrincipal(id=ghi, attributes={oauthClientId=[ghi]}),requiredAttributes={}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Fri Aug 06 16:26:35 EDT 2021
CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1%0
SERVER IP ADDRESS: 192.168.0.111
=============================================================

>
2021-08-06 16:26:35,506 TRACE [org.apereo.cas.ticket.factory.DefaultTicketGrantingTicketFactory] - <Attempting to encode ticket-granting ticket [TGT-1-*****H9mO1PiUVdvy-EIABTzqA-https://localhost:7001]>
2021-08-06 16:26:35,506 TRACE [org.apereo.cas.ticket.factory.DefaultTicketGrantingTicketFactory] - <Encoded ticket-granting ticket id [TGT-1-*****H9mO1PiUVdvy-EIABTzqA-https://localhost:7001]>
2021-08-06 16:26:35,507 DEBUG [org.apereo.cas.ticket.expiration.builder.TicketGrantingTicketExpirationPolicyBuilder] - <Ticket-granting ticket expiration policy is based on hard/idle timeouts of [28800]/[7200] seconds>
2021-08-06 16:26:35,508 DEBUG [org.apereo.cas.ticket.expiration.builder.TicketGrantingTicketExpirationPolicyBuilder] - <Final effective time-to-live of ticket-granting ticket expiration policy is [28800] seconds>
2021-08-06 16:26:35,508 TRACE [org.apereo.cas.ticket.registry.AbstractTicketRegistry] - <Ticket encryption is not enabled. Falling back to default behavior>
2021-08-06 16:26:35,508 DEBUG [org.apereo.cas.ticket.registry.AbstractMapBasedTicketRegistry] - <Added ticket [TGT-1-*****H9mO1PiUVdvy-EIABTzqA-https://localhost:7001] to registry.>
2021-08-06 16:26:35,509 TRACE [org.apereo.cas.AbstractCentralAuthenticationService] - <Publishing [CasTicketGrantingTicketCreatedEvent(super=AbstractCasTicketGrantingTicketEvent(super=AbstractCasEvent(), ticketGrantingTicket=TGT-1-*****H9mO1PiUVdvy-EIABTzqA-https://localhost:7001))]>
2021-08-06 16:26:35,509 TRACE [org.apereo.cas.audit.spi.principal.ThreadLocalPrincipalResolver] - <Resolving principal at audit point [execution(TicketGrantingTicket org.apereo.cas.DefaultCentralAuthenticationService.createTicketGrantingTicket(AuthenticationResult))]>
2021-08-06 16:26:35,510 TRACE [org.apereo.cas.audit.spi.FilterAndDelegateAuditTrailManager] - <Recording audit action context [org.apereo.inspektr.audit.AuditActionContext@3a4b439c]>
2021-08-06 16:26:35,510 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: ghi
WHAT: TGT-1-*****H9mO1PiUVdvy-EIABTzqA-https://localhost:7001
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Fri Aug 06 16:26:35 EDT 2021
CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1%0
SERVER IP ADDRESS: 192.168.0.111
=============================================================

>
2021-08-06 16:26:35,510 TRACE [org.apereo.cas.audit.spi.principal.ThreadLocalPrincipalResolver] - <Resolving principal at audit point [execution(AuditableExecutionResult org.apereo.cas.support.oauth.web.response.accesstoken.ext.AccessTokenGrantAuditableRequestExtractor.execute(AuditableContext))]>
2021-08-06 16:26:35,510 TRACE [org.apereo.cas.audit.spi.FilterAndDelegateAuditTrailManager] - <Recording audit action context [org.apereo.inspektr.audit.AuditActionContext@75d09df2]>
2021-08-06 16:26:35,510 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: ghi
WHAT: [token=N/A,client_id=ghi,service=ghi,grant_type=client_credentials,response_type=none,scopes=[]]
ACTION: OAUTH2_ACCESS_TOKEN_REQUEST_CREATED
APPLICATION: CAS
WHEN: Fri Aug 06 16:26:35 EDT 2021
CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1%0
SERVER IP ADDRESS: 192.168.0.111
=============================================================

>
...
2021-08-06 16:26:35,586 DEBUG [org.apereo.cas.token.JwtBuilder] - <Generated JWT [
{
  "sub": "ghi",
  "oauthClientId": "ghi",
  "roles":[],
  "iss": "https://localhost:7001/cas",
  "nonce": "",
  "client_id": "ghi",
  "aud": "ghi",
  "grant_type": "CLIENT_CREDENTIALS",
  "permissions":[],
  "scope":[],
  "claims":[],
  "scopes":[],
  "state": "",
  "exp": 1628310395,
  "iat": 1628281595,
  "jti": "AT-1-lO4LvHl0OIPK2ndyOuPZbw6sctfAf0I-"
}]>
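
One way to compare what the release policy allowed with what ended up in the token, as an added example that is not part of the original thread or of CAS: the script reads the two DEBUG lines quoted above (the "Final collection of attributes allowed" line and the JwtBuilder "Generated JWT" line) and reports each released attribute as present, empty, absent or mismatched in the JWT. The sample log is abridged from the thread's output, and the function names are this example's own.

```python
import json
import re

# Constructed sample: abridged from the DEBUG lines quoted in the thread
# (timestamps and some claims trimmed; values unchanged).
SAMPLE_LOG = """\
DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Final collection of attributes allowed are: [{myName=[myNameValue], permissions=[12345]}]>
DEBUG [org.apereo.cas.token.JwtBuilder] - <Generated JWT [
{
  "sub": "ghi",
  "oauthClientId": "ghi",
  "roles":[],
  "client_id": "ghi",
  "grant_type": "CLIENT_CREDENTIALS",
  "permissions":[],
  "claims":[]
}]>
"""

FINAL_RE = re.compile(r"Final collection of attributes allowed are: \[\{(.*?)\}\]>")
PAIR_RE = re.compile(r"([\w.:-]+)=\[([^\]]*)\]")


def released_attributes(log_text):
    """Parse the last 'Final collection of attributes allowed' line into a dict."""
    matches = FINAL_RE.findall(log_text)
    if not matches:
        return {}
    return {
        name: [v.strip() for v in values.split(",") if v.strip()]
        for name, values in PAIR_RE.findall(matches[-1])
    }


def jwt_claims(log_text):
    """Parse the claims JSON that follows the last 'Generated JWT [' marker."""
    marker = log_text.rfind("Generated JWT [")
    start = log_text.find("{", marker) if marker != -1 else -1
    if start == -1:
        return {}
    # raw_decode stops at the end of the JSON object and ignores the trailing ']>'.
    claims, _ = json.JSONDecoder().raw_decode(log_text[start:])
    return claims


def compare(log_text):
    """Map each released attribute to present / empty / absent / mismatch."""
    claims = jwt_claims(log_text)
    report = {}
    for name, expected in released_attributes(log_text).items():
        if name not in claims:
            report[name] = "absent"
            continue
        claim = claims[name]
        if claim in ([], "", None):
            report[name] = "empty"
            continue
        got = [str(v) for v in (claim if isinstance(claim, list) else [claim])]
        report[name] = "present" if sorted(got) == sorted(expected) else "mismatch"
    return report


if __name__ == "__main__":
    for attribute, status in compare(SAMPLE_LOG).items():
        print(f"{attribute}: {status}")
```

On the thread's output this reports myName as absent and permissions as empty, so a resource server that authorizes on the permissions claim would see none for this client.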

