cas.authn.oidc.core.include-id-token-claims=true

As per OpenID Connect Core section 5.4, "The Claims requested by the profile, email, address, and phone scope values are returned from the userinfo endpoint", except for response_type=id_token, where they are returned in the id_token (as there is no access token issued that could be used to access the userinfo endpoint). The Claims requested by the profile, email, address, and phone scope values are returned from the userinfo endpoint when a response_type value is used that results in an access token being issued. However, when no access token is issued (which is the case for the response_type value id_token), the resulting Claims are returned in the ID Token.

Setting this flag to true will force CAS to include claims in the ID token regardless of the response type. Note that this setting MUST ONLY be used as a last resort, to stay compliant with the specification as much as possible. DO NOT use this setting without due consideration.

Note that this setting is set to true by default, mainly to preserve backward compatibility with previous CAS versions that included claims in the ID token without considering the response type. The behavior of this setting may change and it may be removed in future CAS releases.
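The section 5.4 rule quoted above, and the effect of the CAS override flag on it, as an added Python model (not CAS project code): the claim mapping is the one from the release policy posted in this thread, while the principal attributes, scopes and subject are constructed sample values.

```python
"""Added example (not CAS project code): a small model of how OIDC Core
section 5.4 routes scope claims between the ID token and the userinfo
endpoint, and how cas.authn.oidc.core.include-id-token-claims overrides
that. Principal attributes, scopes and subject are constructed sample data."""

# Claims OIDC Core 5.4 ties to the profile and email scopes (only those
# that appear in the thread's sample token are listed).
SCOPE_CLAIMS = {
    "profile": {"name", "family_name", "given_name"},
    "email": {"email"},
}

# The mapping from the ReturnMappedAttributeReleasePolicy posted in the thread.
CLAIM_MAPPING = {"mail": "email", "cn": "name", "sn": "family_name",
                 "givenName": "given_name"}

# Constructed principal resembling the sample token in the thread.
PRINCIPAL = {"cn": "John Doe", "sn": "Doe", "givenName": "John",
             "mail": "jdoe@example.edu"}


def release_mapped_attributes(principal, mapping):
    """Mimic the mapped release policy: each source attribute is released
    under its mapped claim name; unmapped attributes are not released."""
    return {mapping[k]: v for k, v in principal.items() if k in mapping}


def access_token_issued(response_type):
    """'code' or 'token' in response_type yields an access token (directly
    or through the code exchange); a bare 'id_token' response does not."""
    return bool(set(response_type.split()) & {"code", "token"})


def route_claims(response_type, scopes, attributes, subject,
                 include_id_token_claims=False):
    """Return (id_token_claims, userinfo_claims) for one authorization."""
    wanted = set().union(*(SCOPE_CLAIMS.get(s, set()) for s in scopes))
    claims = {k: v for k, v in attributes.items() if k in wanted}
    id_token = {"sub": subject}
    # Section 5.4: claims go to userinfo when an access token exists and
    # into the ID token otherwise; the CAS flag forces them into the ID
    # token regardless of response_type.
    if include_id_token_claims or not access_token_issued(response_type):
        id_token.update(claims)
        return id_token, {"sub": subject}
    return id_token, {"sub": subject, **claims}
```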
so the attributes in your claims-map do not have value, so the IDToken does have value.
"attributeReleasePolicy" : {
  "@class": "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
  "allowedAttributes": {
    "@class": "java.util.TreeMap",
    "mail": "email",
    "cn": "name",
    "sn": "family_name",
    "givenName": "given_name"
  }
}
{
  "cn": "John Doe",
  "email": "jd...@example.edu",
  "family_name": "Doe",
  "given_name": "John",
  "mail": "jd...@example.edu",
  "name": "John Doe",
  "sub": "jdoe",
  "service": "https://cas.example.edu/account/idplogin",
  "auth_time": 1647958411,
  "id": "jdoe",
  "client_id": "local-o...@example.edu"
}