Ken,
Try this logger to see what cas is collecting as attributes:
<!-- DEBUG Found principal attributes [...] for [username]
Attribute policy [???] allows release of [...] for [username]
Final collection of attributes allowed are: [...] -->
<AsyncLogger
name="org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy"
level="debug"/>
Ray
On Tue, 2021-08-03 at 12:57 -0700, 'Ken Hopkins' via CAS Community wrote:
Notice: This message was sent from outside the University of Victoria email
system. Please be cautious with links and sensitive information.
I am using the oauth2 client-credentials grant type, and am having trouble
figuring out how to add attributes into the generated JWT.
My service definition is:
[
OAuthRegisteredService(
super=AbstractRegisteredService(
serviceId=abcdef,
name=API Test,
theme=null,
informationUrl=null,
privacyUrl=null,
responseType=null,
id=-8936606407628949180,
description=null,
expirationPolicy=DefaultRegisteredServiceExpirationPolicy(
deleteWhenExpired=false,
notifyWhenDeleted=false,
notifyWhenExpired=false,
expirationDate=null
),
acceptableUsagePolicy=DefaultRegisteredServiceAcceptableUsagePolicy(
enabled=true,
messageCode=null,
text=null
),
proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1,
proxyTicketExpirationPolicy=null,
proxyGrantingTicketExpirationPolicy=null,
serviceTicketExpirationPolicy=null,
singleSignOnParticipationPolicy=null,
evaluationOrder=0,
usernameAttributeProvider=org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider@87297e2,
logoutType=BACK_CHANNEL,
environments=[],
attributeReleasePolicy=ReturnAllowedAttributeReleasePolicy(
super=AbstractRegisteredServiceAttributeReleasePolicy(
attributeFilter=null,
principalAttributesRepository=DefaultPrincipalAttributesRepository(),
consentPolicy=DefaultRegisteredServiceConsentPolicy(
enabled=true,
excludedAttributes=null,
includeOnlyAttributes=null,
order=0
),
authorizedToReleaseCredentialPassword=false,
authorizedToReleaseProxyGrantingTicket=false,
excludeDefaultAttributes=false,
authorizedToReleaseAuthenticationAttributes=true,
principalIdAttribute=null,
order=0
),
allowedAttributes=[myName]
),
multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(
multifactorAuthenticationProviders=[],
failureMode=UNDEFINED,
principalAttributeNameTrigger=null,
principalAttributeValueToMatch=null,
bypassEnabled=false,
forceExecution=false,
bypassTrustedDeviceEnabled=false,
bypassPrincipalAttributeName=null,
bypassPrincipalAttributeValue=null,
script=null
),
logo=null,
logoutUrl=null,
redirectUrl=null,
accessStrategy=DefaultRegisteredServiceAccessStrategy(
order=0,
enabled=true,
ssoEnabled=true,
unauthorizedRedirectUrl=null,
delegatedAuthenticationPolicy=DefaultRegisteredServiceDelegatedAuthenticationPolicy(
allowedProviders=[],
permitUndefined=true,
exclusive=false
),
requireAllAttributes=true,
requiredAttributes={},
rejectedAttributes={},
caseInsensitive=false
),
publicKey=null,
authenticationPolicy=DefaultRegisteredServiceAuthenticationPolicy(
requiredAuthenticationHandlers=[],
criteria=AnyAuthenticationHandlerRegisteredServiceAuthenticationPolicyCriteria(
tryAll=false
)
),
properties={
permissions=DefaultRegisteredServiceProperty(values=[1373037743]),
claims=DefaultRegisteredServiceProperty(values=[1366926713]),
accessTokenAsJwtSigningKey=DefaultRegisteredServiceProperty(
values=[classpath:/etc/cas/config/cas-private.key]
),
accessTokenAsJwtSigningEnabled=DefaultRegisteredServiceProperty(
values=[true]
),
myName=DefaultRegisteredServiceProperty(values=[583852201])
},
contacts=[]
),
clientSecret=def,
clientId=abc,
bypassApprovalPrompt=false,
generateRefreshToken=false,
renewRefreshToken=false,
jwtAccessToken=true,
codeExpirationPolicy=null,
accessTokenExpirationPolicy=null,
refreshTokenExpirationPolicy=null,
deviceTokenExpirationPolicy=null,
supportedGrantTypes=[client_credentials],
supportedResponseTypes=[]
)
]
The jwt token that gets created is:
{
"sub": "abc",
"oauthClientId": "abc",
"roles":[],
"iss": "https://localhost:7001/cas";,
"nonce": "",
"client_id": "abc",
"aud": "abc",
"grant_type": "CLIENT_CREDENTIALS",
"permissions":[],
"scope":[],
"claims":[],
"scopes":[],
"state": "",
"exp": 1628045011,
"iat": 1628016211,
"jti": "AT-2-vjOSaRnTRYfARo-fX-ZVsDB-dLVLjBRz"
}
As a test I'm trying to get a property myName to show up in the jwt token. I'm
ultimately trying to populate the permissions property.
When using other grant types such as password, I'm able add custom attributes
to the jwt token just fine. I'm using REST authentication, so I can just
return custom attributes in the response to CAS's login call. However, since
CAS doesn't make a REST authentication call for client_credentials, that
technique doesn't help here. In this case, I'm using a RESTful Service
Registry
(https://apereo.github.io/cas/6.3.x/services/REST-Service-Management.html) in
case that's relevant.
Thanks for any ideas or insights,
Ken
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/1aaa3f07540070d001ebaca2fe208fcb0722857f.camel%40uvic.ca.
