Thanks for the reply, Ray. I did have TRACE level debugging on, so I was
getting those log messages. However, I hadn't really paid attention to them.
2021-08-04 09:44:54,124 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Initiating attributes release phase for principal [abc] accessing service
[AbstractWebApplicationService(id=abc, originalUrl=abc, artifactId=null,
principal=null, source=null, loggedOutAlready=false, format=XML,
attributes={})] defined by registered service [abcdef]...>
2021-08-04 09:44:54,124 TRACE
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Locating principal attributes for [abc]>
2021-08-04 09:44:54,124 TRACE
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Loading global principal attribute repository with caching policies...>
2021-08-04 09:44:54,124 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Using principal attribute repository [DefaultPrincipalAttributesRepository()]
to retrieve attributes>
2021-08-04 09:44:54,124 DEBUG
[org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository]
- <Using [abc], no caching takes place for
[DefaultPrincipalAttributesRepository] to add attributes.>
2021-08-04 09:44:54,124 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Found principal attributes [{oauthClientId=[abc]}] for [abc]>
2021-08-04 09:44:54,124 TRACE
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Located application context. Retrieving attribute definition store and
attribute definitions...>
2021-08-04 09:44:54,124 TRACE
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <No
attribute definitions are defined in the attribute definition store>
2021-08-04 09:44:54,124 TRACE
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Resolved principal attributes [{oauthClientId=[abc]}] for [abc] from attribute
definition store>
2021-08-04 09:44:54,124 TRACE
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Calling attribute policy [ReturnAllAttributeReleasePolicy] to process
attributes for [abc]>
2021-08-04 09:44:54,124 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Attribute policy [ReturnAllAttributeReleasePolicy] allows release of
[{oauthClientId=[abc]}] for [abc]>
2021-08-04 09:44:54,124 TRACE
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Attempting to merge policy attributes and default attributes>
2021-08-04 09:44:54,124 TRACE
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Checking default attribute policy attributes>
2021-08-04 09:44:54,124 TRACE
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Located application context. Retrieving default attributes for release, if any>
2021-08-04 09:44:54,124 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Default attributes for release are: [[]]>
2021-08-04 09:44:54,124 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Default attributes found to be released are [{}]>
2021-08-04 09:44:54,124 TRACE
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Adding policy attributes to the released set of attributes>
2021-08-04 09:44:54,124 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Finalizing attributes release phase for principal [abc] accessing service
[AbstractWebApplicationService(id=abc, originalUrl=abc, artifactId=null,
principal=null, source=null, loggedOutAlready=false, format=XML,
attributes={})] defined by registered service [abcdef]...>
2021-08-04 09:44:54,124 DEBUG
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Final collection of attributes allowed are: [{oauthClientId=[abc]}]>
I think what I'm having trouble understanding is where the principal attributes
are coming from, and how I can define more attributes for it to find. The one
attribute that it found, oauthClientId, seems to be a built-in attribute.
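As an added example (editor's code, not code from this thread or from CAS itself): a small Python parser for the three AbstractRegisteredServiceAttributeReleasePolicy messages Ray's logger suggestion below produces ("Found principal attributes", "Attribute policy [...] allows release of", "Final collection of attributes allowed are"), which re-joins mail-wrapped log lines and reports at which phase an expected attribute drops out of the release pipeline. The sample log is constructed to mirror the one above, and the attribute name myName is the one in the service definition's allowedAttributes.

```python
import re

# Constructed sample in the wrapped shape the mail client gave the thread's log; only the three messages Ray pointed at matter.
SAMPLE_LOG = """\
2021-08-04 09:44:54,124 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Found principal attributes [{oauthClientId=[abc]}] for [abc]>
2021-08-04 09:44:54,124 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Attribute policy [ReturnAllAttributeReleasePolicy] allows release of
[{oauthClientId=[abc]}] for [abc]>
2021-08-04 09:44:54,124 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] -
<Final collection of attributes allowed are: [{oauthClientId=[abc]}]>
"""
TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")
# One pattern per phase of the release pipeline; each captures the attribute map it logs.
PHASES = {
    "principal": re.compile(r"<Found principal attributes \[(?P<attrs>\{.*?\})\] for \["),
    "policy": re.compile(r"<Attribute policy \[\w+\] allows release of \[(?P<attrs>\{.*?\})\]"),
    "final": re.compile(r"<Final collection of attributes allowed are: \[(?P<attrs>\{.*?\})\]>"),
}
ATTR = re.compile(r"(\w+)=\[([^\]]*)\]")

def unwrap(text):
    """Re-join entries wrapped onto several lines: a continuation line has no timestamp."""
    entries = []
    for line in text.splitlines():
        if TIMESTAMP.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line.strip()
    return entries

def parse_attrs(blob):
    """'{oauthClientId=[abc], roles=[a, b]}' -> {'oauthClientId': ['abc'], 'roles': ['a', 'b']}."""
    return {k: [v.strip() for v in vals.split(",") if v.strip()] for k, vals in ATTR.findall(blob)}

def release_phases(text):
    phases = {}
    for entry in unwrap(text):
        for phase, rx in PHASES.items():
            if m := rx.search(entry):
                phases[phase] = parse_attrs(m.group("attrs"))
    return phases

def diagnose(text, expected):
    """Report where each expected attribute leaves the pipeline, or that it was released."""
    seen = release_phases(text)
    principal, policy, final = (set(seen.get(k, {})) for k in ("principal", "policy", "final"))
    return {"missing_from_principal": sorted(a for a in expected if a not in principal),
            "dropped_by_policy": sorted(a for a in expected if a in principal and a not in policy),
            "released": sorted(a for a in expected if a in final)}
```

Run against the log above with expected=["myName", "oauthClientId"], it reports myName as missing from the principal: the release policy can only allow attributes the principal already carries, so the place to look is attribute resolution, not the release policy.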
________________________________
From: [email protected] <[email protected]> on behalf of Ray Bon
<[email protected]>
Sent: Tuesday, August 3, 2021 4:26 PM
To: [email protected] <[email protected]>
Subject: Re: [cas-user] CAS 6.2.x oauth client_credentials grant type jwt token custom claims/attributes
Ken,
Try this logger to see what cas is collecting as attributes:
<!-- DEBUG Found principal attributes [...] for [username]
Attribute policy [???] allows release of [...] for [username]
Final collection of attributes allowed are: [...] -->
<AsyncLogger
name="org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy"
level="debug"/>
Ray
On Tue, 2021-08-03 at 12:57 -0700, 'Ken Hopkins' via CAS Community wrote:
I am using the oauth2 client-credentials grant type, and am having trouble
figuring out how to add attributes into the generated JWT.
My service definition is:
[
OAuthRegisteredService(
super=AbstractRegisteredService(
serviceId=abcdef,
name=API Test,
theme=null,
informationUrl=null,
privacyUrl=null,
responseType=null,
id=-8936606407628949180,
description=null,
expirationPolicy=DefaultRegisteredServiceExpirationPolicy(
deleteWhenExpired=false,
notifyWhenDeleted=false,
notifyWhenExpired=false,
expirationDate=null
),
acceptableUsagePolicy=DefaultRegisteredServiceAcceptableUsagePolicy(
enabled=true,
messageCode=null,
text=null
),
proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1,
proxyTicketExpirationPolicy=null,
proxyGrantingTicketExpirationPolicy=null,
serviceTicketExpirationPolicy=null,
singleSignOnParticipationPolicy=null,
evaluationOrder=0,
usernameAttributeProvider=org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider@87297e2,
logoutType=BACK_CHANNEL,
environments=[],
attributeReleasePolicy=ReturnAllowedAttributeReleasePolicy(
super=AbstractRegisteredServiceAttributeReleasePolicy(
attributeFilter=null,
principalAttributesRepository=DefaultPrincipalAttributesRepository(),
consentPolicy=DefaultRegisteredServiceConsentPolicy(
enabled=true,
excludedAttributes=null,
includeOnlyAttributes=null,
order=0
),
authorizedToReleaseCredentialPassword=false,
authorizedToReleaseProxyGrantingTicket=false,
excludeDefaultAttributes=false,
authorizedToReleaseAuthenticationAttributes=true,
principalIdAttribute=null,
order=0
),
allowedAttributes=[myName]
),
multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(
multifactorAuthenticationProviders=[],
failureMode=UNDEFINED,
principalAttributeNameTrigger=null,
principalAttributeValueToMatch=null,
bypassEnabled=false,
forceExecution=false,
bypassTrustedDeviceEnabled=false,
bypassPrincipalAttributeName=null,
bypassPrincipalAttributeValue=null,
script=null
),
logo=null,
logoutUrl=null,
redirectUrl=null,
accessStrategy=DefaultRegisteredServiceAccessStrategy(
order=0,
enabled=true,
ssoEnabled=true,
unauthorizedRedirectUrl=null,
delegatedAuthenticationPolicy=DefaultRegisteredServiceDelegatedAuthenticationPolicy(
allowedProviders=[],
permitUndefined=true,
exclusive=false
),
requireAllAttributes=true,
requiredAttributes={},
rejectedAttributes={},
caseInsensitive=false
),
publicKey=null,
authenticationPolicy=DefaultRegisteredServiceAuthenticationPolicy(
requiredAuthenticationHandlers=[],
criteria=AnyAuthenticationHandlerRegisteredServiceAuthenticationPolicyCriteria(
tryAll=false
)
),
properties={
permissions=DefaultRegisteredServiceProperty(values=[1373037743]),
claims=DefaultRegisteredServiceProperty(values=[1366926713]),
accessTokenAsJwtSigningKey=DefaultRegisteredServiceProperty(
values=[classpath:/etc/cas/config/cas-private.key]
),
accessTokenAsJwtSigningEnabled=DefaultRegisteredServiceProperty(
values=[true]
),
myName=DefaultRegisteredServiceProperty(values=[583852201])
},
contacts=[]
),
clientSecret=def,
clientId=abc,
bypassApprovalPrompt=false,
generateRefreshToken=false,
renewRefreshToken=false,
jwtAccessToken=true,
codeExpirationPolicy=null,
accessTokenExpirationPolicy=null,
refreshTokenExpirationPolicy=null,
deviceTokenExpirationPolicy=null,
supportedGrantTypes=[client_credentials],
supportedResponseTypes=[]
)
]
The jwt token that gets created is:
{
"sub": "abc",
"oauthClientId": "abc",
"roles":[],
"iss": "https://localhost:7001/cas",
"nonce": "",
"client_id": "abc",
"aud": "abc",
"grant_type": "CLIENT_CREDENTIALS",
"permissions":[],
"scope":[],
"claims":[],
"scopes":[],
"state": "",
"exp": 1628045011,
"iat": 1628016211,
"jti": "AT-2-vjOSaRnTRYfARo-fX-ZVsDB-dLVLjBRz"
}
As a test I'm trying to get a property myName to show up in the jwt token. I'm
ultimately trying to populate the permissions property.
When using other grant types such as password, I'm able to add custom attributes
to the jwt token just fine. I'm using REST authentication, so I can just
return custom attributes in the response to CAS's login call. However, since
CAS doesn't make a REST authentication call for client_credentials, that
technique doesn't help here. In this case, I'm using a RESTful Service
Registry
(https://apereo.github.io/cas/6.3.x/services/REST-Service-Management.html) in
case that's relevant.
Thanks for any ideas or insights,
Ken
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to a topic in the Google
Groups "CAS Community" group.
To unsubscribe from this topic, visit
https://groups.google.com/a/apereo.org/d/topic/cas-user/cVW85fe1aVU/unsubscribe.
To unsubscribe from this group and all its topics, send an email to
[email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/1aaa3f07540070d001ebaca2fe208fcb0722857f.camel%40uvic.ca.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/SJ0PR06MB714862AB2A0F73B64BEAD8B2B9F19%40SJ0PR06MB7148.namprd06.prod.outlook.com.