Hi Frédéric,

Thanks for the reply. In our case the claims are being included in the ID
Token, they just don't have the names we mapped and instead have the names
as they come from our attribute store. We are using `response_type=code` and
a `scope=openid`.

I had not tried `cas.authn.oidc.core.include-id-token-claims=true` since
the docs mentioned that is the default setting. I just tested again with it
set to `true` and there is no change, the claims appear in the ID Token but
not with the desired names. I also tried with it set to `false` and in that
case the claims did not appear in the ID Token.

John

On Tue, Jan 11, 2022 at 12:57 AM Frédéric Lohier <frede...@lohier.org>
wrote:

> Hello,
>
> Have you tried to set cas.authn.oidc.core.include-id-token-claims=true ?
>
> According to OIDC spec, if you are using response-type=code , the id_token
> should not contain the user claims. But, if you are using
> response_type=id_token, then the id_token should include the user claims.
> According to CAS 6.4 doc, if you set
> cas.authn.oidc.core.include-id-token-claims=true , it will force the
> release of user claims in the id_token.
> However, in my tests with CAS 6.4.4.2, even with response_type=id_token,
> user claims are not included in the id_token (tried to GET a URL like
> https://mycasserver.com/cas/oidc/oidcAuthorize?response_type=id_token&client_id=myclient&scope=openid%20profile%20email&redirect_uri=https://serviceredirecturi).
> Not a blocker for me for the moment, but if you find a fix, I'm interested.
>
> Here is the relevant documentation:
> https://apereo.github.io/cas/6.4.x/authentication/OIDC-Authentication-Claims.html#configuration
>
>    - cas.authn.oidc.core.include-id-token-claims=true
>
> As per OpenID Connect Core section 5.4, "The Claims requested by the
> profile, email, address, and phone scope values are returned from the
> userinfo endpoint", except for response_type=id_token, where they are
> returned in the id_token (as there is no access token issued that could be
> used to access the userinfo endpoint). The Claims requested by the profile,
> email, address, and phone scope values are returned from the userinfo
> endpoint when a response_type value is used that results in an access
> token being issued. However, when no access token is issued (which is the
> case for the response_type value id_token), the resulting Claims are
> returned in the ID Token.
>
> Setting this flag to true will force CAS to include claims in the ID token
> regardless of the response type. Note that this setting MUST ONLY be used
> as a last resort, to stay compliant with the specification as much as
> possible. DO NOT use this setting without due consideration.
>
> Note that this setting is set to true by default mainly provided to
> preserve backward compatibility with previous CAS versions that included
> claims into the ID token without considering the response type. The
> behavior of this setting may change and it may be removed in future CAS
> releases.
>
> On Tue, Jan 11, 2022 at 5:28 AM John Wagenleitner <
> joh...@mail.fresnostate.edu> wrote:
>
>> In CAS v6.3 (up to and including v6.3.7.4) we used the
>> `cas.authn.oidc.claims-map` properties to map our LDAP attribute names to
>> the standard claim names. This mapping worked for both the ID Token and the
>> UserInfo (`/profile`) endpoint.
>>
>> Here are the relevant properties we have set:
>>
>> ```
>> cas.authn.oidc.discovery.scopes=openid,profile,email
>> cas.authn.oidc.discovery.claims=sub,name,family_name,given_name,email
>> cas.authn.oidc.core.claims-map.email=mail
>> cas.authn.oidc.core.claims-map.name=cn
>> cas.authn.oidc.core.claims-map.family_name=sn
>> cas.authn.oidc.core.claims-map.given_name=givenName
>> ```
>>
>> This mapping is no longer working in CAS v6.4 (and also tested in the
>> latest v6.4.4.2) for the generated ID Token. Our ID Token claims no longer
>> contain the mapped names but instead contain the LDAP attribute names such
>> as `mail`, `cn`, etc. The UserInfo endpoint does correctly contain the
>> mapped claim names.
>>
>> As a possible workaround, I tried using a service definition that
>> included an `attributeReleasePolicy` using the
>> `ReturnMappedAttributeReleasePolicy` class but that had no effect on the ID
>> Token claim names.
>>
>> I have reviewed all the OIDC settings and didn't spot anything that looks
>> like it would address this issue.
>>
>> Any help/advice would be appreciated,
>> John
>>
>> --
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to cas-user+unsubscr...@apereo.org.
>> To view this discussion on the web visit
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/fdf662f8-e990-4b9a-b22a-57a6c643e0b1n%40apereo.org
>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/fdf662f8-e990-4b9a-b22a-57a6c643e0b1n%40apereo.org?utm_medium=email&utm_source=footer>
>> .
>>

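As an added diagnostic (not code from the thread or from CAS itself), the script below parses the `claims-map` properties quoted above and reports whether an ID token payload carries the standard claim names, the raw attribute names (the CAS 6.4 symptom described), or neither. The token builder, header, signature segment and payload values are constructed placeholders for offline use.

```python
import base64
import json
# Constructed copy of the claims-map properties quoted in the thread (not a live config).
CAS_PROPERTIES = """
cas.authn.oidc.discovery.claims=sub,name,family_name,given_name,email
cas.authn.oidc.core.claims-map.email=mail
cas.authn.oidc.core.claims-map.name=cn
cas.authn.oidc.core.claims-map.family_name=sn
cas.authn.oidc.core.claims-map.given_name=givenName
"""
CLAIMS_MAP_PREFIX = "cas.authn.oidc.core.claims-map."

def parse_claims_map(properties: str) -> dict:
    """Return {standard_claim: source_attribute} from the claims-map.* lines."""
    mapping = {}
    for line in properties.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.startswith(CLAIMS_MAP_PREFIX):
            mapping[key[len(CLAIMS_MAP_PREFIX):]] = value
    return mapping

def b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment only: this inspects claim names and does not
    replace the relying party's signature verification."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialized JWT")
    return json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))

def check_claim_names(claims: dict, claims_map: dict) -> dict:
    """Bucket each mapped claim: under the standard name, only under the raw
    attribute name (the 6.4 symptom in the thread), or missing entirely."""
    report = {"mapped": [], "unmapped": [], "missing": []}
    for standard, attribute in claims_map.items():
        bucket = "mapped" if standard in claims else "unmapped" if attribute in claims else "missing"
        report[bucket].append(standard)
    return report

def make_sample_token(payload: dict) -> str:
    """Constructed token with placeholder header and signature, for offline checks only."""
    return f"{b64url({'alg': 'RS256', 'kid': 'placeholder'})}.{b64url(payload)}.sig"

# Constructed payloads: the raw-attribute shape reported from CAS 6.4, and the expected mapped shape.
RAW_NAMES = {"sub": "jdoe", "mail": "jdoe@example.edu", "cn": "John Doe", "sn": "Doe", "givenName": "John"}
MAPPED_NAMES = {"sub": "jdoe", "email": "jdoe@example.edu", "name": "John Doe", "family_name": "Doe", "given_name": "John"}
```

Run `check_claim_names(decode_jwt_payload(token), parse_claims_map(CAS_PROPERTIES))` against a real ID token from a test client to see which bucket each configured claim lands in.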