Re: [cas-user] CAS 6.2.1 OpenID Connect OP attribute release issues

2020-08-27 Thread Nikolas Stylianides
Thank you Jerome. I will try that.
What is your configuration in the Service file?



On Thu, Aug 27, 2020 at 10:21 AM Jérôme Steve 
wrote:

> Hi Nikolas,
>
> For me scenario A should put claims on the attributes and on the top
> level.
> My configuration :
>
> # Supported scopes
> cas.authn.oidc.scopes=openid,profile,email,address,phone,profile_test
>
> # Supported claims
> cas.authn.oidc.claims=sub,name,preferred_username,family_name, \
> given_name,middle_name,given_name,profile, \
> picture,nickname,website,zoneinfo,locale,updated_at,birthdate, \
> email,email_verified,phone_number,phone_number_verified,address, \
> claim_test
>
> cas.authn.oidc.userDefinedScopes.profile_test=claim_test
> cas.authn.oidc.claimsMap.claim_test=attr_test
>
> That's it.
>
> output :
>
> {
> ...
> "claim_test": "test_value",
> ...
> "attributes": {
> "claim_test": "test_value"
> },
> ...
> }
>
> Jérôme.
>
>
> On Thu, Aug 27, 2020 at 08:36, Nikolas Stylianides
> wrote:
>
>> Hi Jerome.
>> Tried that.
>> No change. It still includes the claims in the "attributes" fields of the
>> JSON information it sends back.
>>
>>
>> Check 2 scenarios with configurations I have tried.
>> It's really strange. I cannot actually understand how it resolves claims.
>> Can you please provide me from the configuration files and the services
>> you have only the part that SCOPES and CLAIMS are concerned?
>> Thank you in advance.
>>
>>
>> * [Scenario A](#scenario-a)
>> * [Scenario B](#scenario-b)
>>
>> # Scenario A
>> ## Settings
>> ```
>> cas.authn.oidc.user-defined-scopes.myownscope=email,given_name,preferred_username
>> cas.authn.oidc.claimsMap.email=mail
>> cas.authn.oidc.claimsMap.given_name=givenName
>> ```
>> ## Outcome
>> ```
>> {
>> "sub": "username",
>> "service": "c44c3fc514202ac9a8cc5cf6437c1c21",
>> "auth_time": 1598508832,
>> "attributes": {
>> "email": "a...@gmail.com",
>> "given_name": "TestMe"
>> },
>> "id": "username",
>> "client_id": "c44c3fc514202ac9a8cc5cf6437c1c21"
>> }
>> ```
>> ## Debug CAS
>> > [{email=[a...@gmail.com], given_name=[TestMe], 
>> oauthClientId=[c44c3fc514202ac9a8cc5cf6437c1c21]}] do not contain this 
>> attribute>
>> > attributes [{email=[a...@gmail.com], given_name=[TestMe], 
>> oauthClientId=[c44c3fc514202ac9a8cc5cf6437c1c21]}] do not contain this 
>> attribute>
>>
>>
>> # Scenario B
>>
>> ## Settings
>> ```
>> cas.authn.oidc.user-defined-scopes.myownscope=mail,givenName
>> cas.authn.oidc.claimsMap.email=mail
>> cas.authn.oidc.claimsMap.given_name=givenName
>> ```
>> ## Outcome
>>
>> ```
>> {
>> "sub": "username",
>> "service": "c44c3fc514202ac9a8cc5cf6437c1c21",
>> "auth_time": 1598509383,
>> "attributes": {
>> "email": "a...@gmail.com",
>> "given_name": "TestMe",
>> "givenName": "TestMe",
>> "mail": "a...@gmail.com"
>> },
>> "id": "username",
>> "client_id": "c44c3fc514202ac9a8cc5cf6437c1c21"
>> }
>> ```
>>
>> ## Debug CAS
>> no complaining for missing attributes
>>
>>
>> On Wed, Aug 26, 2020 at 6:38 PM Jérôme Steve 
>> wrote:
>>
>>> Hi,
>>>
>>> Yes I checked it this afternoon, and effectively I have it too. Sorry for
>>> that, I never had to use it ...
>>>
>>> Your problem is here :
>>> cas.authn.oidc.userDefinedScopes.myownscopes=mail,givenName
>>>
>>> cas.authn.oidc.userDefinedScopes.myownscopes=email,given_name
>>> cas.authn.oidc.claimsMap.email=mail
>>> cas.authn.oidc.claimsMap.given_name=givenName
>>>
>>> In your userDefinedScopes.myownscopes you have to specify claims and not
>>> attributes directly.
>>>
>>> Jérôme.
>>>
>>> On Wed, Aug 26, 2020 at 11:49, Nikolas Stylianides <
>>> nstyliani...@gmail.com> wrote:
>>>
 Hi Jerome.
 I have deployed 6.1 and the behavior is the same.
 Claims are nested in "attributes".
 Can you please share with me your configuration?
 Maybe I miss something.

 On Wed, Aug 26, 2020 at 10:39 AM Jérôme Steve 
 wrote:

> Hi Nikolas,
>
> I have no idea sorry. It works like expected in 6.1.
>
> Jérôme.
>
> On Wed, Aug 26, 2020 at 06:19, Nikolas Stylianides <
> nstyliani...@gmail.com> wrote:
>
>> Hi Jerome.
>> Any ideas about this?
>> Anyone else from the developer team?
>> Is this a bug of 6.2.x or a feature?
>>
>>
>> On Tue, Aug 25, 2020 at 1:55 PM Nikolas Stylianides <
>> nstyliani...@gmail.com> wrote:
>>
>>> Hi Jerome.
>>> Just tried that. See my service configuration below.
>>> The same outcome.
>>>
>>> {
>>>   "@class" : "org.apereo.cas.services.OidcRegisteredService",
>>>   "serviceId" : "...",
>>>   "name" : "servicename",
>>>   "id" : 105,
>>>   "clientId": "...",
>>>   "clientSecret": "...",
>>>   "supportedGrantTypes":[ "java.util.HashSet",
>>>
>>> ["AUTHORIZATION_CODE","CLIENT_CREDENTIALS","PASSWORD","REFRESH_TOKEN"]
>>>   ],
>>>   "scopes": [ "java.u

Re: [cas-user] CAS 6.2.1 OpenID Connect OP attribute release issues

2020-08-27 Thread Jérôme Steve
Hi Nikolas,

For me scenario A should put claims on the attributes and on the top
level.
My configuration :

# Supported scopes
cas.authn.oidc.scopes=openid,profile,email,address,phone,profile_test

# Supported claims
cas.authn.oidc.claims=sub,name,preferred_username,family_name, \
given_name,middle_name,given_name,profile, \
picture,nickname,website,zoneinfo,locale,updated_at,birthdate, \
email,email_verified,phone_number,phone_number_verified,address, \
claim_test

cas.authn.oidc.userDefinedScopes.profile_test=claim_test
cas.authn.oidc.claimsMap.claim_test=attr_test

That's it.

output :

{
...
"claim_test": "test_value",
...
"attributes": {
"claim_test": "test_value"
},
...
}

Jérôme.


On Thu, Aug 27, 2020 at 08:36, Nikolas Stylianides
wrote:

> Hi Jerome.
> Tried that.
> No change. It still includes the claims in the "attributes" fields of the
> JSON information it sends back.
>
>
> Check 2 scenarios with configurations I have tried.
> It's really strange. I cannot actually understand how it resolves claims.
> Can you please provide me from the configuration files and the services
> you have only the part that SCOPES and CLAIMS are concerned?
> Thank you in advance.
>
>
> * [Scenario A](#scenario-a)
> * [Scenario B](#scenario-b)
>
> # Scenario A
> ## Settings
> ```
> cas.authn.oidc.user-defined-scopes.myownscope=email,given_name,preferred_username
> cas.authn.oidc.claimsMap.email=mail
> cas.authn.oidc.claimsMap.given_name=givenName
> ```
> ## Outcome
> ```
> {
> "sub": "username",
> "service": "c44c3fc514202ac9a8cc5cf6437c1c21",
> "auth_time": 1598508832,
> "attributes": {
> "email": "a...@gmail.com",
> "given_name": "TestMe"
> },
> "id": "username",
> "client_id": "c44c3fc514202ac9a8cc5cf6437c1c21"
> }
> ```
> ## Debug CAS
>  [{email=[a...@gmail.com], given_name=[TestMe], 
> oauthClientId=[c44c3fc514202ac9a8cc5cf6437c1c21]}] do not contain this 
> attribute>
>  attributes [{email=[a...@gmail.com], given_name=[TestMe], 
> oauthClientId=[c44c3fc514202ac9a8cc5cf6437c1c21]}] do not contain this 
> attribute>
>
>
> # Scenario B
>
> ## Settings
> ```
> cas.authn.oidc.user-defined-scopes.myownscope=mail,givenName
> cas.authn.oidc.claimsMap.email=mail
> cas.authn.oidc.claimsMap.given_name=givenName
> ```
> ## Outcome
>
> ```
> {
> "sub": "username",
> "service": "c44c3fc514202ac9a8cc5cf6437c1c21",
> "auth_time": 1598509383,
> "attributes": {
> "email": "a...@gmail.com",
> "given_name": "TestMe",
> "givenName": "TestMe",
> "mail": "a...@gmail.com"
> },
> "id": "username",
> "client_id": "c44c3fc514202ac9a8cc5cf6437c1c21"
> }
> ```
>
> ## Debug CAS
> no complaining for missing attributes
>
>
> On Wed, Aug 26, 2020 at 6:38 PM Jérôme Steve 
> wrote:
>
>> Hi,
>>
>> Yes I checked it this afternoon, and effectively I have it too. Sorry for
>> that, I never had to use it ...
>>
>> Your problem is here :
>> cas.authn.oidc.userDefinedScopes.myownscopes=mail,givenName
>>
>> cas.authn.oidc.userDefinedScopes.myownscopes=email,given_name
>> cas.authn.oidc.claimsMap.email=mail
>> cas.authn.oidc.claimsMap.given_name=givenName
>>
>> In your userDefinedScopes.myownscopes you have to specify claims and not
>> attributes directly.
>>
>> Jérôme.
>>
>> On Wed, Aug 26, 2020 at 11:49, Nikolas Stylianides
>> wrote:
>>
>>> Hi Jerome.
>>> I have deployed 6.1 and the behavior is the same.
>>> Claims are nested in "attributes".
>>> Can you please share with me your configuration?
>>> Maybe I miss something.
>>>
>>> On Wed, Aug 26, 2020 at 10:39 AM Jérôme Steve 
>>> wrote:
>>>
 Hi Nikolas,

 I have no idea sorry. It works like expected in 6.1.

 Jérôme.

 On Wed, Aug 26, 2020 at 06:19, Nikolas Stylianides <
 nstyliani...@gmail.com> wrote:

> Hi Jerome.
> Any ideas about this?
> Anyone else from the developer team?
> Is this a bug of 6.2.x or a feature?
>
>
> On Tue, Aug 25, 2020 at 1:55 PM Nikolas Stylianides <
> nstyliani...@gmail.com> wrote:
>
>> Hi Jerome.
>> Just tried that. See my service configuration below.
>> The same outcome.
>>
>> {
>>   "@class" : "org.apereo.cas.services.OidcRegisteredService",
>>   "serviceId" : "...",
>>   "name" : "servicename",
>>   "id" : 105,
>>   "clientId": "...",
>>   "clientSecret": "...",
>>   "supportedGrantTypes":[ "java.util.HashSet",
>>
>> ["AUTHORIZATION_CODE","CLIENT_CREDENTIALS","PASSWORD","REFRESH_TOKEN"]
>>   ],
>>   "scopes": [ "java.util.HashSet",[ "openid","profile", "email" ]],
>>   "supportedResponseTypes":[ "java.util.HashSet", [
>> "code","token","id_token","id_token token","code token" ] ],
>>   "theme": "apereo",
>>   "description" : "This service definition allows authorized
>> applications that support HTTPS protocol.",
>>   "evaluationOrder" : 10,
>>   "accessStrateg

Re: [cas-user] CAS 6.2.1 OpenID Connect OP attribute release issues

2020-08-26 Thread Nikolas Stylianides
Hi Jerome.
Tried that.
No change. It still includes the claims in the "attributes" fields of the
JSON information it sends back.


Check 2 scenarios with configurations I have tried.
It's really strange. I cannot actually understand how it resolves claims.
Can you please provide me from the configuration files and the services you
have only the part that SCOPES and CLAIMS are concerned?
Thank you in advance.


* [Scenario A](#scenario-a)
* [Scenario B](#scenario-b)

# Scenario A
## Settings
```
cas.authn.oidc.user-defined-scopes.myownscope=email,given_name,preferred_username
cas.authn.oidc.claimsMap.email=mail
cas.authn.oidc.claimsMap.given_name=givenName
```
## Outcome
```
{
"sub": "username",
"service": "c44c3fc514202ac9a8cc5cf6437c1c21",
"auth_time": 1598508832,
"attributes": {
"email": "a...@gmail.com",
"given_name": "TestMe"
},
"id": "username",
"client_id": "c44c3fc514202ac9a8cc5cf6437c1c21"
}
```
## Debug CAS




# Scenario B

## Settings
```
cas.authn.oidc.user-defined-scopes.myownscope=mail,givenName
cas.authn.oidc.claimsMap.email=mail
cas.authn.oidc.claimsMap.given_name=givenName
```
## Outcome

```
{
"sub": "username",
"service": "c44c3fc514202ac9a8cc5cf6437c1c21",
"auth_time": 1598509383,
"attributes": {
"email": "a...@gmail.com",
"given_name": "TestMe",
"givenName": "TestMe",
"mail": "a...@gmail.com"
},
"id": "username",
"client_id": "c44c3fc514202ac9a8cc5cf6437c1c21"
}
```

## Debug CAS
no complaining for missing attributes


On Wed, Aug 26, 2020 at 6:38 PM Jérôme Steve  wrote:

> Hi,
>
> Yes I checked it this afternoon, and effectively I have it too. Sorry for
> that, I never had to use it ...
>
> Your problem is here :
> cas.authn.oidc.userDefinedScopes.myownscopes=mail,givenName
>
> cas.authn.oidc.userDefinedScopes.myownscopes=email,given_name
> cas.authn.oidc.claimsMap.email=mail
> cas.authn.oidc.claimsMap.given_name=givenName
>
> In your userDefinedScopes.myownscopes you have to specify claims and not
> attributes directly.
>
> Jérôme.
>
> On Wed, Aug 26, 2020 at 11:49, Nikolas Stylianides
> wrote:
>
>> Hi Jerome.
>> I have deployed 6.1 and the behavior is the same.
>> Claims are nested in "attributes".
>> Can you please share with me your configuration?
>> Maybe I miss something.
>>
>> On Wed, Aug 26, 2020 at 10:39 AM Jérôme Steve 
>> wrote:
>>
>>> Hi Nikolas,
>>>
>>> I have no idea sorry. It works like expected in 6.1.
>>>
>>> Jérôme.
>>>
>>> On Wed, Aug 26, 2020 at 06:19, Nikolas Stylianides <
>>> nstyliani...@gmail.com> wrote:
>>>
 Hi Jerome.
 Any ideas about this?
 Anyone else from the developer team?
 Is this a bug of 6.2.x or a feature?


 On Tue, Aug 25, 2020 at 1:55 PM Nikolas Stylianides <
 nstyliani...@gmail.com> wrote:

> Hi Jerome.
> Just tried that. See my service configuration below.
> The same outcome.
>
> {
>   "@class" : "org.apereo.cas.services.OidcRegisteredService",
>   "serviceId" : "...",
>   "name" : "servicename",
>   "id" : 105,
>   "clientId": "...",
>   "clientSecret": "...",
>   "supportedGrantTypes":[ "java.util.HashSet",
>
> ["AUTHORIZATION_CODE","CLIENT_CREDENTIALS","PASSWORD","REFRESH_TOKEN"]
>   ],
>   "scopes": [ "java.util.HashSet",[ "openid","profile", "email" ]],
>   "supportedResponseTypes":[ "java.util.HashSet", [
> "code","token","id_token","id_token token","code token" ] ],
>   "theme": "apereo",
>   "description" : "This service definition allows authorized
> applications that support HTTPS protocol.",
>   "evaluationOrder" : 10,
>   "accessStrategy" : {
> "@class" :
> "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
> "enabled" : true,
> "ssoEnabled" : true
>   }
> }
>
>
>
> On Tue, Aug 25, 2020 at 12:03 AM Jérôme Steve 
> wrote:
>
>> Hi Nikolas,
>>
>> So after looking at your configuration, no it's not "normal". Claims
>> should appear on the top level and not in an attributes claim.
>>
>> First, try to remove your attributeReleasePolicy in your service.json.
>>
>> Also I haven't tested 6.2, I'm still in 6.1. So maybe it's an
>> improvement, but "attributes" is not a standard claim in OIDC ...
>>
>>
>>
>> On Sun, Aug 23, 2020 at 07:39, Nikolas Stylianides <
>> nstyliani...@gmail.com> wrote:
>>
>>> Hi Jerome. Please find below the configuration file and the service
>>> file.
>>>
>>> Service File
>>> =
>>>
>>>
>>> {
>>>   "@class" : "org.apereo.cas.services.OidcRegisteredService",
>>>   "serviceId" : "...",
>>>   "name" : "MYSERVICE",
>>>   "id" : 105,
>>>   "clientId": "...",
>>>   "clientSecret": "...",
>>>   "supportedGrantTypes":[ "java.util.HashSet",
>>>
>>> ["AUTHORIZATION_CODE","CLIENT_CREDENTIA

Re: [cas-user] CAS 6.2.1 OpenID Connect OP attribute release issues

2020-08-26 Thread Jérôme Steve
Hi,

Yes I checked it this afternoon, and effectively I have it too. Sorry for
that, I never had to use it ...

Your problem is here :
cas.authn.oidc.userDefinedScopes.myownscopes=mail,givenName

cas.authn.oidc.userDefinedScopes.myownscopes=email,given_name
cas.authn.oidc.claimsMap.email=mail
cas.authn.oidc.claimsMap.given_name=givenName

In your userDefinedScopes.myownscopes you have to specify claims and not
attributes directly.

Jérôme.

On Wed, Aug 26, 2020 at 11:49, Nikolas Stylianides
wrote:

> Hi Jerome.
> I have deployed 6.1 and the behavior is the same.
> Claims are nested in "attributes".
> Can you please share with me your configuration?
> Maybe I miss something.
>
> On Wed, Aug 26, 2020 at 10:39 AM Jérôme Steve 
> wrote:
>
>> Hi Nikolas,
>>
>> I have no idea sorry. It works like expected in 6.1.
>>
>> Jérôme.
>>
>> On Wed, Aug 26, 2020 at 06:19, Nikolas Stylianides
>> wrote:
>>
>>> Hi Jerome.
>>> Any ideas about this?
>>> Anyone else from the developer team?
>>> Is this a bug of 6.2.x or a feature?
>>>
>>>
>>> On Tue, Aug 25, 2020 at 1:55 PM Nikolas Stylianides <
>>> nstyliani...@gmail.com> wrote:
>>>
 Hi Jerome.
 Just tried that. See my service configuration below.
 The same outcome.

 {
   "@class" : "org.apereo.cas.services.OidcRegisteredService",
   "serviceId" : "...",
   "name" : "servicename",
   "id" : 105,
   "clientId": "...",
   "clientSecret": "...",
   "supportedGrantTypes":[ "java.util.HashSet",

 ["AUTHORIZATION_CODE","CLIENT_CREDENTIALS","PASSWORD","REFRESH_TOKEN"]
   ],
   "scopes": [ "java.util.HashSet",[ "openid","profile", "email" ]],
   "supportedResponseTypes":[ "java.util.HashSet", [
 "code","token","id_token","id_token token","code token" ] ],
   "theme": "apereo",
   "description" : "This service definition allows authorized
 applications that support HTTPS protocol.",
   "evaluationOrder" : 10,
   "accessStrategy" : {
 "@class" :
 "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
 "enabled" : true,
 "ssoEnabled" : true
   }
 }



 On Tue, Aug 25, 2020 at 12:03 AM Jérôme Steve 
 wrote:

> Hi Nikolas,
>
> So after looking at your configuration, no it's not "normal". Claims
> should appear on the top level and not in an attributes claim.
>
> First, try to remove your attributeReleasePolicy in your service.json.
>
> Also I haven't tested 6.2, I'm still in 6.1. So maybe it's an
> improvement, but "attributes" is not a standard claim in OIDC ...
>
>
>
> On Sun, Aug 23, 2020 at 07:39, Nikolas Stylianides <
> nstyliani...@gmail.com> wrote:
>
>> Hi Jerome. Please find below the configuration file and the service
>> file.
>>
>> Service File
>> =
>>
>>
>> {
>>   "@class" : "org.apereo.cas.services.OidcRegisteredService",
>>   "serviceId" : "...",
>>   "name" : "MYSERVICE",
>>   "id" : 105,
>>   "clientId": "...",
>>   "clientSecret": "...",
>>   "supportedGrantTypes":[ "java.util.HashSet",
>>
>> ["AUTHORIZATION_CODE","CLIENT_CREDENTIALS","PASSWORD","REFRESH_TOKEN"]
>>   ],
>>   "scopes": [ "java.util.HashSet",[ "openid","profile",
>> "email","myownscope" ]],
>>   "supportedResponseTypes":[ "java.util.HashSet", [
>> "code","token","id_token","id_token token","code token" ] ],
>>   "theme": "apereo",
>>   "description" : "This service definition allows authorized
>> applications that support HTTPS protocol.",
>>   "evaluationOrder" : 10,
>>   "attributeReleasePolicy" : {
>> "@class" :
>> "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
>> "allowedAttributes" : {
>>   "@class" : "java.util.TreeMap",
>>   "givenName" : "givenName",
>>   "mail" : "mail",
>>   "cn":"profile",
>>
>> }
>>   },
>>   "accessStrategy" : {
>> "@class" :
>> "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
>> "enabled" : true,
>> "ssoEnabled" : true
>>   }
>> }
>>
>> LDAP Configuration
>> 
>>
>> cas.authn.ldap[0].principal-attribute-list=sn,cn,givenName,mail,c,l,telephoneNumber
>>
>> OID Connect configuration (the ones that are related to claims)
>> 
>> cas.authn.oidc.subject-types=public
>>
>> cas.authn.oidc.scopes=myownscope,openid,profile,email,address,phone,offline_access
>>
>> cas.authn.oidc.claims=mail,givenName,sub,name,preferred_username,family_name,given_name,middle_name,given_name,profile,picture,nickname,website,zoneinfo,locale,updated_at,birthdate,email,email_verified,phone_number,phone_number_verified
>> cas.authn.oidc.userDefinedScopes.myownscopes=mail,givenName
>>
>> # Add more claims. They will appear in the "at
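
The rule stated in the message above (a user-defined scope lists claims, and `claimsMap` maps each claim to a directory attribute) can be checked mechanically. The following is an added example, not part of the thread and not CAS code: the function names and finding codes are hypothetical, the consistency rules are assumptions of this sketch, and the two sample inputs are constructed from settings quoted in the thread.

```python
import re

OIDC_PREFIX = "cas.authn.oidc."
LDAP_ATTRS = re.compile(r"cas\.authn\.ldap\[\d+\]\.principal-?attribute-?list", re.I)

# Constructed sample: settings as quoted in the thread (claims list shortened).
THREAD_CONFIG = r"""
cas.authn.ldap[0].principal-attribute-list=sn,cn,givenName,mail,c,l,telephoneNumber
cas.authn.oidc.scopes=myownscope,openid,profile,email,address,phone,offline_access
cas.authn.oidc.claims=mail,givenName,sub,name,preferred_username,given_name,email
cas.authn.oidc.userDefinedScopes.myownscopes=mail,givenName
# Add more claims.
cas.authn.oidc.claimsMap.email=mail
cas.authn.oidc.claimsMap.given_name=givenName
"""

# Constructed sample: the same settings with the scope listing claims.
REVISED_CONFIG = r"""
cas.authn.ldap[0].principal-attribute-list=sn,cn,givenName,mail
cas.authn.oidc.scopes=myownscope,openid,profile,email
cas.authn.oidc.claims=sub,name,preferred_username, \
  given_name,email
cas.authn.oidc.user-defined-scopes.myownscope=email,given_name
cas.authn.oidc.claimsMap.email=mail
cas.authn.oidc.claimsMap.given_name=givenName
"""


def parse_properties(text):
    """Parse key=value lines, skipping comments and joining backslash continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            pending += line[:-1].strip()
            continue
        key, sep, value = (pending + line).partition("=")
        pending = ""
        if sep:
            props[key.strip()] = value.strip()
    return props


def split_csv(value):
    return [item.strip() for item in value.split(",") if item.strip()]


def load_model(props):
    """Collect the scope, claim and attribute settings the thread discusses."""
    model = {"scopes": [], "claims": [], "user_scopes": {}, "claims_map": {}, "ldap": set()}
    for key, value in props.items():
        if LDAP_ATTRS.fullmatch(key):
            model["ldap"].update(split_csv(value))
        elif key.startswith(OIDC_PREFIX):
            head, _, map_key = key[len(OIDC_PREFIX):].partition(".")
            # user-defined-scopes and userDefinedScopes name the same property
            name = head.replace("-", "").lower()
            if name in ("scopes", "claims"):
                model[name] = split_csv(value)
            elif name == "userdefinedscopes" and map_key:
                model["user_scopes"][map_key] = split_csv(value)
            elif name == "claimsmap" and map_key:
                model["claims_map"][map_key] = value
    return model


def lint(model):
    """Return (code, subject, hint) tuples for inconsistencies in the mapping chain."""
    findings = []
    claim_for_attr = {attr: claim for claim, attr in model["claims_map"].items()}
    for scope, entries in model["user_scopes"].items():
        if scope not in model["scopes"]:
            findings.append(("scope-not-listed", scope,
                             "name differs from every entry in cas.authn.oidc.scopes"))
        for entry in entries:
            if entry in claim_for_attr and entry not in model["claims_map"]:
                findings.append(("attribute-in-scope", f"{scope}:{entry}",
                                 f"directory attribute; list the claim '{claim_for_attr[entry]}'"))
            elif entry not in model["claims"]:
                findings.append(("unknown-claim", f"{scope}:{entry}",
                                 "not present in cas.authn.oidc.claims"))
    for claim, attr in model["claims_map"].items():
        if model["ldap"] and attr not in model["ldap"]:
            findings.append(("attribute-not-retrieved", claim,
                             f"'{attr}' is not in principal-attribute-list"))
    return findings


def check(text):
    return lint(load_model(parse_properties(text)))


if __name__ == "__main__":
    for label, text in (("thread", THREAD_CONFIG), ("revised", REVISED_CONFIG)):
        print(label, check(text) or "consistent")
```

A clean result only means the scope, claim and attribute names line up with each other; it says nothing about where the server places the claims in its response.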

Re: [cas-user] CAS 6.2.1 OpenID Connect OP attribute release issues

2020-08-26 Thread Nikolas Stylianides
Hi Jerome.
I have deployed 6.1 and the behavior is the same.
Claims are nested in "attributes".
Can you please share with me your configuration?
Maybe I miss something.

On Wed, Aug 26, 2020 at 10:39 AM Jérôme Steve 
wrote:

> Hi Nikolas,
>
> I have no idea sorry. It works like expected in 6.1.
>
> Jérôme.
>
> On Wed, Aug 26, 2020 at 06:19, Nikolas Stylianides
> wrote:
>
>> Hi Jerome.
>> Any ideas about this?
>> Anyone else from the developer team?
>> Is this a bug of 6.2.x or a feature?
>>
>>
>> On Tue, Aug 25, 2020 at 1:55 PM Nikolas Stylianides <
>> nstyliani...@gmail.com> wrote:
>>
>>> Hi Jerome.
>>> Just tried that. See my service configuration below.
>>> The same outcome.
>>>
>>> {
>>>   "@class" : "org.apereo.cas.services.OidcRegisteredService",
>>>   "serviceId" : "...",
>>>   "name" : "servicename",
>>>   "id" : 105,
>>>   "clientId": "...",
>>>   "clientSecret": "...",
>>>   "supportedGrantTypes":[ "java.util.HashSet",
>>>
>>> ["AUTHORIZATION_CODE","CLIENT_CREDENTIALS","PASSWORD","REFRESH_TOKEN"]
>>>   ],
>>>   "scopes": [ "java.util.HashSet",[ "openid","profile", "email" ]],
>>>   "supportedResponseTypes":[ "java.util.HashSet", [
>>> "code","token","id_token","id_token token","code token" ] ],
>>>   "theme": "apereo",
>>>   "description" : "This service definition allows authorized
>>> applications that support HTTPS protocol.",
>>>   "evaluationOrder" : 10,
>>>   "accessStrategy" : {
>>> "@class" :
>>> "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
>>> "enabled" : true,
>>> "ssoEnabled" : true
>>>   }
>>> }
>>>
>>>
>>>
>>> On Tue, Aug 25, 2020 at 12:03 AM Jérôme Steve 
>>> wrote:
>>>
 Hi Nikolas,

 So after looking at your configuration, no it's not "normal". Claims
 should appear on the top level and not in an attributes claim.

 First, try to remove your attributeReleasePolicy in your service.json.

 Also I haven't tested 6.2, I'm still in 6.1. So maybe it's an
 improvement, but "attributes" is not a standard claim in OIDC ...



 On Sun, Aug 23, 2020 at 07:39, Nikolas Stylianides <
 nstyliani...@gmail.com> wrote:

> Hi Jerome. Please find below the configuration file and the service
> file.
>
> Service File
> =
>
>
> {
>   "@class" : "org.apereo.cas.services.OidcRegisteredService",
>   "serviceId" : "...",
>   "name" : "MYSERVICE",
>   "id" : 105,
>   "clientId": "...",
>   "clientSecret": "...",
>   "supportedGrantTypes":[ "java.util.HashSet",
>
> ["AUTHORIZATION_CODE","CLIENT_CREDENTIALS","PASSWORD","REFRESH_TOKEN"]
>   ],
>   "scopes": [ "java.util.HashSet",[ "openid","profile",
> "email","myownscope" ]],
>   "supportedResponseTypes":[ "java.util.HashSet", [
> "code","token","id_token","id_token token","code token" ] ],
>   "theme": "apereo",
>   "description" : "This service definition allows authorized
> applications that support HTTPS protocol.",
>   "evaluationOrder" : 10,
>   "attributeReleasePolicy" : {
> "@class" :
> "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
> "allowedAttributes" : {
>   "@class" : "java.util.TreeMap",
>   "givenName" : "givenName",
>   "mail" : "mail",
>   "cn":"profile",
>
> }
>   },
>   "accessStrategy" : {
> "@class" :
> "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
> "enabled" : true,
> "ssoEnabled" : true
>   }
> }
>
> LDAP Configuration
> 
>
> cas.authn.ldap[0].principal-attribute-list=sn,cn,givenName,mail,c,l,telephoneNumber
>
> OID Connect configuration (the ones that are related to claims)
> 
> cas.authn.oidc.subject-types=public
>
> cas.authn.oidc.scopes=myownscope,openid,profile,email,address,phone,offline_access
>
> cas.authn.oidc.claims=mail,givenName,sub,name,preferred_username,family_name,given_name,middle_name,given_name,profile,picture,nickname,website,zoneinfo,locale,updated_at,birthdate,email,email_verified,phone_number,phone_number_verified
> cas.authn.oidc.userDefinedScopes.myownscopes=mail,givenName
>
> # Add more claims. They will appear in the "attributes" claim.
> #
> cas.authn.oidc.claimsMap.email=mail
> #cas.authn.oidc.claimsMap.preferred_username=given_name
> cas.authn.oidc.claimsMap.given_name=givenName
>
>
>
>
>
>
> On Sat, Aug 22, 2020 at 6:33 PM Nikolas Stylianides <
> nstyliani...@gmail.com> wrote:
>
>> I will send you the configuration files.
>> I am not declaring any attribute claim.
>>
>> email is both a scope and a claim.
>>
>>
>> On Sat, Aug 22, 2020, 16:35 Jérôme Steve <
>> jerome.st...@gmail.com> wrote:
>>
>>> If you define a custom claim "attributes" it's normal

Re: [cas-user] CAS 6.2.1 OpenID Connect OP attribute release issues

2020-08-26 Thread Jérôme Steve
Hi Nikolas,

I have no idea sorry. It works like expected in 6.1.

Jérôme.

On Wed, Aug 26, 2020 at 06:19, Nikolas Stylianides
wrote:

> Hi Jerome.
> Any ideas about this?
> Anyone else from the developer team?
> Is this a bug of 6.2.x or a feature?
>
>
> On Tue, Aug 25, 2020 at 1:55 PM Nikolas Stylianides <
> nstyliani...@gmail.com> wrote:
>
>> Hi Jerome.
>> Just tried that. See my service configuration below.
>> The same outcome.
>>
>> {
>>   "@class" : "org.apereo.cas.services.OidcRegisteredService",
>>   "serviceId" : "...",
>>   "name" : "servicename",
>>   "id" : 105,
>>   "clientId": "...",
>>   "clientSecret": "...",
>>   "supportedGrantTypes":[ "java.util.HashSet",
>> ["AUTHORIZATION_CODE","CLIENT_CREDENTIALS","PASSWORD","REFRESH_TOKEN"]
>>   ],
>>   "scopes": [ "java.util.HashSet",[ "openid","profile", "email" ]],
>>   "supportedResponseTypes":[ "java.util.HashSet", [
>> "code","token","id_token","id_token token","code token" ] ],
>>   "theme": "apereo",
>>   "description" : "This service definition allows authorized applications
>> that support HTTPS protocol.",
>>   "evaluationOrder" : 10,
>>   "accessStrategy" : {
>> "@class" :
>> "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
>> "enabled" : true,
>> "ssoEnabled" : true
>>   }
>> }
>>
>>
>>
>> On Tue, Aug 25, 2020 at 12:03 AM Jérôme Steve 
>> wrote:
>>
>>> Hi Nikolas,
>>>
>>> So after looking at your configuration, no it's not "normal". Claims
>>> should appear on the top level and not in an attributes claim.
>>>
>>> First, try to remove your attributeReleasePolicy in your service.json.
>>>
>>> Also I haven't tested 6.2, I'm still in 6.1. So maybe it's an improvement,
>>> but "attributes" is not a standard claim in OIDC ...
>>>
>>>
>>>
>>> On Sun, Aug 23, 2020 at 07:39, Nikolas Stylianides <
>>> nstyliani...@gmail.com> wrote:
>>>
 Hi Jerome. Please find below the configuration file and the service
 file.

 Service File
 =


 {
   "@class" : "org.apereo.cas.services.OidcRegisteredService",
   "serviceId" : "...",
   "name" : "MYSERVICE",
   "id" : 105,
   "clientId": "...",
   "clientSecret": "...",
   "supportedGrantTypes":[ "java.util.HashSet",

 ["AUTHORIZATION_CODE","CLIENT_CREDENTIALS","PASSWORD","REFRESH_TOKEN"]
   ],
   "scopes": [ "java.util.HashSet",[ "openid","profile",
 "email","myownscope" ]],
   "supportedResponseTypes":[ "java.util.HashSet", [
 "code","token","id_token","id_token token","code token" ] ],
   "theme": "apereo",
   "description" : "This service definition allows authorized
 applications that support HTTPS protocol.",
   "evaluationOrder" : 10,
   "attributeReleasePolicy" : {
 "@class" :
 "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
 "allowedAttributes" : {
   "@class" : "java.util.TreeMap",
   "givenName" : "givenName",
   "mail" : "mail",
   "cn":"profile",

 }
   },
   "accessStrategy" : {
 "@class" :
 "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
 "enabled" : true,
 "ssoEnabled" : true
   }
 }

 LDAP Configuration
 

 cas.authn.ldap[0].principal-attribute-list=sn,cn,givenName,mail,c,l,telephoneNumber

 OID Connect configuration (the ones that are related to claims)
 
 cas.authn.oidc.subject-types=public

 cas.authn.oidc.scopes=myownscope,openid,profile,email,address,phone,offline_access

 cas.authn.oidc.claims=mail,givenName,sub,name,preferred_username,family_name,given_name,middle_name,given_name,profile,picture,nickname,website,zoneinfo,locale,updated_at,birthdate,email,email_verified,phone_number,phone_number_verified
 cas.authn.oidc.userDefinedScopes.myownscopes=mail,givenName

 # Add more claims. They will appear in the "attributes" claim.
 #
 cas.authn.oidc.claimsMap.email=mail
 #cas.authn.oidc.claimsMap.preferred_username=given_name
 cas.authn.oidc.claimsMap.given_name=givenName






 On Sat, Aug 22, 2020 at 6:33 PM Nikolas Stylianides <
 nstyliani...@gmail.com> wrote:

> I will send you the configuration files.
> I am not declaring any attribute claim.
>
> email is both a scope and a claim.
>
>
> On Sat, Aug 22, 2020, 16:35 Jérôme Steve <
> jerome.st...@gmail.com> wrote:
>
>> If you define a custom claim "attributes" it's normal I think.
>>
>> Show me your custom configuration to be sure.
>>
>> On Sat, Aug 22, 2020 at 15:16, Nikolas Stylianides <
>> nstyliani...@gmail.com> wrote:
>>
>>> I have gone this further.
>>> I declare a SCOPE of my own. With specific CLAIMS.
>>> And these claims are mapped to attributes.
>>>
>>> All claims appear in field "attribute

Re: [cas-user] CAS 6.2.1 OpenID Connect OP attribute release issues

2020-08-25 Thread Nikolas Stylianides
Hi Jerome.
Any ideas about this?
Anyone else from the developer team?
Is this a bug of 6.2.x or a feature?


On Tue, Aug 25, 2020 at 1:55 PM Nikolas Stylianides 
wrote:

> Hi Jerome.
> Just tried that. See my service configuration below.
> The same outcome.
>
> {
>   "@class" : "org.apereo.cas.services.OidcRegisteredService",
>   "serviceId" : "...",
>   "name" : "servicename",
>   "id" : 105,
>   "clientId": "...",
>   "clientSecret": "...",
>   "supportedGrantTypes":[ "java.util.HashSet",
> ["AUTHORIZATION_CODE","CLIENT_CREDENTIALS","PASSWORD","REFRESH_TOKEN"]
>   ],
>   "scopes": [ "java.util.HashSet",[ "openid","profile", "email" ]],
>   "supportedResponseTypes":[ "java.util.HashSet", [
> "code","token","id_token","id_token token","code token" ] ],
>   "theme": "apereo",
>   "description" : "This service definition allows authorized applications
> that support HTTPS protocol.",
>   "evaluationOrder" : 10,
>   "accessStrategy" : {
> "@class" :
> "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
> "enabled" : true,
> "ssoEnabled" : true
>   }
> }
>
>
>
> On Tue, Aug 25, 2020 at 12:03 AM Jérôme Steve 
> wrote:
>
>> Hi Nikolas,
>>
>> So after looking at your configuration, no it's not "normal". Claims should
>> appear on the top level and not in an attributes claim.
>>
>> First, try to remove your attributeReleasePolicy in your service.json.
>>
>> Also I haven't tested 6.2, I'm still in 6.1. So maybe it's an improvement,
>> but "attributes" is not a standard claim in OIDC ...
>>
>>
>>
>> On Sun, Aug 23, 2020 at 07:39, Nikolas Stylianides
>> wrote:
>>
>>> Hi Jerome. Please find below the configuration file and the service file.
>>>
>>> Service File
>>> =
>>>
>>>
>>> {
>>>   "@class" : "org.apereo.cas.services.OidcRegisteredService",
>>>   "serviceId" : "...",
>>>   "name" : "MYSERVICE",
>>>   "id" : 105,
>>>   "clientId": "...",
>>>   "clientSecret": "...",
>>>   "supportedGrantTypes":[ "java.util.HashSet",
>>>
>>> ["AUTHORIZATION_CODE","CLIENT_CREDENTIALS","PASSWORD","REFRESH_TOKEN"]
>>>   ],
>>>   "scopes": [ "java.util.HashSet",[ "openid","profile",
>>> "email","myownscope" ]],
>>>   "supportedResponseTypes":[ "java.util.HashSet", [
>>> "code","token","id_token","id_token token","code token" ] ],
>>>   "theme": "apereo",
>>>   "description" : "This service definition allows authorized
>>> applications that support HTTPS protocol.",
>>>   "evaluationOrder" : 10,
>>>   "attributeReleasePolicy" : {
>>> "@class" :
>>> "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
>>> "allowedAttributes" : {
>>>   "@class" : "java.util.TreeMap",
>>>   "givenName" : "givenName",
>>>   "mail" : "mail",
>>>   "cn":"profile",
>>>
>>> }
>>>   },
>>>   "accessStrategy" : {
>>> "@class" :
>>> "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
>>> "enabled" : true,
>>> "ssoEnabled" : true
>>>   }
>>> }
>>>
>>> LDAP Configuration
>>> 
>>>
>>> cas.authn.ldap[0].principal-attribute-list=sn,cn,givenName,mail,c,l,telephoneNumber
>>>
>>> OID Connect configuration (the ones that are related to claims)
>>> 
>>> cas.authn.oidc.subject-types=public
>>>
>>> cas.authn.oidc.scopes=myownscope,openid,profile,email,address,phone,offline_access
>>>
>>> cas.authn.oidc.claims=mail,givenName,sub,name,preferred_username,family_name,given_name,middle_name,given_name,profile,picture,nickname,website,zoneinfo,locale,updated_at,birthdate,email,email_verified,phone_number,phone_number_verified
>>> cas.authn.oidc.userDefinedScopes.myownscopes=mail,givenName
>>>
>>> # Add more claims. They will appear in the "attributes" claim.
>>> #
>>> cas.authn.oidc.claimsMap.email=mail
>>> #cas.authn.oidc.claimsMap.preferred_username=given_name
>>> cas.authn.oidc.claimsMap.given_name=givenName
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Sat, Aug 22, 2020 at 6:33 PM Nikolas Stylianides <
>>> nstyliani...@gmail.com> wrote:
>>>
 I will send you the configuration files.
 I am not declaring any attribute claim.

 email is both a scope and a claim.


 On Sat, 22 Aug 2020, 16:35, Jérôme Steve <
 jerome.st...@gmail.com> wrote:

> If you define a custom claim "attributes" it's normal I think.
>
> Show me your custom configuration to be sure.
>
> On Sat, 22 Aug 2020 at 15:16, Nikolas Stylianides <
> nstyliani...@gmail.com> wrote:
>
>> I have gone this further.
>> I declare a SCOPE of my own. With specific CLAIMS.
>> And these claims are mapped to attributes.
>>
>> All claims appear in field "attributes" and not in the top hierarchy.
>> Is this normal?
>>
>>
>>
>>
>>
>> On Sat, Aug 22, 2020 at 3:43 PM Nikolas Stylianides <
>> nstyliani...@gmail.com> wrote:
>>
>>> Hi Jerome. Keep in mind that my CAS release is 6.2.1.
>>>
>>> I have no attributes.username since I collect my attributes during
>>> 

Re: [cas-user] CAS 6.2.1 OpenID Connect OP attribute release issues

2020-08-25 Thread Nikolas Stylianides
Hi Jerome.
Just tried that. See my service configuration below.
The same outcome.

{
  "@class" : "org.apereo.cas.services.OidcRegisteredService",
  "serviceId" : "...",
  "name" : "servicename",
  "id" : 105,
  "clientId": "...",
  "clientSecret": "...",
  "supportedGrantTypes":[ "java.util.HashSet",
["AUTHORIZATION_CODE","CLIENT_CREDENTIALS","PASSWORD","REFRESH_TOKEN"]
  ],
  "scopes": [ "java.util.HashSet",[ "openid","profile", "email" ]],
  "supportedResponseTypes":[ "java.util.HashSet", [
"code","token","id_token","id_token token","code token" ] ],
  "theme": "apereo",
  "description" : "This service definition allows authorized applications
that support HTTPS protocol.",
  "evaluationOrder" : 10,
  "accessStrategy" : {
"@class" :
"org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
"enabled" : true,
"ssoEnabled" : true
  }
}



On Tue, Aug 25, 2020 at 12:03 AM Jérôme Steve 
wrote:

> Hi Nikolas,
>
> So after looking at your configuration, no, it's not "normal". Claims should
> appear on the top level and not in an attributes claim.
>
> First, try to remove your attributeReleasePolicy in your service.json.
>
> Also I haven't tested 6.2, I'm still on 6.1. So maybe it's an improvement,
> but "attributes" is not a standard claim in OIDC ...
>
>
>
> On Sun, 23 Aug 2020 at 07:39, Nikolas Stylianides
> wrote:
>
>> Hi Jerome. Please find below the configuration file and the service file.
>>
>> Service File
>> =
>>
>>
>> {
>>   "@class" : "org.apereo.cas.services.OidcRegisteredService",
>>   "serviceId" : "...",
>>   "name" : "MYSERVICE",
>>   "id" : 105,
>>   "clientId": "...",
>>   "clientSecret": "...",
>>   "supportedGrantTypes":[ "java.util.HashSet",
>> ["AUTHORIZATION_CODE","CLIENT_CREDENTIALS","PASSWORD","REFRESH_TOKEN"]
>>   ],
>>   "scopes": [ "java.util.HashSet",[ "openid","profile",
>> "email","myownscope" ]],
>>   "supportedResponseTypes":[ "java.util.HashSet", [
>> "code","token","id_token","id_token token","code token" ] ],
>>   "theme": "apereo",
>>   "description" : "This service definition allows authorized applications
>> that support HTTPS protocol.",
>>   "evaluationOrder" : 10,
>>   "attributeReleasePolicy" : {
>> "@class" :
>> "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
>> "allowedAttributes" : {
>>   "@class" : "java.util.TreeMap",
>>   "givenName" : "givenName",
>>   "mail" : "mail",
>>   "cn":"profile",
>>
>> }
>>   },
>>   "accessStrategy" : {
>> "@class" :
>> "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
>> "enabled" : true,
>> "ssoEnabled" : true
>>   }
>> }
>>
>> LDAP Configuration
>> 
>>
>> cas.authn.ldap[0].principal-attribute-list=sn,cn,givenName,mail,c,l,telephoneNumber
>>
>> OID Connect configuration (the ones that are related to claims)
>> 
>> cas.authn.oidc.subject-types=public
>>
>> cas.authn.oidc.scopes=myownscope,openid,profile,email,address,phone,offline_access
>>
>> cas.authn.oidc.claims=mail,givenName,sub,name,preferred_username,family_name,given_name,middle_name,given_name,profile,picture,nickname,website,zoneinfo,locale,updated_at,birthdate,email,email_verified,phone_number,phone_number_verified
>> cas.authn.oidc.userDefinedScopes.myownscopes=mail,givenName
>>
>> # Add more claims. They will appear in the "attributes" claim.
>> #
>> cas.authn.oidc.claimsMap.email=mail
>> #cas.authn.oidc.claimsMap.preferred_username=given_name
>> cas.authn.oidc.claimsMap.given_name=givenName
>>
>>
>>
>>
>>
>>
>> On Sat, Aug 22, 2020 at 6:33 PM Nikolas Stylianides <
>> nstyliani...@gmail.com> wrote:
>>
>>> I will send you the configuration files.
>>> I am not declaring any attribute claim.
>>>
>>> email is both a scope and a claim.
>>>
>>>
>>> On Sat, 22 Aug 2020, 16:35, Jérôme Steve <
>>> jerome.st...@gmail.com> wrote:
>>>
 If you define a custom claim "attributes" it's normal I think.

 Show me your custom configuration to be sure.

 On Sat, 22 Aug 2020 at 15:16, Nikolas Stylianides <
 nstyliani...@gmail.com> wrote:

> I have gone this further.
> I declare a SCOPE of my own. With specific CLAIMS.
> And these claims are mapped to attributes.
>
> All claims appear in field "attributes" and not in the top hierarchy.
> Is this normal?
>
>
>
>
>
> On Sat, Aug 22, 2020 at 3:43 PM Nikolas Stylianides <
> nstyliani...@gmail.com> wrote:
>
>> Hi Jerome. Keep in mind that my CAS release is 6.2.1.
>>
>> I have no attributes.username since I collect my attributes during
>> the LDAP authentication.
>> I have also tried mapping claims to attributes with no luck.
>>
>>
>> In the documentation it says that if no mapping is provided then the
>> attribute names must match the claim names. I do that also in my service
>> definition file.
>> Still no luck.
>>
>> All claims are included under

Re: [cas-user] CAS 6.2.1 OpenID Connect OP attribute release issues

2020-08-24 Thread Jérôme Steve
Hi Nikolas,

So after looking at your configuration, no, it's not "normal". Claims should
appear on the top level and not in an attributes claim.

First, try to remove your attributeReleasePolicy in your service.json.

Also I haven't tested 6.2, I'm still on 6.1. So maybe it's an improvement,
but "attributes" is not a standard claim in OIDC ...



On Sun, 23 Aug 2020 at 07:39, Nikolas Stylianides
wrote:

> Hi Jerome. Please find below the configuration file and the service file.
>
> Service File
> =
>
>
> {
>   "@class" : "org.apereo.cas.services.OidcRegisteredService",
>   "serviceId" : "...",
>   "name" : "MYSERVICE",
>   "id" : 105,
>   "clientId": "...",
>   "clientSecret": "...",
>   "supportedGrantTypes":[ "java.util.HashSet",
> ["AUTHORIZATION_CODE","CLIENT_CREDENTIALS","PASSWORD","REFRESH_TOKEN"]
>   ],
>   "scopes": [ "java.util.HashSet",[ "openid","profile",
> "email","myownscope" ]],
>   "supportedResponseTypes":[ "java.util.HashSet", [
> "code","token","id_token","id_token token","code token" ] ],
>   "theme": "apereo",
>   "description" : "This service definition allows authorized applications
> that support HTTPS protocol.",
>   "evaluationOrder" : 10,
>   "attributeReleasePolicy" : {
> "@class" :
> "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
> "allowedAttributes" : {
>   "@class" : "java.util.TreeMap",
>   "givenName" : "givenName",
>   "mail" : "mail",
>   "cn":"profile",
>
> }
>   },
>   "accessStrategy" : {
> "@class" :
> "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
> "enabled" : true,
> "ssoEnabled" : true
>   }
> }
>
> LDAP Configuration
> 
>
> cas.authn.ldap[0].principal-attribute-list=sn,cn,givenName,mail,c,l,telephoneNumber
>
> OID Connect configuration (the ones that are related to claims)
> 
> cas.authn.oidc.subject-types=public
>
> cas.authn.oidc.scopes=myownscope,openid,profile,email,address,phone,offline_access
>
> cas.authn.oidc.claims=mail,givenName,sub,name,preferred_username,family_name,given_name,middle_name,given_name,profile,picture,nickname,website,zoneinfo,locale,updated_at,birthdate,email,email_verified,phone_number,phone_number_verified
> cas.authn.oidc.userDefinedScopes.myownscopes=mail,givenName
>
> # Add more claims. They will appear in the "attributes" claim.
> #
> cas.authn.oidc.claimsMap.email=mail
> #cas.authn.oidc.claimsMap.preferred_username=given_name
> cas.authn.oidc.claimsMap.given_name=givenName
>
>
>
>
>
>
> On Sat, Aug 22, 2020 at 6:33 PM Nikolas Stylianides <
> nstyliani...@gmail.com> wrote:
>
>> I will send you the configuration files.
>> I am not declaring any attribute claim.
>>
>> email is both a scope and a claim.
>>
>>
>> On Sat, 22 Aug 2020, 16:35, Jérôme Steve <
>> jerome.st...@gmail.com> wrote:
>>
>>> If you define a custom claim "attributes" it's normal I think.
>>>
>>> Show me your custom configuration to be sure.
>>>
>>> On Sat, 22 Aug 2020 at 15:16, Nikolas Stylianides <
>>> nstyliani...@gmail.com> wrote:
>>>
 I have gone this further.
 I declare a SCOPE of my own. With specific CLAIMS.
 And these claims are mapped to attributes.

 All claims appear in field "attributes" and not in the top hierarchy.
 Is this normal?





 On Sat, Aug 22, 2020 at 3:43 PM Nikolas Stylianides <
 nstyliani...@gmail.com> wrote:

> Hi Jerome. Keep in mind that my CAS release is 6.2.1.
>
> I have no attributes.username since I collect my attributes during the
> LDAP authentication.
> I have also tried mapping claims to attributes with no luck.
>
>
> In the documentation it says that if no mapping is provided then the
> attribute names must match the claim names. I do that also in my service
> definition file.
> Still no luck.
>
> All claims are included under the field "attributes"
>
> Which is not the response I expect.
>
> Has anyone solved this in 6.2.1?
> Maybe is a bug?
>
> On Sat, 22 Aug 2020, 12:49, Jérôme Steve <
> jerome.st...@gmail.com> wrote:
>
>> First, I think you have to define attributes.username corresponding to
>> your login:
>>
>>
>> https://apereo.github.io/cas/5.1.x/integration/Attribute-Release-Policies.html
>>
>> After that you have to map attributes to claims:
>>
>>
>> https://apereo.github.io/cas/5.1.x/installation/OIDC-Authentication.html#mapping-claims
>>
>>
>>
>> On Sat, 22 Aug 2020 at 10:34, Nikolas Stylianides <
>> nstyliani...@gmail.com> wrote:
>>
>>> Anyone with an answer for this behavior?
>>> I can now release attributes but only under the field "attributes".
>>> Anything i am missing to be able to release claims in the format:
>>> {
>>> "email": "inf...@gmail.com ",
>>> "given_name": "test",
>>> 

Re: [cas-user] CAS 6.2.1 OpenID Connect OP attribute release issues

2020-08-22 Thread Nikolas Stylianides
Hi Jerome. Please find below the configuration file and the service file.

Service File
=


{
  "@class" : "org.apereo.cas.services.OidcRegisteredService",
  "serviceId" : "...",
  "name" : "MYSERVICE",
  "id" : 105,
  "clientId": "...",
  "clientSecret": "...",
  "supportedGrantTypes":[ "java.util.HashSet",
["AUTHORIZATION_CODE","CLIENT_CREDENTIALS","PASSWORD","REFRESH_TOKEN"]
  ],
  "scopes": [ "java.util.HashSet",[ "openid","profile",
"email","myownscope" ]],
  "supportedResponseTypes":[ "java.util.HashSet", [
"code","token","id_token","id_token token","code token" ] ],
  "theme": "apereo",
  "description" : "This service definition allows authorized applications
that support HTTPS protocol.",
  "evaluationOrder" : 10,
  "attributeReleasePolicy" : {
"@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
"allowedAttributes" : {
  "@class" : "java.util.TreeMap",
  "givenName" : "givenName",
  "mail" : "mail",
  "cn":"profile",

}
  },
  "accessStrategy" : {
"@class" :
"org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
"enabled" : true,
"ssoEnabled" : true
  }
}

LDAP Configuration

cas.authn.ldap[0].principal-attribute-list=sn,cn,givenName,mail,c,l,telephoneNumber

OID Connect configuration (the ones that are related to claims)

cas.authn.oidc.subject-types=public
cas.authn.oidc.scopes=myownscope,openid,profile,email,address,phone,offline_access
cas.authn.oidc.claims=mail,givenName,sub,name,preferred_username,family_name,given_name,middle_name,given_name,profile,picture,nickname,website,zoneinfo,locale,updated_at,birthdate,email,email_verified,phone_number,phone_number_verified
cas.authn.oidc.userDefinedScopes.myownscopes=mail,givenName

# Add more claims. They will appear in the "attributes" claim.
#
cas.authn.oidc.claimsMap.email=mail
#cas.authn.oidc.claimsMap.preferred_username=given_name
cas.authn.oidc.claimsMap.given_name=givenName






On Sat, Aug 22, 2020 at 6:33 PM Nikolas Stylianides 
wrote:

> I will send you the configuration files.
> I am not declaring any attribute claim.
>
> email is both a scope and a claim.
>
>
> On Sat, 22 Aug 2020, 16:35, Jérôme Steve <
> jerome.st...@gmail.com> wrote:
>
>> If you define a custom claim "attributes" it's normal I think.
>>
>> Show me your custom configuration to be sure.
>>
>> On Sat, 22 Aug 2020 at 15:16, Nikolas Stylianides
>> wrote:
>>
>>> I have gone this further.
>>> I declare a SCOPE of my own. With specific CLAIMS.
>>> And these claims are mapped to attributes.
>>>
>>> All claims appear in field "attributes" and not in the top hierarchy.
>>> Is this normal?
>>>
>>>
>>>
>>>
>>>
>>> On Sat, Aug 22, 2020 at 3:43 PM Nikolas Stylianides <
>>> nstyliani...@gmail.com> wrote:
>>>
 Hi Jerome. Keep in mind that my CAS release is 6.2.1.

 I have no attributes.username since I collect my attributes during the
 LDAP authentication.
 I have also tried mapping claims to attributes with no luck.


 In the documentation it says that if no mapping is provided then the
 attribute names must match the claim names. I do that also in my service
 definition file.
 Still no luck.

 All claims are included under the field "attributes"

 Which is not the response I expect.

 Has anyone solved this in 6.2.1?
 Maybe is a bug?

 On Sat, 22 Aug 2020, 12:49, Jérôme Steve <
 jerome.st...@gmail.com> wrote:

> First, I think you have to define attributes.username corresponding to
> your login:
>
>
> https://apereo.github.io/cas/5.1.x/integration/Attribute-Release-Policies.html
>
> After that you have to map attributes to claims:
>
>
> https://apereo.github.io/cas/5.1.x/installation/OIDC-Authentication.html#mapping-claims
>
>
>
> On Sat, 22 Aug 2020 at 10:34, Nikolas Stylianides <
> nstyliani...@gmail.com> wrote:
>
>> Anyone with an answer for this behavior?
>> I can now release attributes but only under the field "attributes".
>> Anything i am missing to be able to release claims in the format:
>> {
>> "email": "inf...@gmail.com ",
>> "given_name": "test",
>> "sub": "test",
>> "service": "client_id",
>> "auth_time": 1598017095,
>> "id": "test",
>> "client_id": "client_id"
>> }
>>
>>
>> On Friday, 21 August 2020 at 4:48:44 PM UTC+3,
>> Nikolas Stylianides wrote:
>>
>>> Hi Jerome. Thank you for the response.
>>> I am a little bit confused. What to define?
>>> When it comes to get the user info, CAS Debugger it reports:
>>>
>>> I have been able to release attributes in the attribute claim
>>>
>>> {
>>> "sub": "test",
>>> "service": "client_id",
>>> "auth_time": 1598017095,
>>> "at
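
A consistency check for the scope and claim names in a configuration like the one posted in this message, as an added example (not code from the thread or from the CAS project). The rules it applies are assumptions: a scope requested by the service is expected in `cas.authn.oidc.scopes`, a non-standard scope is expected to have a `userDefinedScopes` entry of the same name, and `claimsMap` is read as claim name on the left, attribute name on the right.

```python
"""Cross-check scope and claim names between CAS OIDC properties and a service.

Added example. Property names are the ones quoted in the thread; the
consistency rules are assumptions, not documented CAS behaviour.
"""
import difflib
import re

# Scopes treated as predefined (assumption: they need no user-defined entry).
STANDARD_SCOPES = {"openid", "profile", "email", "address", "phone", "offline_access"}
PREFIX = "cas.authn.oidc."

# Constructed sample, reduced from the properties posted in the thread.
SAMPLE_PROPERTIES = """\
cas.authn.oidc.scopes=myownscope,openid,profile,email,address,phone,offline_access
cas.authn.oidc.claims=mail,givenName,sub,name,preferred_username,given_name,email
cas.authn.oidc.userDefinedScopes.myownscopes=mail,givenName
# Add more claims. They will appear in the "attributes" claim.
cas.authn.oidc.claimsMap.email=mail
#cas.authn.oidc.claimsMap.preferred_username=given_name
cas.authn.oidc.claimsMap.given_name=givenName
"""
# Scopes listed in the service definition's "scopes" array.
SAMPLE_SERVICE_SCOPES = ["openid", "profile", "email", "myownscope"]


def parse_properties(text):
    """Collect the cas.authn.oidc.* scope and claim settings from properties text."""
    cfg = {"scopes": [], "claims": [], "userdefinedscopes": {}, "claimsmap": {}}
    # Join lines continued with a trailing backslash, as .properties files allow.
    text = re.sub(r"\\\r?\n[ \t]*", "", text)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if not key.startswith(PREFIX):
            continue
        group, _, sub = key[len(PREFIX):].partition(".")
        # Relaxed binding: userDefinedScopes and user-defined-scopes are one key.
        group = group.replace("-", "").lower()
        values = [v.strip() for v in value.split(",") if v.strip()]
        if group in ("scopes", "claims") and not sub:
            cfg[group] = values
        elif group == "userdefinedscopes" and sub:
            cfg[group][sub] = values
        elif group == "claimsmap" and sub:
            cfg[group][sub] = value
    return cfg


def check(cfg, service_scopes):
    """Return (rule, name, detail) tuples for names that do not line up."""
    findings = []
    declared = set(cfg["scopes"])
    claims = set(cfg["claims"])
    user_scopes = cfg["userdefinedscopes"]
    claims_map = cfg["claimsmap"]

    for scope in service_scopes:
        if scope not in declared:
            findings.append(("scope-not-declared", scope, ""))
        if scope not in STANDARD_SCOPES and scope not in user_scopes:
            near = difflib.get_close_matches(scope, list(user_scopes), n=1)
            findings.append(("scope-without-claims", scope, near[0] if near else ""))

    for scope, scope_claims in user_scopes.items():
        if scope not in declared:
            findings.append(("user-scope-not-declared", scope, ""))
        for claim in scope_claims:
            if claim not in claims:
                findings.append(("claim-not-listed", scope, claim))
            # The name is a claimsMap target (attribute), not a claimsMap key (claim).
            if claim in claims_map.values() and claim not in claims_map:
                findings.append(("attribute-name-used-as-claim", scope, claim))

    for claim in claims_map:
        if claim not in claims:
            findings.append(("mapped-claim-not-listed", claim, ""))
    return findings


if __name__ == "__main__":
    for rule, name, detail in check(parse_properties(SAMPLE_PROPERTIES),
                                    SAMPLE_SERVICE_SCOPES):
        print(f"{rule}: {name} {detail}".rstrip())
```

On the constructed sample it reports that the service requests `myownscope` while the only user-defined entry is named `myownscopes`, and that `mail` and `givenName` appear in that scope although they are the attribute side of `claimsMap`.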

Re: [cas-user] CAS 6.2.1 OpenID Connect OP attribute release issues

2020-08-22 Thread Nikolas Stylianides
I will send you the configuration files.
I am not declaring any attribute claim.

email is both a scope and a claim.


On Sat, 22 Aug 2020, 16:35, Jérôme Steve
wrote:

> If you define a custom claim "attributes" it's normal I think.
>
> Show me your custom configuration to be sure.
>
> On Sat, 22 Aug 2020 at 15:16, Nikolas Stylianides
> wrote:
>
>> I have gone this further.
>> I declare a SCOPE of my own. With specific CLAIMS.
>> And these claims are mapped to attributes.
>>
>> All claims appear in field "attributes" and not in the top hierarchy.
>> Is this normal?
>>
>>
>>
>>
>>
>> On Sat, Aug 22, 2020 at 3:43 PM Nikolas Stylianides <
>> nstyliani...@gmail.com> wrote:
>>
>>> Hi Jerome. Keep in mind that my CAS release is 6.2.1.
>>>
>>> I have no attributes.username since I collect my attributes during the
>>> LDAP authentication.
>>> I have also tried mapping claims to attributes with no luck.
>>>
>>>
>>> In the documentation it says that if no mapping is provided then the
>>> attribute names must match the claim names. I do that also in my service
>>> definition file.
>>> Still no luck.
>>>
>>> All claims are included under the field "attributes"
>>>
>>> Which is not the response I expect.
>>>
>>> Has anyone solved this in 6.2.1?
>>> Maybe is a bug?
>>>
>>> On Sat, 22 Aug 2020, 12:49, Jérôme Steve <
>>> jerome.st...@gmail.com> wrote:
>>>
 First, I think you have to define attributes.username corresponding to
 your login:


 https://apereo.github.io/cas/5.1.x/integration/Attribute-Release-Policies.html

 After that you have to map attributes to claims:


 https://apereo.github.io/cas/5.1.x/installation/OIDC-Authentication.html#mapping-claims



 On Sat, 22 Aug 2020 at 10:34, Nikolas Stylianides <
 nstyliani...@gmail.com> wrote:

> Anyone with an answer for this behavior?
> I can now release attributes but only under the field "attributes".
> Anything i am missing to be able to release claims in the format:
> {
> "email": "inf...@gmail.com ",
> "given_name": "test",
> "sub": "test",
> "service": "client_id",
> "auth_time": 1598017095,
> "id": "test",
> "client_id": "client_id"
> }
>
>
> On Friday, 21 August 2020 at 4:48:44 PM UTC+3,
> Nikolas Stylianides wrote:
>
>> Hi Jerome. Thank you for the response.
>> I am a little bit confused. What to define?
>> When it comes to get the user info, CAS Debugger it reports:
>>
>> I have been able to release attributes in the attribute claim
>>
>> {
>> "sub": "test",
>> "service": "client_id",
>> "auth_time": 1598017095,
>> "attributes": {
>> "email": "inf...@gmail.com",
>> "profile": "test"
>> },
>> "id": "test",
>> "client_id": "client_id"
>> }
>>
>> by enabling:
>>
>> cas.authn.attribute-repository.ldap[0].attributes.cn=profile
>> cas.authn.attribute-repository.ldap[0].attributes.mail=email
>>
>> But still i cannot release the CLAIMS for the requested scopes
>> (email, profile)
>>
>> Thank you in advance
>>
>>
>>
>>
>>
>>
>>
>> On Fri, Aug 21, 2020 at 12:36 PM Jérôme Steve 
>> wrote:
>>
>>> Hi,
>>>
>>> In CAS, OIDC claim values come from attribute repositories.
>>> So you have to define it to retrieve your attribute values.
>>> And afterwards you can map it to the OIDC claims.
>>>
>>> Jérôme
>>>
>>> On Fri, 21 Aug 2020 at 09:39, Nikolas Stylianides <
>>> nstyli...@gmail.com> wrote:
>>>
 when i use the PASSWORD grant_type and then use the return token to
 fetch user information from oidc/profile this is what i get.

 {
 "sub": "aUserName",
 "service": "client_id",
 "auth_time": 1597989795,
 "attributes": {},
 "id": " aUserName  ",
 "client_id": "client_id"
 }

 Any ideas why i have no claims in the return JSON?
 Maybe the same happens with the AUTHORIZATION_CODE grant_type?



 On Thursday, 20 August 2020 at 5:37:33 PM UTC+3,
 Nikolas Stylianides wrote:

> Hi there.
> Another strange behavior is the following.
> I am setting my Moodle to OIDC and the procedure goes well. Once I
> "Allow" the claims it does not get any user info.
>
> CAS Debugger reports:  attribute repositories for 
> [{username=c44c3fc514202ac9a8cc5cf6437c1c21}]>
>
> which username is actually client_id
>
>
>
> On Wed, Aug 19, 2020 at 6:35 PM Nikolas Stylianides <
> nstyli...@gmail.com> wrote:
>
>>>

Re: [cas-user] CAS 6.2.1 OpenID Connect OP attribute release issues

2020-08-22 Thread Jérôme Steve
If you define a custom claim "attributes" it's normal I think.

Show me your custom configuration to be sure.

On Sat, 22 Aug 2020 at 15:16, Nikolas Stylianides
wrote:

> I have gone this further.
> I declare a SCOPE of my own. With specific CLAIMS.
> And these claims are mapped to attributes.
>
> All claims appear in field "attributes" and not in the top hierarchy.
> Is this normal?
>
>
>
>
>
> On Sat, Aug 22, 2020 at 3:43 PM Nikolas Stylianides <
> nstyliani...@gmail.com> wrote:
>
>> Hi Jerome. Keep in mind that my CAS release is 6.2.1.
>>
>> I have no attributes.username since I collect my attributes during the
>> LDAP authentication.
>> I have also tried mapping claims to attributes with no luck.
>>
>>
>> In the documentation it says that if no mapping is provided then the
>> attribute names must match the claim names. I do that also in my service
>> definition file.
>> Still no luck.
>>
>> All claims are included under the field "attributes"
>>
>> Which is not the response I expect.
>>
>> Has anyone solved this in 6.2.1?
>> Maybe is a bug?
>>
>> On Sat, 22 Aug 2020, 12:49, Jérôme Steve <
>> jerome.st...@gmail.com> wrote:
>>
>>> First, I think you have to define attributes.username corresponding to
>>> your login:
>>>
>>>
>>> https://apereo.github.io/cas/5.1.x/integration/Attribute-Release-Policies.html
>>>
>>> After that you have to map attributes to claims:
>>>
>>>
>>> https://apereo.github.io/cas/5.1.x/installation/OIDC-Authentication.html#mapping-claims
>>>
>>>
>>>
>>> On Sat, 22 Aug 2020 at 10:34, Nikolas Stylianides <
>>> nstyliani...@gmail.com> wrote:
>>>
 Anyone with an answer for this behavior?
 I can now release attributes but only under the field "attributes".
 Anything i am missing to be able to release claims in the format:
 {
 "email": "inf...@gmail.com ",
 "given_name": "test",
 "sub": "test",
 "service": "client_id",
 "auth_time": 1598017095,
 "id": "test",
 "client_id": "client_id"
 }


 On Friday, 21 August 2020 at 4:48:44 PM UTC+3,
 Nikolas Stylianides wrote:

> Hi Jerome. Thank you for the response.
> I am a little bit confused. What to define?
> When it comes to get the user info, CAS Debugger it reports:
>
> I have been able to release attributes in the attribute claim
>
> {
> "sub": "test",
> "service": "client_id",
> "auth_time": 1598017095,
> "attributes": {
> "email": "inf...@gmail.com",
> "profile": "test"
> },
> "id": "test",
> "client_id": "client_id"
> }
>
> by enabling:
>
> cas.authn.attribute-repository.ldap[0].attributes.cn=profile
> cas.authn.attribute-repository.ldap[0].attributes.mail=email
>
> But still i cannot release the CLAIMS for the requested scopes (email,
> profile)
>
> Thank you in advance
>
>
>
>
>
>
>
> On Fri, Aug 21, 2020 at 12:36 PM Jérôme Steve 
> wrote:
>
>> Hi,
>>
>> In CAS, OIDC claim values come from attribute repositories.
>> So you have to define it to retrieve your attribute values.
>> And afterwards you can map it to the OIDC claims.
>>
>> Jérôme
>>
>> On Fri, 21 Aug 2020 at 09:39, Nikolas Stylianides <
>> nstyli...@gmail.com> wrote:
>>
>>> when i use the PASSWORD grant_type and then use the return token to
>>> fetch user information from oidc/profile this is what i get.
>>>
>>> {
>>> "sub": "aUserName",
>>> "service": "client_id",
>>> "auth_time": 1597989795,
>>> "attributes": {},
>>> "id": " aUserName  ",
>>> "client_id": "client_id"
>>> }
>>>
>>> Any ideas why i have no claims in the return JSON?
>>> Maybe the same happens with the AUTHORIZATION_CODE grant_type?
>>>
>>>
>>>
>>> On Thursday, 20 August 2020 at 5:37:33 PM UTC+3,
>>> Nikolas Stylianides wrote:
>>>
 Hi there.
 Another strange behavior is the following.
 I am setting my Moodle to OIDC and the procedure goes well. Once I
 "Allow" the claims it does not get any user info.

 CAS Debugger reports: >>> attribute repositories for 
 [{username=c44c3fc514202ac9a8cc5cf6437c1c21}]>

 which username is actually client_id



 On Wed, Aug 19, 2020 at 6:35 PM Nikolas Stylianides <
 nstyli...@gmail.com> wrote:

> Hi there.
> I have managed to set up the OpenID Connect protocol.
> The issue i am facing is in the last steps where the Attributes
> should be released to the service but they are not.
> I am getting on the logs of CAS the following:  WARN
> [org.apereo.cas.authentication.attribute.PrincipalAttributeRe

Re: [cas-user] CAS 6.2.1 OpenID Connect OP attribute release issues

2020-08-22 Thread Jérôme Steve
Email and profile are not claims but scopes ...


On Fri, 21 Aug 2020 at 15:48, Nikolas Stylianides
wrote:

> Hi Jerome. Thank you for the response.
> I am a little bit confused. What to define?
> When it comes to get the user info, CAS Debugger it reports:
>
> I have been able to release attributes in the attribute claim
>
> {
> "sub": "test",
> "service": "client_id",
> "auth_time": 1598017095,
> "attributes": {
> "email": "inf...@gmail.com",
> "profile": "test"
> },
> "id": "test",
> "client_id": "client_id"
> }
>
> by enabling:
>
> cas.authn.attribute-repository.ldap[0].attributes.cn=profile
> cas.authn.attribute-repository.ldap[0].attributes.mail=email
>
> But still i cannot release the CLAIMS for the requested scopes (email,
> profile)
>
> Thank you in advance
>
>
>
>
>
>
>
> On Fri, Aug 21, 2020 at 12:36 PM Jérôme Steve 
> wrote:
>
>> Hi,
>>
>> In CAS, OIDC claim values come from attribute repositories.
>> So you have to define it to retrieve your attribute values.
>> And afterwards you can map it to the OIDC claims.
>>
>> Jérôme
>>
>> On Fri, 21 Aug 2020 at 09:39, Nikolas Stylianides
>> wrote:
>>
>>> when i use the PASSWORD grant_type and then use the return token to
>>> fetch user information from oidc/profile this is what i get.
>>>
>>> {
>>> "sub": "aUserName",
>>> "service": "client_id",
>>> "auth_time": 1597989795,
>>> "attributes": {},
>>> "id": " aUserName  ",
>>> "client_id": "client_id"
>>> }
>>>
>>> Any ideas why i have no claims in the return JSON?
>>> Maybe the same happens with the AUTHORIZATION_CODE grant_type?
>>>
>>>
>>>
>>> On Thursday, 20 August 2020 at 5:37:33 PM UTC+3,
>>> Nikolas Stylianides wrote:
>>>
 Hi there.
 Another strange behavior is the following.
 I am setting my Moodle to OIDC and the procedure goes well. Once I
 "Allow" the claims it does not get any user info.

 CAS Debugger reports: >>> repositories for [{username=c44c3fc514202ac9a8cc5cf6437c1c21}]>

 which username is actually client_id



 On Wed, Aug 19, 2020 at 6:35 PM Nikolas Stylianides <
 nstyli...@gmail.com> wrote:

> Hi there.
> I have managed to set up the OpenID Connect protocol.
> The issue i am facing is in the last steps where the Attributes should
> be released to the service but they are not.
> I am getting on the logs of CAS the following:  WARN
> [org.apereo.cas.authentication.attribute.PrincipalAttributeRepositoryFetcher]
> - 
>
> Any advice?
>
> My service has been defined as follows:
> Service is Moodle
>
> {
>   "@class" : "org.apereo.cas.services.OidcRegisteredService",
>   "serviceId" : "https://myservice.domain/admin/oauth2callback.php",
>   "name" : "oidc",
>   "id" : 102,
>   "clientId": "...",
>   "clientSecret": "...",
>   "scopes": [ "java.util.HashSet",
> [ "openid", "profile", "email", "address", "phone",
> "offline_access", "displayName" ]
>   ],
>   "supportedGrantTypes":[ "java.util.HashSet",
>
> ["AUTHORIZATION_CODE","CLIENT_CREDENTIALS","PASSWORD","REFRESH_TOKEN"]
>   ],
>   "supportedResponseTypes":[ "java.util.HashSet", [ "code" ] ],
>   "theme": "apereo",
>   "description" : "This service definition authorizes all application
> urls that support HTTPS and IMAPS protocols.",
>   "evaluationOrder" : 1,
>   "attributeReleasePolicy" : {
> "@class" :
> "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
>   },
>   "accessStrategy" : {
> "@class" :
> "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
> "enabled" : true,
> "ssoEnabled" : true
>   }
> }
>
> Thank you in advance.
>
> --
> Δρ. Νικόλας Στυλιανίδης
> Ηλεκτρολόγος Μηχανικός και Μηχ. Υπολογιστών
>
> Nikolas Stylianides, Dr.
> Dr. Eng. in Electrical & Computer Engineering
>
> Contacts
> -
> Mobile Tel.: +35796741315 <+357%2096%20741315>
> Email: nstyli...@leafnet.com.cy, nstyli...@gmail.com
> Skype: nicostyl
>
> Affiliation
> ---
> LEAF NET LTD: Research & Development
> Open University of Cyprus: Research Associate, APPLIED HEALTH
> INFORMATICS Master Programme Academic Board Member
>
>
> Tο λακωνίζειν εστί φιλοσοφείν / Μηδέν Άγαν - Χίλων ο Λακεδαιμόνιος:
>
> Brevity is the soul of wit - Shakespeare William (Hamlet)
>
>
>
>
>


Re: [cas-user] CAS 6.2.1 OpenID Connect OP attribute release issues

2020-08-22 Thread Jérôme Steve
OK, with LDAP maybe it's not username but uid ...

But afterwards you have to map your CAS attributes to your OIDC DEFINED CLAIMS
like this:

https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties.html#openid-connect-scopes--claims


On Sat, 22 Aug 2020 at 14:43, Nikolas Stylianides
wrote:

> Hi Jerome. Keep in mind that my CAS release is 6.2.1.
>
> I have no attributes.username since I collect my attributes during the
> LDAP authentication.
> I have also tried mapping claims to attributes with no luck.
>
>
> In the documentation it says that if no mapping is provided then the
> attribute names must match the claim names. I do that also in my service
> definition file.
> Still no luck.
>
> All claims are included under the field "attributes"
>
> Which is not the response I expect.
>
> Has anyone solved this in 6.2.1?
> Maybe is a bug?
>
> On Sat, 22 Aug 2020, 12:49, Jérôme Steve <
> jerome.st...@gmail.com> wrote:
>
>> First, I think you have to define attributes.username corresponding to
>> your login:
>>
>>
>> https://apereo.github.io/cas/5.1.x/integration/Attribute-Release-Policies.html
>>
>> After that you have to map attributes to claims:
>>
>>
>> https://apereo.github.io/cas/5.1.x/installation/OIDC-Authentication.html#mapping-claims
>>
>>
>>
>> On Sat, 22 Aug 2020 at 10:34, Nikolas Stylianides
>> wrote:
>>
>>> Anyone with an answer for this behavior?
>>> I can now release attributes but only under the field "attributes".
>>> Anything i am missing to be able to release claims in the format:
>>> {
>>> "email": "inf...@gmail.com ",
>>> "given_name": "test",
>>> "sub": "test",
>>> "service": "client_id",
>>> "auth_time": 1598017095,
>>> "id": "test",
>>> "client_id": "client_id"
>>> }
>>>
>>>
>>> On Friday, 21 August 2020 at 4:48:44 PM UTC+3,
>>> Nikolas Stylianides wrote:
>>>
 Hi Jerome. Thank you for the response.
 I am a little bit confused. What to define?
 When it comes to get the user info, CAS Debugger it reports:

 I have been able to release attributes in the attribute claim

 {
 "sub": "test",
 "service": "client_id",
 "auth_time": 1598017095,
 "attributes": {
 "email": "inf...@gmail.com",
 "profile": "test"
 },
 "id": "test",
 "client_id": "client_id"
 }

 by enabling:

 cas.authn.attribute-repository.ldap[0].attributes.cn=profile
 cas.authn.attribute-repository.ldap[0].attributes.mail=email

 But still i cannot release the CLAIMS for the requested scopes (email,
 profile)

 Thank you in advance







 On Fri, Aug 21, 2020 at 12:36 PM Jérôme Steve 
 wrote:

> Hi,
>
> In CAS, OIDC claim values come from attribute repositories.
> So you have to define it to retrieve your attribute values.
> And afterwards you can map it to the OIDC claims.
>
> Jérôme
>
> On Fri, 21 Aug 2020 at 09:39, Nikolas Stylianides
> wrote:
>
>> when i use the PASSWORD grant_type and then use the return token to
>> fetch user information from oidc/profile this is what i get.
>>
>> {
>> "sub": "aUserName",
>> "service": "client_id",
>> "auth_time": 1597989795,
>> "attributes": {},
>> "id": " aUserName  ",
>> "client_id": "client_id"
>> }
>>
>> Any ideas why i have no claims in the return JSON?
>> Maybe the same happens with the AUTHORIZATION_CODE grant_type?
>>
>>
>>
>> Στις Πέμπτη, 20 Αυγούστου 2020 στις 5:37:33 μ.μ. UTC+3, ο χρήστης
>> Nikolas Stylianides έγραψε:
>>
>>> Hi there.
>>> Another strange behavior is the following.
>>> I am setting my Moodle to OIDC and the procedure goes well. Once I
>>> "Allow" the claims it does not get any user info.
>>>
>>> CAS Debugger reports: >> repositories for [{username=c44c3fc514202ac9a8cc5cf6437c1c21}]>
>>>
>>> which username is actually client_id
>>>
>>>
>>>
>>> On Wed, Aug 19, 2020 at 6:35 PM Nikolas Stylianides <
>>> nstyli...@gmail.com> wrote:
>>>
 Hi there.
 I have managed to set up the OpenID Connect protocol.
 The issue i am facing is in the last steps where the Attributes
 should be released to the service but they are not.
 I am getting on the logs of CAS the following:  WARN
 [org.apereo.cas.authentication.attribute.PrincipalAttributeRepositoryFetcher]
 - 

 Any advice?

 My service has been defined as follows:
 Service is Moodle

 {
   "@class" : "org.apereo.cas.services.OidcRegisteredService",
   "serviceId" : "https://myservice.domain/admin/oauth2callback.php",
   "name" : "oidc",
   "id" : 102,
   "clientId":

Re: [cas-user] CAS 6.2.1 OpenID Connect OP attribute release issues

2020-08-22 Thread Nikolas Stylianides
I have gone this further.
I declare a SCOPE of my own. With specific CLAIMS.
And these claims are mapped to attributes.

All claims appear in the field "attributes" and not in the top hierarchy.
Is this normal?





On Sat, Aug 22, 2020 at 3:43 PM Nikolas Stylianides 
wrote:

> Hi Jerome. Keep in mind that my CAS release is 6.2.1.
>
> I have no attributes.username since I collect my attributes during the
> LDAP authentication.
> I have also tried mapping claims to attributes with no luck.
>
>
> In the documentation it says that if no mapping is provided then the
> attribute names must match the claim names. I do that also in my service
> definition file.
> Still no luck.
>
> All claims are included under the field "attributes"
>
> Which is not the response I expect.
>
> Has anyone solved this in 6.2.1?
> Maybe it is a bug?
>
> On Sat, Aug 22, 2020, 12:49 Jérôme Steve <
> jerome.st...@gmail.com> wrote:
>
>> First, I think you have to define attributes.username corresponding to
>> your login:
>>
>>
>> https://apereo.github.io/cas/5.1.x/integration/Attribute-Release-Policies.html
>>
>> After that you have to map attributes to claims:
>>
>>
>> https://apereo.github.io/cas/5.1.x/installation/OIDC-Authentication.html#mapping-claims
>>
>>
>>
>> On Sat, Aug 22, 2020 at 10:34, Nikolas Stylianides
>> wrote:
>>
>>> Anyone with an answer for this behavior?
>>> I can now release attributes but only under the field "attributes".
>>> Anything i am missing to be able to release claims in the format:
>>> {
>>> "email": "inf...@gmail.com ",
>>> "given_name": "test",
>>> "sub": "test",
>>> "service": "client_id",
>>> "auth_time": 1598017095,
>>> "id": "test",
>>> "client_id": "client_id"
>>> }
>>>
>>>
>>> On Friday, August 21, 2020 at 4:48:44 PM UTC+3, Nikolas Stylianides
>>> wrote:
>>>
 Hi Jerome. Thank you for the response.
 I am a little bit confused. What to define?
 When it comes to get the user info, CAS Debugger it reports:

 I have been able to release attributes in the attribute claim

 {
 "sub": "test",
 "service": "client_id",
 "auth_time": 1598017095,
 "attributes": {
 "email": "inf...@gmail.com",
 "profile": "test"
 },
 "id": "test",
 "client_id": "client_id"
 }

 by enabling:

 cas.authn.attribute-repository.ldap[0].attributes.cn=profile
 cas.authn.attribute-repository.ldap[0].attributes.mail=email

 But still i cannot release the CLAIMS for the requested scopes (email,
 profile)

 Thank you in advance







 On Fri, Aug 21, 2020 at 12:36 PM Jérôme Steve 
 wrote:

> Hi,
>
> In CAS, OIDC claims values come from attribute repositories.
> So you have to define it to retrieve your attributes value.
> And after that you can map it to the OIDC claims.
>
> Jérôme
>
> On Fri, Aug 21, 2020 at 09:39, Nikolas Stylianides
> wrote:
>
>> when i use the PASSWORD grant_type and then use the return token to
>> fetch user information from oidc/profile this is what i get.
>>
>> {
>> "sub": "aUserName",
>> "service": "client_id",
>> "auth_time": 1597989795,
>> "attributes": {},
>> "id": " aUserName  ",
>> "client_id": "client_id"
>> }
>>
>> Any ideas why i have no claims in the return JSON?
>> Maybe the same happens with the AUTHORIZATION_CODE grant_type?
>>
>>
>>
>> On Thursday, August 20, 2020 at 5:37:33 PM UTC+3, Nikolas Stylianides
>> wrote:
>>
>>> Hi there.
>>> Another strange behavior is the following.
>>> I am setting my Moodle to OIDC and the procedure goes well. Once I
>>> "Allow" the claims it does not get any user info.
>>>
>>> CAS Debugger reports: >> repositories for [{username=c44c3fc514202ac9a8cc5cf6437c1c21}]>
>>>
>>> which username is actually client_id
>>>
>>>
>>>
>>> On Wed, Aug 19, 2020 at 6:35 PM Nikolas Stylianides <
>>> nstyli...@gmail.com> wrote:
>>>
 Hi there.
 I have managed to set up the OpenID Connect protocol.
 The issue i am facing is in the last steps where the Attributes
 should be released to the service but they are not.
 I am getting on the logs of CAS the following:  WARN
 [org.apereo.cas.authentication.attribute.PrincipalAttributeRepositoryFetcher]
 - 

 Any advice?

 My service has been defined as follows:
 Service is Moodle

 {
   "@class" : "org.apereo.cas.services.OidcRegisteredService",
   "serviceId" : "https://myservice.domain/admin/oauth2callback.php",
   "name" : "oidc",
   "id" : 102,
   "clientId": "...",
   "clientSecret": "

Re: [cas-user] CAS 6.2.1 OpenID Connect OP attribute release issues

2020-08-22 Thread Nikolas Stylianides
Hi Jerome. Keep in mind that my CAS release is 6.2.1.

I have no attributes.username since I collect my attributes during the LDAP
authentication.
I have also tried mapping claims to attributes with no luck.


In the documentation it says that if no mapping is provided then the
attribute names must match the claim names. I do that also in my service
definition file.
Still no luck.

All claims are included under the field "attributes"

Which is not the response I expect.

Has anyone solved this in 6.2.1?
Maybe it is a bug?

On Sat, Aug 22, 2020, 12:49 Jérôme Steve
wrote:

> First, I think you have to define attributes.username corresponding to your
> login:
>
>
> https://apereo.github.io/cas/5.1.x/integration/Attribute-Release-Policies.html
>
> After that you have to map attributes to claims:
>
>
> https://apereo.github.io/cas/5.1.x/installation/OIDC-Authentication.html#mapping-claims
>
>
>
> On Sat, Aug 22, 2020 at 10:34, Nikolas Stylianides
> wrote:
>
>> Anyone with an answer for this behavior?
>> I can now release attributes but only under the field "attributes".
>> Anything i am missing to be able to release claims in the format:
>> {
>> "email": "inf...@gmail.com ",
>> "given_name": "test",
>> "sub": "test",
>> "service": "client_id",
>> "auth_time": 1598017095,
>> "id": "test",
>> "client_id": "client_id"
>> }
>>
>>
>> On Friday, August 21, 2020 at 4:48:44 PM UTC+3, Nikolas Stylianides
>> wrote:
>>
>>> Hi Jerome. Thank you for the response.
>>> I am a little bit confused. What to define?
>>> When it comes to get the user info, CAS Debugger it reports:
>>>
>>> I have been able to release attributes in the attribute claim
>>>
>>> {
>>> "sub": "test",
>>> "service": "client_id",
>>> "auth_time": 1598017095,
>>> "attributes": {
>>> "email": "inf...@gmail.com",
>>> "profile": "test"
>>> },
>>> "id": "test",
>>> "client_id": "client_id"
>>> }
>>>
>>> by enabling:
>>>
>>> cas.authn.attribute-repository.ldap[0].attributes.cn=profile
>>> cas.authn.attribute-repository.ldap[0].attributes.mail=email
>>>
>>> But still i cannot release the CLAIMS for the requested scopes (email,
>>> profile)
>>>
>>> Thank you in advance
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Fri, Aug 21, 2020 at 12:36 PM Jérôme Steve 
>>> wrote:
>>>
 Hi,

 In CAS, OIDC claims values come from attribute repositories.
 So you have to define it to retrieve your attributes value.
 And after that you can map it to the OIDC claims.

 Jérôme

 On Fri, Aug 21, 2020 at 09:39, Nikolas Stylianides
 wrote:

> when i use the PASSWORD grant_type and then use the return token to
> fetch user information from oidc/profile this is what i get.
>
> {
> "sub": "aUserName",
> "service": "client_id",
> "auth_time": 1597989795,
> "attributes": {},
> "id": " aUserName  ",
> "client_id": "client_id"
> }
>
> Any ideas why i have no claims in the return JSON?
> Maybe the same happens with the AUTHORIZATION_CODE grant_type?
>
>
>
> On Thursday, August 20, 2020 at 5:37:33 PM UTC+3, Nikolas Stylianides
> wrote:
>
>> Hi there.
>> Another strange behavior is the following.
>> I am setting my Moodle to OIDC and the procedure goes well. Once I
>> "Allow" the claims it does not get any user info.
>>
>> CAS Debugger reports: > repositories for [{username=c44c3fc514202ac9a8cc5cf6437c1c21}]>
>>
>> which username is actually client_id
>>
>>
>>
>> On Wed, Aug 19, 2020 at 6:35 PM Nikolas Stylianides <
>> nstyli...@gmail.com> wrote:
>>
>>> Hi there.
>>> I have managed to set up the OpenID Connect protocol.
>>> The issue i am facing is in the last steps where the Attributes
>>> should be released to the service but they are not.
>>> I am getting on the logs of CAS the following:  WARN
>>> [org.apereo.cas.authentication.attribute.PrincipalAttributeRepositoryFetcher]
>>> - 
>>>
>>> Any advice?
>>>
>>> My service has been defined as follows:
>>> Service is Moodle
>>>
>>> {
>>>   "@class" : "org.apereo.cas.services.OidcRegisteredService",
>>>   "serviceId" : "https://myservice.domain/admin/oauth2callback.php",
>>>   "name" : "oidc",
>>>   "id" : 102,
>>>   "clientId": "...",
>>>   "clientSecret": "...",
>>>   "scopes": [ "java.util.HashSet",
>>> [ "openid", "profile", "email", "address", "phone",
>>> "offline_access", "displayName" ]
>>>   ],
>>>   "supportedGrantTypes":[ "java.util.HashSet",
>>>
>>> ["AUTHORIZATION_CODE","CLIENT_CREDENTIALS","PASSWORD","REFRESH_TOKEN"]
>>>   ],
>>>   "supportedResponseTypes":[ "java.util.HashSet", [ "code" ] ],
>>>   "theme": "apereo",
>>>   "description" : "This service definition aut

Re: [cas-user] CAS 6.2.1 OpenID Connect OP attribute release issues

2020-08-22 Thread Jérôme Steve
First, I think you have to define attributes.username corresponding to your
login:

https://apereo.github.io/cas/5.1.x/integration/Attribute-Release-Policies.html

After that you have to map attributes to claims:

https://apereo.github.io/cas/5.1.x/installation/OIDC-Authentication.html#mapping-claims



On Sat, Aug 22, 2020 at 10:34, Nikolas Stylianides
wrote:

> Anyone with an answer for this behavior?
> I can now release attributes but only under the field "attributes".
> Anything i am missing to be able to release claims in the format:
> {
> "email": "inf...@gmail.com ",
> "given_name": "test",
> "sub": "test",
> "service": "client_id",
> "auth_time": 1598017095,
> "id": "test",
> "client_id": "client_id"
> }
>
>
> On Friday, August 21, 2020 at 4:48:44 PM UTC+3, Nikolas Stylianides
> wrote:
>
>> Hi Jerome. Thank you for the response.
>> I am a little bit confused. What to define?
>> When it comes to get the user info, CAS Debugger it reports:
>>
>> I have been able to release attributes in the attribute claim
>>
>> {
>> "sub": "test",
>> "service": "client_id",
>> "auth_time": 1598017095,
>> "attributes": {
>> "email": "inf...@gmail.com",
>> "profile": "test"
>> },
>> "id": "test",
>> "client_id": "client_id"
>> }
>>
>> by enabling:
>>
>> cas.authn.attribute-repository.ldap[0].attributes.cn=profile
>> cas.authn.attribute-repository.ldap[0].attributes.mail=email
>>
>> But still i cannot release the CLAIMS for the requested scopes (email,
>> profile)
>>
>> Thank you in advance
>>
>>
>>
>>
>>
>>
>>
>> On Fri, Aug 21, 2020 at 12:36 PM Jérôme Steve 
>> wrote:
>>
>>> Hi,
>>>
>>> In CAS, OIDC claims values come from attribute repositories.
>>> So you have to define it to retrieve your attributes value.
>>> And after that you can map it to the OIDC claims.
>>>
>>> Jérôme
>>>
>>> On Fri, Aug 21, 2020 at 09:39, Nikolas Stylianides
>>> wrote:
>>>
 when i use the PASSWORD grant_type and then use the return token to
 fetch user information from oidc/profile this is what i get.

 {
 "sub": "aUserName",
 "service": "client_id",
 "auth_time": 1597989795,
 "attributes": {},
 "id": " aUserName  ",
 "client_id": "client_id"
 }

 Any ideas why i have no claims in the return JSON?
 Maybe the same happens with the AUTHORIZATION_CODE grant_type?



 On Thursday, August 20, 2020 at 5:37:33 PM UTC+3, Nikolas Stylianides
 wrote:

> Hi there.
> Another strange behavior is the following.
> I am setting my Moodle to OIDC and the procedure goes well. Once I
> "Allow" the claims it does not get any user info.
>
> CAS Debugger reports:  repositories for [{username=c44c3fc514202ac9a8cc5cf6437c1c21}]>
>
> which username is actually client_id
>
>
>
> On Wed, Aug 19, 2020 at 6:35 PM Nikolas Stylianides <
> nstyli...@gmail.com> wrote:
>
>> Hi there.
>> I have managed to set up the OpenID Connect protocol.
>> The issue i am facing is in the last steps where the Attributes
>> should be released to the service but they are not.
>> I am getting on the logs of CAS the following:  WARN
>> [org.apereo.cas.authentication.attribute.PrincipalAttributeRepositoryFetcher]
>> - 
>>
>> Any advice?
>>
>> My service has been defined as follows:
>> Service is Moodle
>>
>> {
>>   "@class" : "org.apereo.cas.services.OidcRegisteredService",
>>   "serviceId" : "https://myservice.domain/admin/oauth2callback.php",
>>   "name" : "oidc",
>>   "id" : 102,
>>   "clientId": "...",
>>   "clientSecret": "...",
>>   "scopes": [ "java.util.HashSet",
>> [ "openid", "profile", "email", "address", "phone",
>> "offline_access", "displayName" ]
>>   ],
>>   "supportedGrantTypes":[ "java.util.HashSet",
>>
>> ["AUTHORIZATION_CODE","CLIENT_CREDENTIALS","PASSWORD","REFRESH_TOKEN"]
>>   ],
>>   "supportedResponseTypes":[ "java.util.HashSet", [ "code" ] ],
>>   "theme": "apereo",
>>   "description" : "This service definition authorizes all application
>> urls that support HTTPS and IMAPS protocols.",
>>   "evaluationOrder" : 1,
>>   "attributeReleasePolicy" : {
>> "@class" :
>> "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
>>   },
>>   "accessStrategy" : {
>> "@class" :
>> "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
>> "enabled" : true,
>> "ssoEnabled" : true
>>   }
>> }
>>
>> Thank you in advance.
>>

Re: [cas-user] CAS 6.2.1 OpenID Connect OP attribute release issues

2020-08-22 Thread Nikolas Stylianides
Anyone with an answer for this behavior? 
I can now release attributes but only under the field "attributes".
Anything I am missing to be able to release claims in the format:
{
"email": "inf...@gmail.com ",
"given_name": "test",
"sub": "test",
"service": "client_id",
"auth_time": 1598017095,
"id": "test",
"client_id": "client_id"
}


On Friday, August 21, 2020 at 4:48:44 PM UTC+3, Nikolas Stylianides
wrote:

> Hi Jerome. Thank you for the response. 
> I am a little bit confused. What to define? 
> When it comes to get the user info, CAS Debugger it reports: 
>
> I have been able to release attributes in the attribute claim
>
> {
> "sub": "test",
> "service": "client_id",
> "auth_time": 1598017095,
> "attributes": {
> "email": "inf...@gmail.com",
> "profile": "test"
> },
> "id": "test",
> "client_id": "client_id"
> }
>
> by enabling: 
>
> cas.authn.attribute-repository.ldap[0].attributes.cn=profile
> cas.authn.attribute-repository.ldap[0].attributes.mail=email
>
> But still i cannot release the CLAIMS for the requested scopes (email, 
> profile)
>
> Thank you in advance
>
>
>
>
>
>
>
> On Fri, Aug 21, 2020 at 12:36 PM Jérôme Steve  wrote:
>
>> Hi,
>>
>> In CAS, OIDC claims values come from attribute repositories.
>> So you have to define it to retrieve your attributes value.
>> And after that you can map it to the OIDC claims.
>>
>> Jérôme
>>
>> On Fri, Aug 21, 2020 at 09:39, Nikolas Stylianides
>> wrote:
>>
>>> when i use the PASSWORD grant_type and then use the return token to 
>>> fetch user information from oidc/profile this is what i get. 
>>>
>>> {
>>> "sub": "aUserName",
>>> "service": "client_id",
>>> "auth_time": 1597989795,
>>> "attributes": {},
>>> "id": " aUserName  ",
>>> "client_id": "client_id"
>>> }
>>>
>>> Any ideas why i have no claims in the return JSON?
>>> Maybe the same happens with the AUTHORIZATION_CODE grant_type?
>>>
>>>
>>>
>>> On Thursday, August 20, 2020 at 5:37:33 PM UTC+3, Nikolas Stylianides
>>> wrote:
>>>
 Hi there. 
 Another strange behavior is the following. 
 I am setting my Moodle to OIDC and the procedure goes well. Once I
 "Allow" the claims it does not get any user info.

 CAS Debugger reports: >>> repositories for [{username=c44c3fc514202ac9a8cc5cf6437c1c21}]>

 which username is actually client_id



 On Wed, Aug 19, 2020 at 6:35 PM Nikolas Stylianides <
 nstyli...@gmail.com> wrote:

> Hi there. 
> I have managed to set up the OpenID Connect protocol.
> The issue i am facing is in the last steps where the Attributes should 
> be released to the service but they are not. 
> I am getting on the logs of CAS the following:  WARN 
> [org.apereo.cas.authentication.attribute.PrincipalAttributeRepositoryFetcher]
>  
> - 
>
> Any advice? 
>
> My service has been defined as follows: 
> Service is Moodle
>
> {
>   "@class" : "org.apereo.cas.services.OidcRegisteredService",
>   "serviceId" : "https://myservice.domain/admin/oauth2callback.php",
>   "name" : "oidc",
>   "id" : 102,
>   "clientId": "...",
>   "clientSecret": "...",
>   "scopes": [ "java.util.HashSet",
> [ "openid", "profile", "email", "address", "phone", 
> "offline_access", "displayName" ]
>   ],
>   "supportedGrantTypes":[ "java.util.HashSet",
> 
> ["AUTHORIZATION_CODE","CLIENT_CREDENTIALS","PASSWORD","REFRESH_TOKEN"]
>   ],
>   "supportedResponseTypes":[ "java.util.HashSet", [ "code" ] ],
>   "theme": "apereo",
>   "description" : "This service definition authorizes all application 
> urls that support HTTPS and IMAPS protocols.",
>   "evaluationOrder" : 1,
>   "attributeReleasePolicy" : {
> "@class" : 
> "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
>   },
>   "accessStrategy" : {
> "@class" : 
> "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
> "enabled" : true,
> "ssoEnabled" : true
>   }
> }
>
> Thank you in advance. 
>

Re: [cas-user] CAS 6.2.1 OpenID Connect OP attribute release issues

2020-08-21 Thread Nikolas Stylianides
Hi Jerome. Thank you for the response.
I am a little bit confused. What to define?
When it comes to get the user info, CAS Debugger it reports:

I have been able to release attributes in the attribute claim

{
"sub": "test",
"service": "client_id",
"auth_time": 1598017095,
"attributes": {
"email": "inf...@gmail.com",
"profile": "test"
},
"id": "test",
"client_id": "client_id"
}

by enabling:

cas.authn.attribute-repository.ldap[0].attributes.cn=profile
cas.authn.attribute-repository.ldap[0].attributes.mail=email

But still I cannot release the CLAIMS for the requested scopes (email,
profile)

Thank you in advance







On Fri, Aug 21, 2020 at 12:36 PM Jérôme Steve 
wrote:

> Hi,
>
> In CAS, OIDC claims values come from attribute repositories.
> So you have to define it to retrieve your attributes value.
> And after that you can map it to the OIDC claims.
>
> Jérôme
>
> On Fri, Aug 21, 2020 at 09:39, Nikolas Stylianides
> wrote:
>
>> when i use the PASSWORD grant_type and then use the return token to fetch
>> user information from oidc/profile this is what i get.
>>
>> {
>> "sub": "aUserName",
>> "service": "client_id",
>> "auth_time": 1597989795,
>> "attributes": {},
>> "id": " aUserName  ",
>> "client_id": "client_id"
>> }
>>
>> Any ideas why i have no claims in the return JSON?
>> Maybe the same happens with the AUTHORIZATION_CODE grant_type?
>>
>>
>>
>> On Thursday, August 20, 2020 at 5:37:33 PM UTC+3, Nikolas Stylianides
>> wrote:
>>
>>> Hi there.
>>> Another strange behavior is the following.
>>> I am setting my Moodle to OIDC and the procedure goes well. Once I
>>> "Allow" the claims it does not get any user info.
>>>
>>> CAS Debugger reports: >> repositories for [{username=c44c3fc514202ac9a8cc5cf6437c1c21}]>
>>>
>>> which username is actually client_id
>>>
>>>
>>>
>>> On Wed, Aug 19, 2020 at 6:35 PM Nikolas Stylianides 
>>> wrote:
>>>
 Hi there.
 I have managed to set up the OpenID Connect protocol.
 The issue i am facing is in the last steps where the Attributes should
 be released to the service but they are not.
 I am getting on the logs of CAS the following:  WARN
 [org.apereo.cas.authentication.attribute.PrincipalAttributeRepositoryFetcher]
 - 

 Any advice?

 My service has been defined as follows:
 Service is Moodle

 {
   "@class" : "org.apereo.cas.services.OidcRegisteredService",
   "serviceId" : "https://myservice.domain/admin/oauth2callback.php",
   "name" : "oidc",
   "id" : 102,
   "clientId": "...",
   "clientSecret": "...",
   "scopes": [ "java.util.HashSet",
 [ "openid", "profile", "email", "address", "phone",
 "offline_access", "displayName" ]
   ],
   "supportedGrantTypes":[ "java.util.HashSet",

 ["AUTHORIZATION_CODE","CLIENT_CREDENTIALS","PASSWORD","REFRESH_TOKEN"]
   ],
   "supportedResponseTypes":[ "java.util.HashSet", [ "code" ] ],
   "theme": "apereo",
   "description" : "This service definition authorizes all application
 urls that support HTTPS and IMAPS protocols.",
   "evaluationOrder" : 1,
   "attributeReleasePolicy" : {
 "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
   },
   "accessStrategy" : {
 "@class" :
 "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
 "enabled" : true,
 "ssoEnabled" : true
   }
 }

 Thank you in advance.


Re: [cas-user] CAS 6.2.1 OpenID Connect OP attribute release issues

2020-08-21 Thread Jérôme Steve
Hi,

In CAS, OIDC claims values come from attribute repositories.
So you have to define it to retrieve your attributes value.
And after that you can map it to the OIDC claims.

Jérôme

On Fri, Aug 21, 2020 at 09:39, Nikolas Stylianides
wrote:

> when i use the PASSWORD grant_type and then use the return token to fetch
> user information from oidc/profile this is what i get.
>
> {
> "sub": "aUserName",
> "service": "client_id",
> "auth_time": 1597989795,
> "attributes": {},
> "id": " aUserName  ",
> "client_id": "client_id"
> }
>
> Any ideas why i have no claims in the return JSON?
> Maybe the same happens with the AUTHORIZATION_CODE grant_type?
>
>
>
> On Thursday, August 20, 2020 at 5:37:33 PM UTC+3, Nikolas Stylianides
> wrote:
>
>> Hi there.
>> Another strange behavior is the following.
>> I am setting my Moodle to OIDC and the procedure goes well. Once I
>> "Allow" the claims it does not get any user info.
>>
>> CAS Debugger reports: > repositories for [{username=c44c3fc514202ac9a8cc5cf6437c1c21}]>
>>
>> which username is actually client_id
>>
>>
>>
>> On Wed, Aug 19, 2020 at 6:35 PM Nikolas Stylianides 
>> wrote:
>>
>>> Hi there.
>>> I have managed to set up the OpenID Connect protocol.
>>> The issue i am facing is in the last steps where the Attributes should
>>> be released to the service but they are not.
>>> I am getting on the logs of CAS the following:  WARN
>>> [org.apereo.cas.authentication.attribute.PrincipalAttributeRepositoryFetcher]
>>> - 
>>>
>>> Any advice?
>>>
>>> My service has been defined as follows:
>>> Service is Moodle
>>>
>>> {
>>>   "@class" : "org.apereo.cas.services.OidcRegisteredService",
>>>   "serviceId" : "https://myservice.domain/admin/oauth2callback.php",
>>>   "name" : "oidc",
>>>   "id" : 102,
>>>   "clientId": "...",
>>>   "clientSecret": "...",
>>>   "scopes": [ "java.util.HashSet",
>>> [ "openid", "profile", "email", "address", "phone",
>>> "offline_access", "displayName" ]
>>>   ],
>>>   "supportedGrantTypes":[ "java.util.HashSet",
>>>
>>> ["AUTHORIZATION_CODE","CLIENT_CREDENTIALS","PASSWORD","REFRESH_TOKEN"]
>>>   ],
>>>   "supportedResponseTypes":[ "java.util.HashSet", [ "code" ] ],
>>>   "theme": "apereo",
>>>   "description" : "This service definition authorizes all application
>>> urls that support HTTPS and IMAPS protocols.",
>>>   "evaluationOrder" : 1,
>>>   "attributeReleasePolicy" : {
>>> "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
>>>   },
>>>   "accessStrategy" : {
>>> "@class" :
>>> "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
>>> "enabled" : true,
>>> "ssoEnabled" : true
>>>   }
>>> }
>>>
>>> Thank you in advance.
>>>

Re: [cas-user] CAS 6.2.1 OpenID Connect OP attribute release issues

2020-08-21 Thread Nikolas Stylianides
When I use the PASSWORD grant_type and then use the returned token to fetch
user information from oidc/profile this is what I get.

{
"sub": "aUserName",
"service": "client_id",
"auth_time": 1597989795,
"attributes": {},
"id": " aUserName  ",
"client_id": "client_id"
}

Any ideas why I have no claims in the returned JSON?
Maybe the same happens with the AUTHORIZATION_CODE grant_type?



On Thursday, August 20, 2020 at 5:37:33 PM UTC+3, Nikolas Stylianides
wrote:

> Hi there. 
> Another strange behavior is the following. 
> I am setting my Moodle to OIDC and the procedure goes well. Once I "Allow"
> the claims it does not get any user info.
>
> CAS Debugger reports:  repositories for [{username=c44c3fc514202ac9a8cc5cf6437c1c21}]>
>
> which username is actually client_id
>
>
>
> On Wed, Aug 19, 2020 at 6:35 PM Nikolas Stylianides  
> wrote:
>
>> Hi there. 
>> I have managed to set up the OpenID Connect protocol.
>> The issue i am facing is in the last steps where the Attributes should be 
>> released to the service but they are not. 
>> I am getting on the logs of CAS the following:  WARN 
>> [org.apereo.cas.authentication.attribute.PrincipalAttributeRepositoryFetcher]
>>  
>> - 
>>
>> Any advice? 
>>
>> My service has been defined as follows: 
>> Service is Moodle
>>
>> {
>>   "@class" : "org.apereo.cas.services.OidcRegisteredService",
>>   "serviceId" : "https://myservice.domain/admin/oauth2callback.php",
>>   "name" : "oidc",
>>   "id" : 102,
>>   "clientId": "...",
>>   "clientSecret": "...",
>>   "scopes": [ "java.util.HashSet",
>> [ "openid", "profile", "email", "address", "phone", "offline_access", 
>> "displayName" ]
>>   ],
>>   "supportedGrantTypes":[ "java.util.HashSet",
>> ["AUTHORIZATION_CODE","CLIENT_CREDENTIALS","PASSWORD","REFRESH_TOKEN"]
>>   ],
>>   "supportedResponseTypes":[ "java.util.HashSet", [ "code" ] ],
>>   "theme": "apereo",
>>   "description" : "This service definition authorizes all application 
>> urls that support HTTPS and IMAPS protocols.",
>>   "evaluationOrder" : 1,
>>   "attributeReleasePolicy" : {
>> "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
>>   },
>>   "accessStrategy" : {
>> "@class" : 
>> "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
>> "enabled" : true,
>> "ssoEnabled" : true
>>   }
>> }
>>
>> Thank you in advance. 
>>



Re: [cas-user] CAS 6.2.1 OpenID Connect OP attribute release issues

2020-08-20 Thread Nikolas Stylianides
Hi there.
Another strange behavior is the following.
I am setting my Moodle to OIDC and the procedure goes well. Once I "Allow"
the claims it does not get any user info.

CAS Debugger reports: 

which username is actually client_id



On Wed, Aug 19, 2020 at 6:35 PM Nikolas Stylianides 
wrote:

> Hi there.
> I have managed to set up the OpenID Connect protocol.
> The issue I am facing is in the last steps where the Attributes should be
> released to the service but they are not.
> I am getting on the logs of CAS the following:  WARN
> [org.apereo.cas.authentication.attribute.PrincipalAttributeRepositoryFetcher]
> - 
>
> Any advice?
>
> My service has been defined as follows:
> Service is Moodle
>
> {
>   "@class" : "org.apereo.cas.services.OidcRegisteredService",
>   "serviceId" : "https://myservice.domain/admin/oauth2callback.php",
>   "name" : "oidc",
>   "id" : 102,
>   "clientId": "...",
>   "clientSecret": "...",
>   "scopes": [ "java.util.HashSet",
>     [ "openid", "profile", "email", "address", "phone", "offline_access", "displayName" ]
>   ],
>   "supportedGrantTypes":[ "java.util.HashSet",
>     ["AUTHORIZATION_CODE","CLIENT_CREDENTIALS","PASSWORD","REFRESH_TOKEN"]
>   ],
>   "supportedResponseTypes":[ "java.util.HashSet", [ "code" ] ],
>   "theme": "apereo",
>   "description" : "This service definition authorizes all application urls that support HTTPS and IMAPS protocols.",
>   "evaluationOrder" : 1,
>   "attributeReleasePolicy" : {
>     "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
>   },
>   "accessStrategy" : {
>     "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
>     "enabled" : true,
>     "ssoEnabled" : true
>   }
> }
>
> Thank you in advance.
>

-- 
Δρ. Νικόλας Στυλιανίδης
Ηλεκτρολόγος Μηχανικός και Μηχ. Υπολογιστών

Nikolas Stylianides, Dr.
Dr. Eng. in Electrical & Computer Engineering

Contacts
-
Mobile Tel.: +35796741315
Email: nstyliani...@leafnet.com.cy, nstyliani...@gmail.com
Skype: nicostyl

Affiliation
---
LEAF NET LTD: Research & Development
Open University of Cyprus: Research Associate, APPLIED HEALTH INFORMATICS
Master Programme Academic Board Member


Tο λακωνίζειν εστί φιλοσοφείν / Μηδέν Άγαν - Χίλων ο Λακεδαιμόνιος:

Brevity is the soul of wit - Shakespeare William (Hamlet)
