Hello,

Have you tried to set cas.authn.oidc.core.include-id-token-claims=true ?
According to the OIDC spec, if you are using response_type=code, the id_token should not contain the user claims. But if you are using response_type=id_token, then the id_token should include the user claims. According to the CAS 6.4 doc, if you set cas.authn.oidc.core.include-id-token-claims=true, it will force the release of user claims in the id_token. However, in my tests with CAS 6.4.4.2, even with response_type=id_token, user claims are not included in the id_token (tried to GET a URL like https://mycasserver.com/cas/oidc/oidcAuthorize?response_type=id_token&client_id=myclient&scope=openid%20profile%20email&redirect_uri=https://serviceredirecturi). Not a blocker for me for the moment, but if you find a fix, I'm interested.

Here is the relevant documentation: https://apereo.github.io/cas/6.4.x/authentication/OIDC-Authentication-Claims.html#configuration

- cas.authn.oidc.core.include-id-token-claims=true

  As per OpenID Connect Core section 5.4, "The Claims requested by the profile, email, address, and phone scope values are returned from the userinfo endpoint", except for response_type=id_token, where they are returned in the id_token (as there is no access token issued that could be used to access the userinfo endpoint). The Claims requested by the profile, email, address, and phone scope values are returned from the userinfo endpoint when a response_type value is used that results in an access token being issued. However, when no access token is issued (which is the case for the response_type value id_token), the resulting Claims are returned in the ID Token. Setting this flag to true will force CAS to include claims in the ID token regardless of the response type. Note that this setting MUST ONLY be used as a last resort, to stay compliant with the specification as much as possible. DO NOT use this setting without due consideration.

  Note that this setting is set to true by default, mainly provided to preserve backward compatibility with previous CAS versions that included claims in the ID token without considering the response type. The behavior of this setting may change and it may be removed in future CAS releases.

On Tue, Jan 11, 2022 at 5:28 AM John Wagenleitner <[email protected]> wrote:

> In CAS v6.3 (up to and including v6.3.7.4) we used the
> `cas.authn.oidc.claims-map` properties to map our LDAP attribute names to
> the standard claim names. This mapping worked for both the ID Token and the
> UserInfo (`/profile`) endpoint.
>
> Here are the relevant properties we have set:
>
> ```
> cas.authn.oidc.discovery.scopes=openid,profile,email
> cas.authn.oidc.discovery.claims=sub,name,family_name,given_name,email
> cas.authn.oidc.core.claims-map.email=mail
> cas.authn.oidc.core.claims-map.name=cn
> cas.authn.oidc.core.claims-map.family_name=sn
> cas.authn.oidc.core.claims-map.given_name=givenName
> ```
>
> This mapping is no longer working in CAS v6.4 (and also tested in the
> latest v6.4.4.2) for the generated ID Token. Our ID Token claims no longer
> contain the mapped names but instead contain the LDAP attribute names such
> as `mail`, `cn`, etc. The UserInfo endpoint does correctly contain the
> mapped claim names.
>
> As a possible workaround, I tried using a service definition that included
> an `attributeReleasePolicy` using the `ReturnMappedAttributeReleasePolicy`
> class but that had no effect on the ID Token claim names.
>
> I have reviewed all the OIDC settings and didn't spot anything that looks
> like it would address this issue.
>
> Any help/advice would be appreciated,
> John
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/fdf662f8-e990-4b9a-b22a-57a6c643e0b1n%40apereo.org
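An added check, not code from the thread or from CAS itself, that a relying party can run after an upgrade to spot the regression John describes: it parses the `claims-map` properties quoted above and audits a decoded ID token for mapped claim names that are missing and raw LDAP attribute names that leaked through unmapped. The ID token below is a constructed, unsigned sample, and the function names are my own.

```python
import base64
import json

# Constructed sample: the claims-map properties quoted in the thread.
CLAIMS_MAP_PROPERTIES = """
cas.authn.oidc.discovery.claims=sub,name,family_name,given_name,email
cas.authn.oidc.core.claims-map.email=mail
cas.authn.oidc.core.claims-map.name=cn
cas.authn.oidc.core.claims-map.family_name=sn
cas.authn.oidc.core.claims-map.given_name=givenName
"""
CLAIMS_MAP_PREFIX = "cas.authn.oidc.core.claims-map."


def parse_claims_map(properties: str) -> dict:
    """Return {standard_claim: ldap_attribute} from CAS claims-map properties."""
    mapping = {}
    for line in properties.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.startswith(CLAIMS_MAP_PREFIX):
            mapping[key[len(CLAIMS_MAP_PREFIX):]] = value.strip()
    return mapping


def decode_jwt_payload(token: str) -> dict:
    """Decode only the payload segment of a compact JWS. The signature is NOT
    verified here; validate it against the issuer's JWKS before trusting claims."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("not a compact JWS")
    payload = segments[1] + "=" * (-len(segments[1]) % 4)  # restore padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_id_token_claims(token: str, claims_map: dict) -> dict:
    """Report mapped claims absent from the ID token and LDAP attribute
    names that appear in it unmapped (the symptom described in the thread)."""
    claims = decode_jwt_payload(token)
    return {
        "missing_mapped": sorted(c for c in claims_map if c not in claims),
        "leaked_raw": sorted(a for a in claims_map.values() if a in claims),
    }


def build_unsigned_token(payload: dict) -> str:
    """Constructed, unsigned sample token for offline testing only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


# Constructed sample mirroring the reported ID token: raw attribute names only.
SAMPLE_ID_TOKEN = build_unsigned_token({"sub": "jdoe", "mail": "jdoe@example.org",
                                        "cn": "John Doe", "sn": "Doe", "givenName": "John"})
```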
