I used CAS v6.4 and it's OK for me. I think there is something wrong with your configuration. You defined the scopes (scopes=openid,profile,email), and CAS will use these as the attribute release policy. The scope email will only release the attributes email and email_verified, and profile will release name, given_name, family_name, so the attributes in your claims-map do not have a value, so the IDToken does have value.
On Tuesday, January 11, 2022 at 12:28:01 UTC+8, John Wagenleitner wrote:

> In CAS v6.3 (up to and including v6.3.7.4) we used the
> `cas.authn.oidc.claims-map` properties to map our LDAP attribute names to
> the standard claim names. This mapping worked for both the ID Token and the
> UserInfo (`/profile`) endpoint.
>
> Here are the relevant properties we have set:
>
> ```
> cas.authn.oidc.discovery.scopes=openid,profile,email
> cas.authn.oidc.discovery.claims=sub,name,family_name,given_name,email
> cas.authn.oidc.core.claims-map.email=mail
> cas.authn.oidc.core.claims-map.name=cn
> cas.authn.oidc.core.claims-map.family_name=sn
> cas.authn.oidc.core.claims-map.given_name=givenName
> ```
>
> This mapping is no longer working in CAS v6.4 (and also tested in the
> latest v6.4.4.2) for the generated ID Token. Our ID Token claims no longer
> contain the mapped names but instead contain the LDAP attribute names such
> as `mail`, `cn`, etc. The UserInfo endpoint does correctly contain the
> mapped claim names.
>
> As a possible workaround, I tried using a service definition that included
> an `attributeReleasePolicy` using the `ReturnMappedAttributeReleasePolicy`
> class but that had no effect on the ID Token claim names.
>
> I have reviewed all the OIDC settings and didn't spot anything that looks
> like it would address this issue.
>
> Any help/advice would be appreciated,
> John
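To see which claim names an ID Token actually carries when comparing CAS versions or configurations, the payload can be decoded and checked against the claims-map quoted above. This is an added example, not code from the thread or from CAS; the function names are hypothetical, the sample tokens are constructed, and the signature is deliberately not verified because this is a diagnostic, not a validation step.

```python
import base64
import json

# Mapping copied from the cas.authn.oidc.core.claims-map.* properties quoted
# in the thread: standard claim name -> LDAP attribute name.
CLAIMS_MAP = {"email": "mail", "name": "cn", "family_name": "sn", "given_name": "givenName"}

def jwt_payload(token: str) -> dict:
    """Decode the payload of a compact JWS without verifying it (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-part compact JWS (an encrypted ID Token has five)")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))

def check_mapping(claims: dict, claims_map: dict = CLAIMS_MAP) -> dict:
    """Report mapped claim names that are absent and LDAP names that appear unmapped."""
    return {
        "missing": sorted(c for c in claims_map if c not in claims),
        "unmapped": sorted(a for a in claims_map.values() if a in claims),
    }

def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token (placeholder signature segment)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"

if __name__ == "__main__":
    # Constructed sample shaped like the behaviour reported for v6.4:
    # LDAP attribute names appear in the ID Token instead of the mapped names.
    reported = make_sample_token({"sub": "jdoe", "mail": "jdoe@example.org",
                                  "cn": "Jane Doe", "sn": "Doe", "givenName": "Jane"})
    print(check_mapping(jwt_payload(reported)))
```

Run it against the ID Token and against the JSON returned by the UserInfo endpoint to compare the two outputs side by side.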
