Hi,

we're trying to add CAS as an OpenID Connect provider for an OpenProject 
installation.

We've gotten as far as the user being redirected to CAS to log in and coming 
back to OpenProject.
However, the issue then is that there are no user attributes in the 
userinfo response directly (on the same level as 'sub' for instance).
Instead all the attributes are one level below under 'attributes'.

{
    "sub"=>"admin",
    "service"=>"https://192.168.56.10/openproject/auth/cas/callback",
    "auth_time"=>1715934410,
    "attributes"=>{
      "mail"=>"ad...@example.net",
      "displayName"=>"admin",
      "surname"=>"admin",
      "givenName"=>"admin",
      "groups"=>["admin"],
      "cn"=>"admin",
      "username"=>"admin"
  },

According to the OpenID Connect specification [2] these attributes should 
be one level higher, though.
Like this:

{
    "sub"=>"admin",
    "name"=>"admin admin",
    "family_name"=>"admin",
    "given_name"=>"admin",
    "email"=>"ad...@example.net"
  }

I found the same issue in [1] but it seems it was never resolved.

I'm 99% sure this is not an issue on the OpenProject side which simply uses 
default gems/libraries for the OpenID Connect things and works just fine 
with Google, MS Entra, Keycloak etc. via OpenID Connect.

So I suspect this must be an option on the CAS side.
Is there any hint I can give the people running the CAS instance as to what 
to look for?

Best regards,
Markus

[1] [cas-user] CAS 6.2.1 OpenID Connect OP attribute release issues 
<https://groups.google.com/a/apereo.org/g/cas-user/c/T9EeA_JXhqw>
[2] https://openid.net/specs/openid-connect-basic-1_0.html#StandardClaims
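
Added example, not part of the original message and not OpenProject or CAS code: a Ruby sketch that makes the gap between the two payloads above concrete by lifting the nested `attributes` into top-level standard claims while refusing to let a nested value replace `sub` or any claim already present at the top level. The names `flatten_userinfo`, `CLAIM_MAP` and `PROTECTED` are hypothetical, the attribute-to-claim mapping is an assumption read off the two samples in the post, and `name` is built from given and family name to match the flat sample.

```ruby
require "set"

# Assumed mapping from the attribute names in the nested sample to the
# OIDC standard claim names in the flat sample (not a CAS default).
CLAIM_MAP = {
  "mail" => "email", "givenName" => "given_name", "surname" => "family_name"
}.freeze

# Claims that a nested attribute must never set or replace.
PROTECTED = Set["sub", "iss", "aud", "auth_time"].freeze

# Returns [claims, added]: the flat claim set, and the names of the claims
# that were missing at the top level and had to be filled in.
def flatten_userinfo(userinfo, claim_map = CLAIM_MAP)
  sub = userinfo["sub"]
  raise ArgumentError, "userinfo has no usable 'sub'" unless sub.is_a?(String) && !sub.empty?

  nested = userinfo["attributes"].is_a?(Hash) ? userinfo["attributes"] : {}
  claims = userinfo.reject { |key, _| key == "attributes" }
  added  = []

  claim_map.each do |attr, claim|
    next if PROTECTED.include?(claim) || claims.key?(claim) # top level wins
    value = nested[attr]
    next unless value.is_a?(String) && !value.empty?        # skip arrays, nil
    claims[claim] = value
    added << claim
  end

  unless claims.key?("name")
    full = [claims["given_name"], claims["family_name"]].grep(String).join(" ")
    unless full.empty?
      claims["name"] = full
      added << "name"
    end
  end
  [claims, added]
end

# Constructed input modelled on the nested response in the post; the mail
# address is a placeholder.
NESTED_SAMPLE = {
  "sub" => "admin", "auth_time" => 1715934410,
  "attributes" => {
    "mail" => "user@example.net", "displayName" => "admin",
    "surname" => "admin", "givenName" => "admin", "groups" => ["admin"]
  }
}.freeze

p flatten_userinfo(NESTED_SAMPLE) if $PROGRAM_NAME == __FILE__
```

A non-empty `added` list means the relying party would not have seen those claims in the provider's response as delivered.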
