I believe this was a security-related change with the latest 6.6. For the 'non-standard' attributes that aren't already part of the OIDC spec you will need to do something like the example below. You can add that in addition to the scope releases.
"attributeReleasePolicy": { "@class": "org.apereo.cas.oidc.claims.OidcScopeFreeAttributeReleasePolicy", "allowedAttributes" : [ "java.util.ArrayList", [ "surrogateUser", "surrogatePrincipal", "surrogateEnabled" ] ] }, On Wed, May 28, 2025 at 9:01 AM Stef <theb...@gmail.com> wrote: > Have you tried to explicitly release these attributes in your service > definition ? > > Le mer. 28 mai 2025 à 15:21, 'Udo Einspanier' via CAS Community < > cas-user@apereo.org> a écrit : > >> Hi Stef, >> >> thanks a lot for the reference. Yes, the app requests openid scope, so >> indeed it could be related. Do you know if there is some documentation how >> to release the surrogate attributes in the JWT again? Otherwise, I will >> check the code changes. >> >> Best regards, >> Udo >> >> >> On Wednesday, May 28, 2025 at 9:57:34 AM UTC+2 Stef wrote: >> >>> Does your app request openid scope ? >>> >>> Your problem looks related to this fix >>> https://apereo.github.io/2024/06/26/oidc-vuln/ >>> >>> Le mer. 28 mai 2025 à 09:31, 'Udo Einspanier' via CAS Community < >>> cas-...@apereo.org> a écrit : >>> >>>> Hi, >>>> >>>> just wanted to check if anyone has updates on this issue. Has it been >>>> addressed in newer versions? Or is it no longer possible to get the >>>> surrogate authentication attributes into the JWT via configuration? >>>> >>>> Best regards, >>>> Udo >>>> >>>> On Wednesday, September 4, 2024 at 2:42:36 PM UTC+2 Udo Einspanier >>>> wrote: >>>> >>>>> Same problem here. Unfortunately, I have not found a solution yet. >>>>> Maybe you could create a your own Groovy attribute resolver and release >>>>> these as other attributes. But I have not tried it any workarounds yet. >>>>> Still hoping for an easier solution. >>>>> >>>>> On Wednesday, September 4, 2024 at 12:41:42 PM UTC+2 Jorge Bastida >>>>> Cano wrote: >>>>> >>>>>> hello, I'm still stuck on this. any ideas? 
>>>>>> >>>>>> El martes, 30 de julio de 2024 a las 9:18:47 UTC+2, Jorge Bastida >>>>>> Cano escribió: >>>>>> >>>>>>> Same problem here. This does not happen to us with version 6.6.15.1. >>>>>>> any solution for 6.6.15.2? >>>>>>> >>>>>>> El martes, 30 de julio de 2024 a las 2:33:40 UTC+2, Udo Einspanier >>>>>>> escribió: >>>>>>> >>>>>>>> Hi everyone, >>>>>>>> >>>>>>>> we are using CAS as OIDC server and return the accessToken as JWT >>>>>>>> in the authentication response. We just tried to upgrade from 6.6.2 to >>>>>>>> 6.6.15.2. >>>>>>>> But now all the CAS authentication-related attributes that were >>>>>>>> previously part of the JWT access token are missing. and only the >>>>>>>> attributes returned during attribute resolution are still there. E.g. >>>>>>>> these >>>>>>>> attributes are now missing: >>>>>>>> >>>>>>>> { >>>>>>>> "surrogateUser": "yyy", >>>>>>>> "longTermAuthenticationRequestTokenUsed": false, >>>>>>>> "surrogateEnabled": "true", >>>>>>>> "isFromNewLogin": true, >>>>>>>> "authenticationDate": "2024-07-29T12:44:57.359913Z", >>>>>>>> "surrogatePrincipal": "xxx", >>>>>>>> "successfulAuthenticationHandlers": >>>>>>>> "QueryDatabaseAuthenticationHandler", >>>>>>>> "credentialType": "SurrogateUsernamePasswordCredential", >>>>>>>> "authenticationMethod": "QueryDatabaseAuthenticationHandler", >>>>>>>> ... >>>>>>>> } >>>>>>>> >>>>>>>> From these, we require the surrogate* attributes. >>>>>>>> Is it the intended behavior that these attributes are missing now? >>>>>>>> Is there any configuration setting to get them back into the JWT access >>>>>>>> token? >>>>>>>> >>>>>>>> Thanks, >>>>>>>> Udo >>>>>>>> >>>>>>> -- >>>> - Website: https://apereo.github.io/cas >>>> - List Guidelines: https://goo.gl/1VRrw7 >>>> - Contributions: https://goo.gl/mh7qDG >>>> --- >>>> You received this message because you are subscribed to the Google >>>> Groups "CAS Community" group. 
>>>> To unsubscribe from this group and stop receiving emails from it, send >>>> an email to cas-user+u...@apereo.org. >>>> To view this discussion visit >>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/c668dd93-9e94-4ecf-8533-ef188ffdd7c8n%40apereo.org >>>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/c668dd93-9e94-4ecf-8533-ef188ffdd7c8n%40apereo.org?utm_medium=email&utm_source=footer> >>>> . >>>> >>> -- >> - Website: https://apereo.github.io/cas >> - List Guidelines: https://goo.gl/1VRrw7 >> - Contributions: https://goo.gl/mh7qDG >> --- >> You received this message because you are subscribed to the Google Groups >> "CAS Community" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to cas-user+unsubscr...@apereo.org. >> To view this discussion visit >> https://groups.google.com/a/apereo.org/d/msgid/cas-user/57d80559-a171-443e-bbbb-09c34ace03abn%40apereo.org >> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/57d80559-a171-443e-bbbb-09c34ace03abn%40apereo.org?utm_medium=email&utm_source=footer> >> . >> > -- > - Website: https://apereo.github.io/cas > - List Guidelines: https://goo.gl/1VRrw7 > - Contributions: https://goo.gl/mh7qDG > --- > You received this message because you are subscribed to the Google Groups > "CAS Community" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to cas-user+unsubscr...@apereo.org. > To view this discussion visit > https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAENLzab5Sw%3DebVzypX5_h7v7vFO79gGUpPbZAj7pZDS3y5V-Rw%40mail.gmail.com > <https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAENLzab5Sw%3DebVzypX5_h7v7vFO79gGUpPbZAj7pZDS3y5V-Rw%40mail.gmail.com?utm_medium=email&utm_source=footer> > . 
> -- Jonathon Taylor (he/him) Information Security Office jonath...@berkeley.edu -- - Website: https://apereo.github.io/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CABzqDo-wkm%2BJA3nVZ0YAUxc-KzK_vANKEmWpprL1UVd94uZZ8Q%40mail.gmail.com.
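To confirm that a service definition with an explicit allow list actually puts the surrogate claims into the JWT access token, and releases nothing beyond what the policy allows, here is an added check (not code from the thread or from CAS) that parses CAS's JSON service format and diffs the allowed attributes against the claims found in a token. The service definition, the ChainingAttributeReleasePolicy wrapper, the issuer URL and the token are constructed samples.

```python
import base64
import json

# Constructed sample (not from the thread): an OIDC service definition in CAS's
# JSON format, where typed collections appear as ["java.util.X", [...]].
SERVICE_JSON = """{"@class": "org.apereo.cas.services.OidcRegisteredService",
  "attributeReleasePolicy": {"@class": "org.apereo.cas.services.ChainingAttributeReleasePolicy",
    "policies": ["java.util.ArrayList", [{
      "@class": "org.apereo.cas.oidc.claims.OidcScopeFreeAttributeReleasePolicy",
      "allowedAttributes": ["java.util.ArrayList",
        ["surrogateUser", "surrogatePrincipal", "surrogateEnabled"]]}]]}}"""
REGISTERED = {"iss", "sub", "aud", "exp", "nbf", "iat", "jti"}  # RFC 7519 claims, not attributes

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

# Constructed, unsigned token standing in for a CAS JWT access token. The check
# below reads the payload only, so verify a real token's signature against the
# CAS JWKS first and reject alg "none" outright.
SAMPLE_TOKEN = ".".join([b64url(b'{"alg":"none"}'), b64url(json.dumps({
    "sub": "xxx", "iss": "https://cas.example.org/cas/oidc", "surrogateUser": "yyy",
    "surrogatePrincipal": "xxx", "authenticationDate": "2024-07-29T12:44:57Z"}).encode()), ""])

def untype(value):
    """Drop Jackson type hints so ["java.util.ArrayList", [a, b]] becomes [a, b]."""
    if isinstance(value, list) and len(value) == 2 and str(value[0]).startswith("java."):
        return untype(value[1])
    if isinstance(value, list):
        return [untype(v) for v in value]
    if isinstance(value, dict):
        return {k: untype(v) for k, v in value.items()}
    return value

def allowed_attributes(service):
    """Union of allowedAttributes over a single or chained release policy."""
    policy = untype(service["attributeReleasePolicy"])
    allowed = set()
    for p in policy.get("policies", [policy]):
        allowed.update(p.get("allowedAttributes", []))  # a mapped dict yields its keys
    return allowed

def jwt_claims(token):
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check_release(token, service_json):
    """Return (allowed but missing, released but not allowed) claim names."""
    allowed = allowed_attributes(json.loads(service_json))
    present = set(jwt_claims(token)) - REGISTERED
    return allowed - present, present - allowed
```

Scope-based policies such as the profile or email scope policies release by scope rather than by an allowedAttributes list, so the check covers only the attributes you list explicitly; on the sample token it reports surrogateEnabled as missing and authenticationDate as released without being allowed.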