当非默认用户名属性用于 OAUTH 服务时,CAS 为 OIDC 服务提供非确定性用户名属性
我想知道我是否误解了 usernameAttributeProvider 的预期行为,或者它是否是一个错误(以及是否有替代解决方案)。 我有以下服务:
{
"@class": "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
...
"usernameAttributeProvider": {
"@class": "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
"usernameAttribute": "uidNumber",
"canonicalizationMode": "NONE"
},
...
}
目标是为此服务提供另一个标识符 (uidNumber),而不是用于其他服务的标识符(其他服务的默认标识符是 uid)。 注意:(uid 和 uidNumber)都来自 LDAP。
这运行良好(我可以连接到该服务),但我检测到了意外行为。 当用户连接到上述服务时,在 CAS 日志中,WHO: 是除 之外的每个 ,它是 ACTION 的 uid SERVICE_TICKET_VALIDATEDuidNumber。 连接到上述服务后(并且仅在连接到该特定服务后),如果用户访问 OidcRegisteredService 服务,sub OIDC 响应中的内容是 uidNumber,而它期望接收 uid(这导致无法对用户进行身份验证)。 OidcRegisteredService 服务配置不为 usernameAttribute 提供任何特定配置:
{
"@class": "org.apereo.cas.services.OidcRegisteredService",
"serviceId": "...",
"name": "...",
"id": ...,
"clientId": "...",
"clientSecret": "...",
"bypassApprovalPrompt": true,
"scopes": ["java.util.HashSet", ["openid", "profile", "email", "offline_access"]]
}
这意味着根据用户是否连接到第一个描述的 OAuthRegisteredService,他可以连接到是否使用 OidcRegisteredService 服务。 请注意,它不会影响其他 RegexRegisteredService 服务或指定其自己的 usernameAttributeProvider 的 SamlRegisteredService。
我还尝试强制 usernameAttributeProvider:它不会改变 sub 中收到的内容(仍然是 uid 或 uidNumber > 取决于用户之前是否连接到 OAuthRegisteredService):
{
"@class": "org.apereo.cas.services.OidcRegisteredService",
"serviceId": "...",
"name": "...",
"id": ...,
"clientId": "...",
"clientSecret": "...",
"bypassApprovalPrompt": true,
"scopes": ["java.util.HashSet", ["openid", "profile", "email", "offline_access"]],
"usernameAttributeProvider": {
"@class": "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
"usernameAttribute": "uid"
}
}
注意:CAS 版本是 5.2.7
我是否遗漏了什么?
I was wondering if I'm miss-understanding the expected behavior of usernameAttributeProvider or if it's a bug (and if there is an alternate solution).
I have the following service:
{
"@class": "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
...
"usernameAttributeProvider": {
"@class": "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
"usernameAttribute": "uidNumber",
"canonicalizationMode": "NONE"
},
...
}
The goal is to provide to this service another identifier (uidNumber) than the one used for other services (default identifier for other services is uid).
N.B.: both (uid and uidNumber) come from LDAP.
This works well (I can connect to the service), but I detected an unexpected behavior.
When a user connects to the above-mentioned service, in CAS logs, the WHO: is the uid for every ACTION except for SERVICE_TICKET_VALIDATED for which it is the uidNumber.
After connecting to the above-mentioned service (and only after connecting to this specific service), if the user accesses an OidcRegisteredService service, the sub in the OIDC response is the uidNumber whereas it is expecting to receive the uid (which makes it fail to authenticate the user). The OidcRegisteredService service configuration doesn't provide any specific config for the usernameAttribute:
{
"@class": "org.apereo.cas.services.OidcRegisteredService",
"serviceId": "...",
"name": "...",
"id": ...,
"clientId": "...",
"clientSecret": "...",
"bypassApprovalPrompt": true,
"scopes": ["java.util.HashSet", ["openid", "profile", "email", "offline_access"]]
}
That means that depending on whether the user connected to the first described OAuthRegisteredService or not, he can connect to the OidcRegisteredService service or not.
Note that it doesn't affect other RegexRegisteredService services or a SamlRegisteredService that specifies its own usernameAttributeProvider.
I also tried forcing the usernameAttributeProvider: it doesn't change what is received in the sub (still uid or uidNumber depending on whether the user connected to the OAuthRegisteredService before or not):
{
"@class": "org.apereo.cas.services.OidcRegisteredService",
"serviceId": "...",
"name": "...",
"id": ...,
"clientId": "...",
"clientSecret": "...",
"bypassApprovalPrompt": true,
"scopes": ["java.util.HashSet", ["openid", "profile", "email", "offline_access"]],
"usernameAttributeProvider": {
"@class": "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
"usernameAttribute": "uid"
}
}
N.B.: CAS version is 5.2.7
Am I missing something?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
你不是。最有可能的是,这是一个应该修复的错误,或者您可以自己修补服务器,因为您的 CAS 版本已停产多年。
修改 此行位于您的 CAS 叠加层中,并使用
service参数重新计算用户名/主题。You are not. Most likely, this is a bug that should be fixed, or you can patch server yourself since your CAS version has been EOL for many years.
Modify this line in your CAS overlay and use the
serviceparameter to re-calculate the username/subject.