goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

Federate login with Apereo CAS via OAuth2, but still need to input username. #3970

Open W0n9 opened 1 year ago

W0n9 commented 1 year ago

Describe your question

I have an Apereo CAS Server, and I want to use it as a user source that works together with authentik.

I have tried adding the CAS Server as an OpenID OAuth Source in authentik, and it works. But after a successful login in CAS, authentik still prompts for username/email, even though the CAS Server returns this data.

I think it may be caused by authentik not fitting the data format returned by the Apereo CAS Server.

Can I customize which key is mapped to which other key? Or how can I solve this problem?

Relevant info: Apereo CAS Server 5.3.0, and here are its docs about OAuth2.

Here is an example of the data the Apereo CAS Server returns:

{
  "id": "casuser",
  "attributes": {
    "email": "casuser@example.org",
    "name": "CAS"
  },
  "something": "else"
}

Screenshots: [image not included]

Version and Deployment (please complete the following information):

BeryJu commented 1 year ago

You can add an expression policy to the enrollment flow you have on the source that does this, for example:

# context["oauth_userinfo"] will contain the raw response of the OpenID User info endpoint
# context["prompt_data"] contains the mapped info, and the default source enroll flow checks for `username` to be set
context["prompt_data"]["username"] = context["oauth_userinfo"]["something"]
return True
W0n9 commented 1 year ago

> You can add an expression policy to the enrollment flow you have on the source that does this, for example:
>
> # context["oauth_userinfo"] will contain the raw response of the OpenID User info endpoint
> # context["prompt_data"] contains the mapped info, and the default source enroll flow checks for `username` to be set
> context["prompt_data"]["username"] = context["oauth_userinfo"]["something"]
> return True

Here is my expression policy:

context["prompt_data"]["username"] = context["oauth_userinfo"]["attributes"]["name"]
return True

I have tried this, but it raised an error.

Policy exception

Traceback (most recent call last):
  File "BUCT-enrollment-if-username", line 6, in <module>
  File "BUCT-enrollment-if-username", line 4, in handler
builtins.KeyError: 'oauth_userinfo'

It seems that authentik can't parse the data CAS returned, so there is no key called oauth_userinfo in context.
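The attribute mapping discussed in this thread, written out as an added example that is not part of the issue or of authentik's own code. It is a plain Python function whose body is what would go into an authentik expression policy (authentik runs the policy text as the body of a `handler` function, which is why `return True` works there). It takes the CAS profile shape quoted above, where the principal id sits at the top level and released attributes sit under `"attributes"`, and it returns `False` instead of raising `KeyError` when `oauth_userinfo` is missing, so the flow fails closed rather than with a policy exception. Using the principal `id` as the username, the `USERNAME_RE` restriction and the `map_cas_userinfo` name are my assumptions, not something the thread or authentik prescribes.

```python
import re

# Constructed sample matching the CAS OAuth2 profile response quoted in the issue.
SAMPLE_CAS_USERINFO = {
    "id": "casuser",
    "attributes": {"email": "casuser@example.org", "name": "CAS"},
    "something": "else",
}

# Assumed conservative username shape, so an arbitrary upstream string is not
# copied verbatim into a local account name.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,150}$")


def map_cas_userinfo(context):
    """Fill context["prompt_data"] from context["oauth_userinfo"].

    Returns True when a usable username was found and False otherwise, so the
    enrollment flow stops instead of crashing with a KeyError.
    """
    userinfo = context.get("oauth_userinfo")
    if not isinstance(userinfo, dict):
        # The key is absent when the policy runs before the OAuth source has
        # stored its response in the flow context (the KeyError in the issue).
        return False

    attrs = userinfo.get("attributes")
    if not isinstance(attrs, dict):
        attrs = {}

    # Assumption: prefer the stable CAS principal id for the username, and fall
    # back to the released "name" attribute the reporter's policy used.
    username = userinfo.get("id") or attrs.get("name")
    if not isinstance(username, str) or not USERNAME_RE.match(username):
        return False

    prompt_data = context.setdefault("prompt_data", {})
    prompt_data["username"] = username

    # Optional fields: only copy them when they look well-formed.
    email = attrs.get("email") or userinfo.get("email")
    if isinstance(email, str) and "@" in email:
        prompt_data["email"] = email
    name = attrs.get("name")
    if isinstance(name, str) and name:
        prompt_data["name"] = name
    return True


if __name__ == "__main__":
    ctx = {"oauth_userinfo": SAMPLE_CAS_USERINFO, "prompt_data": {}}
    print(map_cas_userinfo(ctx), ctx["prompt_data"])
```

To use the body in authentik, paste everything inside `map_cas_userinfo` (without the `def` line and with `context` already provided by authentik) into the expression policy bound to the source's enrollment flow; the `return False` paths then deny the flow with a readable policy result rather than a traceback.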