Reputation: 301
Getting ERROR [org.pac4j.oauth.profile.casoauthwrapper.CasOAuthWrapperProfileDefinition - Unable to extract user profile as no JSON node 'attributes' was found in body] when the profile returned from the server is:
{"oauthClientId":"123456789","org.apereo.cas.authentication.Authentication":
{"authenticationDate":"2023-12-13T22:08:07.919719Z","principal":
{"@class":"org.apereo.cas.authentication.principal.SimplePrincipal","id":"daniel","attributes":{"email":"daniel","first_name":"Daniel","last_name":"Cruz","memberOf":"developers,...,external-retailers","uid":"1"}},
"credentials":{"@class":"org.apereo.cas.authentication.metadata.BasicCredentialMetaData","id":"daniel","credentialClass":"org.apereo.cas.authentication.credential.RememberMeUsernamePasswordCredential","properties":{"UserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15","GeoLocation":{}}},"attributes":{"clientIpAddress":"192.168.65.1","credentialType":"RememberMeUsernamePasswordCredential",...
It is obvious to me that the error is displaying exactly what the problem is. The "attributes" node should be at the same level as the "oauthClientId" node; however, it is nested under {"@class":"org.apereo.cas.authentication.principal.SimplePrincipal","id":"daniel","attributes"... Obviously the class https://github.com/pac4j/pac4j/blob/0dfd6f7241d5adf392a2fb9912c7d8db861c967d/pac4j-oauth/src/main/java/org/pac4j/oauth/profile/casoauthwrapper/CasOAuthWrapperProfileDefinition.java#L57 is looking for it at the root level and will never find it, as it is nested. Reading the documentation at https://apereo.github.io/cas/6.6.x/integration/Attribute-Release.html, I still can't figure out how to bring attributes to the top level (the same level as "oauthClientId").
Shiro configuration is pretty straightforward:
[main]
oauthConfig = org.pac4j.oauth.config.OAuth20Configuration
oauthConfig.key = 123456789
oauthConfig.secret = jlkjkjfalkjasjfajslkjaljf9900122alsdjfadj
oauthClient = org.pac4j.oauth.client.CasOAuthWrapperClient
oauthClient.configuration = $oauthConfig
oauthClient.casOAuthUrl = https://localhost/cas/oauth2.0
oauthClient.casLogoutUrl = https://localhost/cas/logout
clients.callbackUrl = https://localhost/MyApp/callback
clients.clients = $oauthClient
casSecurityFilter = org.pac4j.jee.filter.SecurityFilter
casSecurityFilter.config = $config
callbackFilter = org.pac4j.jee.filter.CallbackFilter
callbackFilter.config = $config
[urls]
/secure/** = casSecurityFilter
/api/** = casSecurityFilter
/callback = callbackFilter
/logout = logout
/** = anon
jdk 14.0.2
Tomee: 8.0.14
Maven:
...
<dependency>
    <groupId>io.buji</groupId>
    <artifactId>buji-pac4j</artifactId>
    <version>8.0.0</version>
</dependency>
<dependency>
    <groupId>org.pac4j</groupId>
    <artifactId>pac4j-cas</artifactId>
    <version>5.7.1</version>
</dependency>
<dependency>
    <groupId>org.pac4j</groupId>
    <artifactId>pac4j-oauth</artifactId>
    <version>5.7.0</version>
</dependency>
<dependency>
    <groupId>org.pac4j</groupId>
    <artifactId>pac4j-core</artifactId>
    <version>5.7.1</version>
</dependency>
<dependency>
    <groupId>org.pac4j</groupId>
    <artifactId>javaee-pac4j</artifactId>
    <version>7.1.0</version>
</dependency>
...
Kind of stuck at this point with this one. Anyone have any luck with this configuration?
Upvotes: 0
Views: 102
Reputation: 2699
The CasOAuthWrapperClient may be too sensitive here and should support that kind of request.
The work-around solution is certainly to flatten the profile returned by the CAS server using this configuration: cas.authn.oauth.core.user-profile-view-type=FLAT
Upvotes: 1
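A diagnostic sketch for the mismatch discussed in this thread, added here as an example and not code from either post, pac4j or CAS: it parses a profile response body and reports whether an "attributes" node exists at the root (where the error message says it was looked for) and at which paths it actually occurs. Both sample bodies are constructed; the nested one is shaped like the body in the question with values shortened, and the helper names are hypothetical.

```python
import json

# Constructed sample shaped like the body in the question (values shortened).
NESTED_BODY = json.dumps({
    "oauthClientId": "123456789",
    "org.apereo.cas.authentication.Authentication": {
        "principal": {
            "@class": "org.apereo.cas.authentication.principal.SimplePrincipal",
            "id": "daniel",
            "attributes": {"email": "daniel", "uid": "1"},
        },
        "attributes": {"credentialType": "RememberMeUsernamePasswordCredential"},
    },
})

# Constructed sample with a root-level "attributes" node.
ROOT_BODY = json.dumps({"id": "daniel", "attributes": {"email": "daniel", "uid": "1"}})


def find_key_paths(node, key, path="$"):
    """Return the path of every object member named `key`, depth first."""
    found = []
    if isinstance(node, dict):
        for name, value in node.items():
            child = f"{path}[{name!r}]"
            if name == key:
                found.append(child)
            found.extend(find_key_paths(value, key, child))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            found.extend(find_key_paths(value, key, f"{path}[{i}]"))
    return found


def diagnose(body, key="attributes"):
    """Report whether `key` sits at the root and every path where it occurs."""
    doc = json.loads(body)
    at_root = isinstance(doc, dict) and key in doc
    return {"at_root": at_root, "paths": find_key_paths(doc, key)}


if __name__ == "__main__":
    for label, body in (("nested", NESTED_BODY), ("root", ROOT_BODY)):
        print(label, diagnose(body))
```

Running it against a body captured from the profile endpoint before and after changing the CAS view type shows whether the node the client expects has moved to the root.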