• Resolved fgf2001

    (@fgf2001)


    Hello, I hope you can guide me. When I log in using CAS SSO and Authorizer, specifically with social networks like Google and Facebook implemented in CAS SSO with Pac4j, instead of taking the email as the email data it takes the ID that is generated when the login is successful; that is, it assigns something like this as the email: rg.pac4j.oauth.profile.google2.google2profile#1878541481629174115@com
    Like this:

    Example image: https://drive.google.com/file/d/14JIinyfdVPYvTrnWLnQn_S2F0by3rh0N/view?usp=sharing

    Thanks in advance

    • This topic was modified 3 years, 8 months ago by fgf2001.
Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author Paul Ryan

    (@figureone)

    You should be able to inspect the attributes your CAS server returns and find out which one contains the user’s email address(es), and then specify that attribute in the CAS attribute containing email address setting in Authorizer.

    Conversely, if you have access to configure your CAS server directly, you can specify that attribute. Normally it is mail.

    I’ve never used pac4j before, so let us know what you find out so it can help others in similar situations!

    Thread Starter fgf2001

    (@fgf2001)

    Hello Paul, thank you for answering me. Without a doubt, when I solve this I will tell you the solution.

    Do you have any idea how I can see the data that is coming to WordPress? I know what I am sending, and in the Authorizer configuration I am placing the name of the email field that I am sending from my CAS server; I am placing it correctly. Do you know any way I can write to the log, see a message, or use some other way to see what data is coming to WordPress?

    Plugin Author Paul Ryan

    (@figureone)

    Aloha, you can hook into authorizer_automatically_approve_login and inspect the 2nd parameter, $user_data, to see the data returned from the CAS server.

    Here’s an example from the readme:
    https://github.com/uhm-coe/authorizer/blob/fd8b2840596870f0486d40e25a3eeb92481002a3/readme.txt#L340-L358

    In your hook you can then throw in some debugging lines, like error_log( print_r( $variable_to_inspect, true ) );

    Hope that helps!
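    An added example (not from the Authorizer readme or from this thread) of the debugging hook described above. It logs which attributes the CAS server returned without copying personal data into the log: attribute names and value types are logged, and the email is masked, so it is clear whether Authorizer received a real address or a pac4j profile identifier. It assumes the filter is called as in the readme, with $approve_login and $user_data, that $user_data['username'] exists (an assumption) and that $user_data['cas_attributes'] holds the attributes phpCAS parsed from <cas:attributes> (an assumption based on a later reply in this thread).

```php
<?php
/**
 * Added example: summarise the CAS user data Authorizer received.
 * Assumes apply_filters( 'authorizer_automatically_approve_login', $approve_login, $user_data ),
 * and that $user_data carries 'email', 'username' and 'cas_attributes' keys (assumptions).
 */
function example_log_cas_user_data( $approve_login, $user_data ) {
	// Only log while debugging, so production logs stay quiet.
	if ( ! defined( 'WP_DEBUG' ) || ! WP_DEBUG ) {
		return $approve_login;
	}

	$attrs = array();
	if ( is_array( $user_data ) && ! empty( $user_data['cas_attributes'] ) && is_array( $user_data['cas_attributes'] ) ) {
		$attrs = $user_data['cas_attributes'];
	}

	// Log the attribute names and value types, not the values themselves.
	$summary = array();
	foreach ( $attrs as $name => $value ) {
		$summary[ $name ] = is_array( $value ) ? 'array(' . count( $value ) . ')' : gettype( $value );
	}

	// Log a masked email so you can confirm it is an address rather than
	// a pac4j identifier such as "org.pac4j.oauth.profile.google2.Google2Profile#11".
	$email = isset( $user_data['email'] ) ? $user_data['email'] : '';
	if ( is_array( $email ) ) {
		$email = reset( $email );
	}

	error_log( sprintf(
		'[authorizer-debug] username=%s email=%s attributes=%s',
		isset( $user_data['username'] ) ? $user_data['username'] : '(none)',
		example_mask_email( (string) $email ),
		wp_json_encode( $summary )
	) );

	// A debugging hook must never change the approval decision.
	return $approve_login;
}
add_filter( 'authorizer_automatically_approve_login', 'example_log_cas_user_data', 10, 2 );

/**
 * Keep the first character of the local part and the whole domain,
 * e.g. "fernando@example.com" becomes "f***@example.com".
 * Non-addresses are flagged and truncated so the log shows the problem
 * without recording the full identifier.
 */
function example_mask_email( $email ) {
	if ( strpos( $email, '@' ) === false ) {
		return '(not-an-email:' . substr( $email, 0, 12 ) . ')';
	}
	list( $local, $domain ) = explode( '@', $email, 2 );
	return substr( $local, 0, 1 ) . '***@' . $domain;
}
```

    Dropping the snippet into the theme's functions.php and attempting a login writes one line per attempt to the PHP error log; a full print_r() of $user_data, as suggested above, works too but leaves every released attribute in the log, so remove it once the problem is found.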

    Thread Starter fgf2001

    (@fgf2001)

    Hello again, I have been able to advance a lot. Basically what I had to do to send the email from my CAS server to the WordPress client was to add this to my service definition:

    "attributeReleasePolicy": {
      "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
      "allowedAttributes": ["java.util.ArrayList", ["email", "name", "first_name", "last_name"]]
    }

    But now the problem I have is the following, and here comes my question:
    The email is added correctly, but I also need the username and alias to be the same email. Please see the screenshot here: https://drive.google.com/file/d/1Sq0psl1XorhwaCMmpAbcG83NN_aSscD5/view?usp=sharing

    The other thing is that the name and surname, even though they are sent, are not taken correctly; it leaves them empty.
    This is my log:

    <cas:authenticationSuccess>
    5492 .|    |    |    |    |    |            <cas:user>org.pac4j.oauth.profile.google2.Google2Profile#11</cas:user>
    5492 .|    |    |    |    |    |            <cas:attributes>
    5492 .|    |    |    |    |    |                <cas:credentialType>ClientCredential</cas:credentialType>
    5492 .|    |    |    |    |    |                <cas:isFromNewLogin>true</cas:isFromNewLogin>
    5492 .|    |    |    |    |    |                <cas:authenticationDate>2021-08-23T19:05:44.243281Z</cas:authenticationDate>
    5492 .|    |    |    |    |    |                <cas:authenticationMethod>DelegatedClientAuthenticationHandler</cas:authenticationMethod>
    5492 .|    |    |    |    |    |                <cas:clientName>Google</cas:clientName>
    5492 .|    |    |    |    |    |                <cas:successfulAuthenticationHandlers>DelegatedClientAuthenticationHandler</cas:successfulAuthenticationHandlers>
    5492 .|    |    |    |    |    |                <cas:name>Fernando Gonzalez</cas:name>
    5492 .|    |    |    |    |    |                <cas:longTermAuthenticationRequestTokenUsed>false</cas:longTermAuthenticationRequestTokenUsed>
    5492 .|    |    |    |    |    |                <cas:email>[email protected]</cas:email>
    5492 .|    |    |    |    |    |                </cas:attributes>
    5492 .|    |    |    |    |    |        </cas:authenticationSuccess>
    5492 .|    |    |    |    |    |    </cas:serviceResponse>
    5492 .|    |    |    |    |    |    
    5492 .|    |    |    |    |    |     [CurlRequest.php:84]
    5492 .|    |    |    |    |    <= true
    5492 .|    |    |    |    <= true
    5492 .|    |    |    |    => CAS_Client::_readExtraAttributesCas20(DOMNodeList) [Client.php:3470]
    5492 .|    |    |    |    |    Parse extra attributes:     [Client.php:3822]
    5492 .|    |    |    |    |    Array
    5492 .|    |    |    |    |    (
    5492 .|    |    |    |    |        [attributes] => Array
    5492 .|    |    |    |    |            (
    5492 .|    |    |    |    |                [credentialType] => ClientCredential
    5492 .|    |    |    |    |                [isFromNewLogin] => true
    5492 .|    |    |    |    |                [authenticationDate] => 2021-08-23T19:05:44.243281Z
    5492 .|    |    |    |    |                [authenticationMethod] => DelegatedClientAuthenticationHandler
    5492 .|    |    |    |    |                [clientName] => Google
    5492 .|    |    |    |    |                [successfulAuthenticationHandlers] => DelegatedClientAuthenticationHandler
    5492 .|    |    |    |    |                [name] => Fernando Gonzalez
    5492 .|    |    |    |    |                [longTermAuthenticationRequestTokenUsed] => false
    5492 .|    |    |    |    |                [email] => [email protected]
    5492 .|    |    |    |    |            )

    What can I do?
    Thank you very much in advance!

    Plugin Author Paul Ryan

    (@figureone)

    It looks like the last piece missing is configuring your CAS server to return a username or email address in the cas:user attribute instead of something like org.pac4j.oauth.profile.google2.Google2Profile#11.

    Authorizer uses the phpCAS::getUser() function to retrieve the username, and uses that to create the WP_User:
    https://apereo.github.io/phpCAS/api/group__publicAuth.html#ga4c9f984b474b550cf316396e87670b18
    https://github.com/uhm-coe/authorizer/blob/fd8b2840596870f0486d40e25a3eeb92481002a3/src/authorizer/class-authentication.php#L810-L811

    I haven’t actually configured a CAS server before, so I’m just guessing here. But maybe you can get at the email address with:
    https://www.pac4j.org/apidocs/pac4j/3.4.0/org/pac4j/oauth/profile/google2/Google2Profile.html#getEmail--

    The cas-user mailing list might be able to offer some help too!
    https://apereo.atlassian.net/wiki/spaces/JSG/pages/96501870/cas-user

    Thread Starter fgf2001

    (@fgf2001)

    Perfect, I am clear about what you tell me. Please, one more question: where do you map the data that I get from the CAS server to the WordPress user? I need to make a request to a service of mine, before your plugin maps it, with my updated data.

    Thx!!!!

    Plugin Author Paul Ryan

    (@figureone)

    Here is an example showing how to change the role of the user logging in based on some of their CAS attributes in the authorizer_custom_role hook:
    https://github.com/uhm-coe/authorizer/wiki/Integrating-WordPress-Roles-with-UH-Groupings#step-4-add-your-integration-code-to-your-wordpress-theme

    In your case, I would use that same filter hook (in your theme’s functions.php file, or wherever you prefer). Something like:

    function authorizer_update_user_attributes( $default_role, $user_data ) {
    	if ( ! empty( $user_data['email'] ) ) {
    		// Authorizer may pass a single address or an array of addresses.
    		if ( ! is_array( $user_data['email'] ) ) {
    			$user_data['email'] = array( $user_data['email'] );
    		}
    		foreach ( $user_data['email'] as $email ) {
    			$user = get_user_by( 'email', $email );
    			if ( false === $user ) {
    				// No existing WP_User for this address; see the note below about new users.
    				continue;
    			}

    			// Custom logic here to map any $user_data['cas_attributes'] to user meta.
    			// Example (guard against the attribute being absent from this login):
    			if ( isset( $user_data['cas_attributes']['your_cas_attribute'] ) ) {
    				update_user_meta(
    					$user->ID,
    					'your_custom_user_meta',
    					sanitize_text_field( $user_data['cas_attributes']['your_cas_attribute'] )
    				);
    			}
    		}
    	}

    	// This filter decides the role, so return it unchanged.
    	return $default_role;
    }
    add_filter( 'authorizer_custom_role', 'authorizer_update_user_attributes', 10, 2 );

    Note: this will only work for existing users (new users won’t have a WP_User created yet). If you want to do the same for new users, you can hook into authorizer_user_register and inspect the CAS attributes there, and do your custom logic. See:
    https://github.com/uhm-coe/authorizer/blob/fd8b2840596870f0486d40e25a3eeb92481002a3/src/authorizer/class-authorization.php#L268-L287
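    An added example (not the plugin's own code) that covers both cases from the reply above with one shared routine: existing users via the authorizer_custom_role filter and newly created users via the authorizer_user_register action. It copies only an allow-listed set of CAS attributes onto the WordPress user, sanitising each value, so an unexpected attribute can never write arbitrary user meta; attributes that the server did not release (first_name and last_name in the log posted earlier) are simply skipped. It assumes $user_data['cas_attributes'] holds the attributes phpCAS parsed (the keys shown in that log) and that authorizer_user_register is fired as do_action( 'authorizer_user_register', $user, $user_data ) with a WP_User first (an assumption; verify against the class-authorization.php lines linked above). The example_ names are placeholders.

```php
<?php
/**
 * Added example: map allow-listed CAS attributes onto a WP_User.
 * Assumes $user_data['cas_attributes'] is the parsed <cas:attributes> array and
 * that authorizer_user_register passes ( WP_User $user, array $user_data ) (assumption).
 */

/**
 * Allow-list: CAS attribute name => array( WP field or meta key, sanitizer ).
 * Anything not listed here is ignored.
 */
function example_cas_attribute_map() {
	return array(
		'first_name' => array( 'first_name',         'sanitize_text_field' ),
		'last_name'  => array( 'last_name',          'sanitize_text_field' ),
		'name'       => array( 'display_name',       'sanitize_text_field' ),
		'clientName' => array( 'example_cas_client', 'sanitize_key' ), // user meta, e.g. "google"
	);
}

/** phpCAS returns arrays for multi-valued attributes; take the first scalar. */
function example_cas_scalar( $value ) {
	if ( is_array( $value ) ) {
		$value = reset( $value );
	}
	return is_scalar( $value ) ? (string) $value : '';
}

/**
 * Apply the map to one user. Returns the list of fields that were updated,
 * which makes the behaviour easy to log or unit-test.
 */
function example_apply_cas_attributes( WP_User $user, array $user_data ) {
	$updated = array();
	if ( empty( $user_data['cas_attributes'] ) || ! is_array( $user_data['cas_attributes'] ) ) {
		return $updated;
	}
	$attrs       = $user_data['cas_attributes'];
	$core_fields = array( 'first_name', 'last_name', 'display_name' ); // go through wp_update_user()
	$core_update = array( 'ID' => $user->ID );

	foreach ( example_cas_attribute_map() as $cas_name => $target ) {
		list( $field, $sanitizer ) = $target;
		if ( ! isset( $attrs[ $cas_name ] ) ) {
			continue; // attribute not released for this login
		}
		$value = call_user_func( $sanitizer, example_cas_scalar( $attrs[ $cas_name ] ) );
		if ( '' === $value ) {
			continue;
		}
		if ( in_array( $field, $core_fields, true ) ) {
			$core_update[ $field ] = $value;
		} else {
			update_user_meta( $user->ID, $field, $value );
		}
		$updated[] = $field;
	}

	if ( count( $core_update ) > 1 ) {
		wp_update_user( $core_update );
	}
	return $updated;
}

// Existing users: same filter as above; the role is returned unchanged.
function example_cas_attributes_existing_user( $default_role, $user_data ) {
	$email = isset( $user_data['email'] ) ? $user_data['email'] : '';
	foreach ( (array) $email as $address ) {
		$user = get_user_by( 'email', $address );
		if ( $user instanceof WP_User ) {
			example_apply_cas_attributes( $user, $user_data );
		}
	}
	return $default_role;
}
add_filter( 'authorizer_custom_role', 'example_cas_attributes_existing_user', 10, 2 );

// New users: the WP_User exists by the time this action runs.
function example_cas_attributes_new_user( $user, $user_data ) {
	if ( $user instanceof WP_User && is_array( $user_data ) ) {
		example_apply_cas_attributes( $user, $user_data );
	}
}
add_action( 'authorizer_user_register', 'example_cas_attributes_new_user', 10, 2 );
```

    Keeping the mapping in an allow-list rather than copying every attribute matters because the CAS server, not WordPress, decides what is released; a later change to the release policy then cannot silently start writing new meta keys.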

  • The topic ‘Help with Email and Username when logging in with Google or Facebook using CAS S’ is closed to new replies.