CAS 7 and OIDC problems


spfma...@e.mail.fr
Jan 17, 2024, 5:25:15 AM
to cas-...@apereo.org
Hi,
 
I am trying to set up the OIDC module, and I am experiencing some problems.
 
My CAS server (let's name it "appserver.my.domain") is running on port 8080, with HAProxy exposing public URLs (let's name it "public.my.domain").
 
So after rebuilding the webapp including "org.apereo.cas:cas-server-support-oidc", I have added the following lines to my working "cas.properties":
 
cas.authn.oauth.crypto.encryption.key=0ZJCKvFSVO6PUKlzUqWzE5eXDerK_T7G1oSfGHfaAGM
cas.authn.oauth.crypto.signing.key=_d6j3pacsAy_V7WP55RB-H0HtwfSawKav6aV8rUPuRPBDqDhAeJXpqjrtZwqTiUPkNOz2jcb5nLqJJ73ygqROw
cas.authn.oauth.access-token.crypto.encryption.key=8wK97XDbYzeDhSzZgfcFWp3SHW_Lr-h69cGtWYZjJz0
cas.authn.oidc.core.issuer=https://public.my.domain/cas/oidc
cas.authn.oidc.core.accepted-issuers-pattern=http:\/\/.*
 
The last line is the only syntax I have found accepting both "https://public.my.domain/cas/oidc" and "http://appserver.my.domain:8080/cas/oidc" as valid issuers, otherwise requests are denied.
Is it OK?
 
Then I added a basic service:
 
{
"@class" : "org.apereo.cas.services.OidcRegisteredService",
"scopes" : [ "java.util.HashSet", [ "profile", "openid", "email" ] ],
"clientId": "client",
"clientSecret": "secret",
"serviceId" : "http://localhost:8080/(.*)",
"name" : "test",
"id" : 2,
"idTokenIssuer": "https://public.my.domain/cas/oidc"
}
 
 
It seems to be working:
 
2024-01-17 11:04:01,722 DEBUG [org.apereo.cas.services.resource.AbstractResourceBasedServiceRegistry] - <Attempting to read and parse [/etc/cas/services/002_OIDC.json]>
2024-01-17 11:04:01,722 DEBUG [org.apereo.cas.services.resource.AbstractResourceBasedServiceRegistry] - <Attempting to read and parse [/etc/cas/services/002_OIDC.json]>
2024-01-17 11:04:01,722 DEBUG [org.apereo.cas.oidc.services.OidcServiceRegistryListener] - <Scope [openid] is found for service [2]>
2024-01-17 11:04:01,722 DEBUG [org.apereo.cas.oidc.services.OidcServiceRegistryListener] - <Mapped [email] to attribute release policy [OidcEmailScopeAttributeReleasePolicy]>
2024-01-17 11:04:01,722 DEBUG [org.apereo.cas.oidc.services.OidcServiceRegistryListener] - <Mapped [profile] to attribute release policy [OidcProfileScopeAttributeReleasePolicy]>
 
The RP is a Docker image I have found here: https://hub.docker.com/r/leplusorg/openid-connect-provider-debugger
 
When I try to reach the app's main URL (http://localhost:8080/), I am redirected to CAS but I get the following exception: "java.lang.IllegalArgumentException: Unable to locate authentication profile"
 
And on the server side:
 
2024-01-17 11:03:48,217 DEBUG [org.springframework.security.web.FilterChainProxy] - <Securing GET /oidc/oidcAuthorize?nonce=cddf2055bdb501ea76a4d95d9a58d2ba&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2F&scope=openid%20email%20profile&client_id=client&state=813b1409ca966667f5f820e6923ff284>
2024-01-17 11:03:48,217 DEBUG [org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping] - <Mapped to org.apereo.cas.oidc.web.controllers.authorize.OidcAuthorizeEndpointController#handleRequest(HttpServletRequest, HttpServletResponse)>
2024-01-17 11:03:48,218 DEBUG [org.springframework.security.web.FilterChainProxy] - <Secured GET /oidc/oidcAuthorize?nonce=cddf2055bdb501ea76a4d95d9a58d2ba&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2F&scope=openid%20email%20profile&client_id=client&state=813b1409ca966667f5f820e6923ff284>
2024-01-17 11:03:48,218 DEBUG [org.springframework.web.servlet.DispatcherServlet] - <GET "/cas/oidc/oidcAuthorize?nonce=cddf2055bdb501ea76a4d95d9a58d2ba&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2F&scope=openid%20email%20profile&client_id=client&state=813b1409ca966667f5f820e6923ff284", parameters={masked}>
2024-01-17 11:03:48,218 DEBUG [org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping] - <Mapped to org.apereo.cas.oidc.web.controllers.authorize.OidcAuthorizeEndpointController#handleRequest(HttpServletRequest, HttpServletResponse)>
2024-01-17 11:03:48,220 DEBUG [org.apereo.cas.web.FlowExecutionExceptionResolver] - <Ignoring the received exception [java.lang.IllegalArgumentException: Unable to locate authentication profile] due to a type mismatch with handler [org.apereo.cas.oidc.web.controllers.authorize.OidcAuthorizeEndpointController#handleRequest(HttpServletRequest, HttpServletResponse)]>
2024-01-17 11:03:48,220 DEBUG [org.apereo.cas.web.FlowExecutionExceptionResolver] - <Ignoring the received exception [java.lang.IllegalArgumentException: Unable to locate authentication profile] due to a type mismatch with handler [org.apereo.cas.oidc.web.controllers.authorize.OidcAuthorizeEndpointController#handleRequest(HttpServletRequest, HttpServletResponse)]>
at org.apereo.cas.oidc.web.controllers.authorize.OidcAuthorizeEndpointController.handleRequest(OidcAuthorizeEndpointController.java:58) ~[cas-server-support-oidc-core-api-6.6.10.jar!/:6.6.10]
 
Can someone tell me what this error clearly means? I had a look at the source code, but found nothing obvious.
 
Is there something wrong or missing with the configuration above?
 
Thanks for any kind of help
 
Regards
 
Ray Bon
Jan 17, 2024, 9:34:38 PM
to cas-...@apereo.org

spfma...@e.mail.fr
Jan 18, 2024, 5:27:20 AM
to cas-...@apereo.org
Hi Ray,
 
Thanks for your answer, but it looks even more mysterious than the error message itself :-))
 
Regards


On 18-Jan-2024 03:34:40 +0100, rb...@uvic.ca wrote:

 

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.

King, Robert
Jan 18, 2024, 9:00:17 AM
to cas-...@apereo.org

It appears as if the cas-user list may be stripping some folks' email responses. There have been a few of these over the last week.

 

Ray Bon
Jan 18, 2024, 3:32:27 PM
to cas-...@apereo.org
Let us try this again.

Cas does not need to know about appserver.my.domain; only HAProxy needs this.
cas.server.scope=public.my.domain
cas.server.name=https://${cas.server.scope}
cas.server.prefix=${cas.server.name}/cas
cas.authn.oidc.core.issuer=${cas.server.prefix}/oidc

Are you missing this config item (if missing, it should not be related to this problem):
cas.authn.oauth.access-token.crypto.signing.key

Your title says cas 7 but your log says 6.6. Could there be a library conflict?

Ray

On Wed, 2024-01-17 at 11:10 +0100, spfma.tech via CAS Community wrote:

spfma...@e.mail.fr
Jan 19, 2024, 3:13:57 PM
to cas-...@apereo.org
Hi,
 
Thanks for retrying.
 
About the version, it was a typo. I am noodling with a snapshot of V7 sometimes, but this was indeed running with 6.6.10.
 
Your configuration directives helped me realize we never used "cas.server.scope" in our config file, and this structure of variables looks clear and nice.
So I adopted it and, for some unknown reason, I had the idea of removing the "s" from the protocol in "cas.server.name" as there is no TLS on "appserver".
And guess what... it worked, I now have a login flow with login and authorization.
 
But honestly, the error message was not giving any clue!
 
What "authentication profile" is it about? The OAuth2 part of OIDC, unavailable because the OIDC issuer could not be reached because the issuer URL is bad?
 
The relevant code in "support/cas-server-support-oauth-core-api/src/main/java/org/apereo/cas/support/oauth/web/endpoints/OAuth20AuthorizeEndpointController.java" did not give me any clear explanation, only guesses:

protected ModelAndView redirectToCallbackRedirectUrl(final ProfileManager manager,
                                                     final OAuthRegisteredService registeredService,
                                                     final JEEContext context) {
    val profile = manager.getProfile().orElseThrow(() -> new IllegalArgumentException("Unable to locate authentication profile"));
    val service = getConfigurationContext().getAuthenticationBuilder()
        .buildService(registeredService, context, false);
    LOGGER.trace("Created service [{}] based on registered service [{}]", service, registeredService);
 
Anyway, I was able to make one step forward, thank you very much.
 
Regards
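A small check, added here and not taken from the thread or from CAS itself, that reads the two property layouts discussed above (the original one with accepted-issuers-pattern=http:\/\/.* and Ray's ${...} placeholder layout), resolves the placeholders the way the structured config relies on, and reports which issuer URLs each layout would accept. It assumes CAS accepts an issuer that equals the configured issuer or that the accepted-issuers pattern is found in by regex search; the hostnames, the third unrelated candidate and the anchored pattern are constructed for illustration.

```python
import re
# Constructed sample inputs (not the poster's files, secrets omitted): the thread's
# original layout, and Ray's placeholder layout with an anchored pattern. Regex
# backslashes are doubled because the properties loader strips one escape level.
PROPS_ORIGINAL = r"""
cas.authn.oidc.core.issuer=https://public.my.domain/cas/oidc
cas.authn.oidc.core.accepted-issuers-pattern=http:\/\/.*
"""
PROPS_HARDENED = r"""
cas.server.scope=public.my.domain
cas.server.name=https://${cas.server.scope}
cas.server.prefix=${cas.server.name}/cas
cas.authn.oidc.core.issuer=${cas.server.prefix}/oidc
cas.authn.oidc.core.accepted-issuers-pattern=^http://appserver\\.my\\.domain:8080/cas/oidc$
"""
# Issuer URLs as seen on requests: public, internal behind HAProxy, unrelated host.
CANDIDATES = [
    "https://public.my.domain/cas/oidc",
    "http://appserver.my.domain:8080/cas/oidc",
    "http://other-host.example/cas/oidc",
]

def parse_properties(text):
    """Minimal .properties reader: key=value lines, '#' comments, backslash unescaping."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = re.sub(r"\\(.)", r"\1", value.strip())  # '\/' -> '/'
    return props

def resolve(props, key, depth=0):
    """Expand ${other.key} placeholders recursively (the structured layout relies on this)."""
    if depth > 10:
        raise ValueError("placeholder cycle while resolving " + key)
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: resolve(props, m.group(1), depth + 1), props[key])

def issuer_accepted(props, candidate):
    """Assumed rule (confirm for your CAS version): accept if the candidate equals the
    configured issuer, or the accepted-issuers pattern is found in it."""
    issuer = resolve(props, "cas.authn.oidc.core.issuer").rstrip("/").lower()
    if candidate.rstrip("/").lower() == issuer:
        return True
    pattern = props.get("cas.authn.oidc.core.accepted-issuers-pattern", "")
    return bool(pattern) and re.search(pattern, candidate) is not None

def audit(text, candidates=CANDIDATES):
    # Return the candidate issuers the given configuration would accept.
    return [c for c in candidates if issuer_accepted(parse_properties(text), c)]
```

Run audit(PROPS_ORIGINAL) and audit(PROPS_HARDENED) side by side: the original pattern admits any http:// host, the anchored one admits only the internal appserver URL.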