CAS OIDC support - 6.2.5-SNAPSHOT


Ritesh Tripathi

Nov 12, 2020, 8:57:04 AM
to CAS Community

Folks

I am new to CAS and am trying to set up CAS as an OIDC provider for other services.

My limited understanding about CAS OIDC is as follows:
A. You make a call to required "server/cas/oidc/authorize" - with required parameters.
B. The CAS redirects the requests to "server/cas/oauth2.0/callbackAuthorize" end point.
C. You get the login page and upon successful authentication a service ticket for "/cas/oauth2.0/callbackAuthorize" is created for "CasOAuthClient".
D. Once the service ticket has been validated by "/cas/oauth2.0/callbackAuthorize", an access ticket of the form "OC-1-v0ukA6hDx1Wbv1jzyimIQFwL4EeMBPPX" is created for further processing.

My issue is as follows:
1. After the successful service ticket validation for the CasOAuthClient, rather than an access ticket being created, I am being redirected back to the login page.

The following are the lines where I suspect the issue:

2020-11-12 11:11:33,632 DEBUG [org.apereo.cas.support.oauth.web.OAuth20CasCallbackUrlResolver] - <Final resolved callback URL is [http://server:8443/cas/oauth2.0/callbackAuthorize?client_id=apache_client&redirect_uri=http%3A%2F%2Fapache.server.com%2Fsecure%2Fredirect_uri&response_type=code]>
2020-11-12 11:11:33,632 DEBUG [org.apereo.cas.support.oauth.web.response.OAuth20DefaultCasClientRedirectActionBuilder] - <Final redirect url is [http://server:8443/cas/login?service=http%3A%2F%2Fleo.mytbits.com%3A8443%2Fcas%2Foauth2.0%2FcallbackAuthorize%3Fclient_id%3Dapache_client%26redirect_uri%3Dhttp%253A%252F%252Fapache.server.com%252Fsecure%252Fredirect_uri%26response_type%3Dcode%26client_name%3DCasOAuthClient]>
2020-11-12 11:11:33,632 DEBUG [org.apereo.cas.oidc.web.OidcCasClientRedirectActionBuilder] - <Final redirect action is [Optional[#HttpAction# | code: 302 |]]>
2020-11-12 11:11:33,872 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN

On my local machine, once we have done the service ticket validation, I am getting the lines:

=============================================================
WHO: root
WHAT: ST-1-XsNPfqOVinN5BrMSXNvENcWuD08-DESKTOP-GLUMAQ0 for http://localhost:8443/cas/oauth2.0/callbackAuthorize?client_id=client&redirect_uri=http%3A%2F%2Flocalhost%3A80%2Fsecure%2F...
ACTION: SERVICE_TICKET_VALIDATE_SUCCESS
APPLICATION: CAS
WHEN: Thu Nov 12 16:30:02 IST 2020
CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1
SERVER IP ADDRESS: 0:0:0:0:0:0:0:1
=============================================================

2020-11-12 16:30:02,509 DEBUG [org.apereo.cas.util.HttpRequestUtils] - <Found provided request parameter [client_id]>
2020-11-12 16:30:02,509 DEBUG [org.apereo.cas.util.HttpRequestUtils] - <Found provided request parameter [redirect_uri]>
2020-11-12 16:30:02,509 DEBUG [org.apereo.cas.util.HttpRequestUtils] - <Found provided request parameter [response_type]>
2020-11-12 16:30:02,509 DEBUG [org.apereo.cas.support.oauth.util.OAuth20Utils] - <Response type: [code]>
2020-11-12 16:30:02,510 DEBUG [org.apereo.cas.support.oauth.validator.authorization.OAuth20AuthorizationCodeResponseTypeAuthorizationRequestValidator] - <Locating registered service for client id [client]>

And it proceeds with Access Token Creation.

I am running the same CAS .war file on the server and on my local machine and making the same GET call to both.

Really perplexed why in one case [on the server, where I am not running as localhost] I am stuck in an endless loop of authentication.

Any ideas are welcome, especially from people who have successfully implemented OIDC in CAS.

Thank you in advance.

Ritesh

Ritesh Tripathi

Nov 18, 2020, 11:50:23 AM
to CAS Community, Ritesh Tripathi

Summarizing the resolution for the benefit of others.

1. CAS issues several cookies that are marked "secure = true" by default in the Set-Cookie directives from the server.
2. Secure cookies are sent back to the server only when there is an SSL connection.
3. I was trying to run CAS without any SSL. So the server was setting the cookies; however, at the time of the redirect, the secure cookie was not being sent. This made the server assume that the cookie didn't exist and redirect back to authentication. This was what was leading to the infinite loop during the CAS OIDC integration [you authenticate and then get back to the login screen again].
4. The issue was resolved when we shifted back to an HTTPS connection by implementing SSL on the CAS server.

Hopefully this helps someone else.
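As an added illustration of the Secure-cookie behaviour behind points 1 to 3 (example code written for this thread, not CAS's own code), the following Python uses the standard library's cookie jar, which applies the Secure attribute the same way a browser does: the login leg sets the cookies, and the redirect leg to callbackAuthorize shows which of them come back over https versus plain http. The host, ticket values and client_id are constructed placeholders; the cookie names TGC and JSESSIONID are assumed to stand for CAS's ticket-granting cookie and the servlet container's session cookie.

```python
"""Why a Secure-flagged CAS cookie vanishes over plain HTTP.
http.cookiejar applies the Secure attribute the way a browser does: such a
cookie is returned only on https requests. All values below are constructed."""
import http.cookiejar
import urllib.request
from email.message import Message

CAS_HOST = "cas.example.test:8443"  # placeholder host, not the poster's server
# Constructed Set-Cookie headers: CAS's ticket-granting cookie (TGC) carries
# Secure by default; the servlet session cookie here does not, for contrast.
LOGIN_SET_COOKIES = [
    "TGC=TGT-placeholder; Path=/cas; Secure; HttpOnly",
    "JSESSIONID=placeholder; Path=/cas; HttpOnly",
]
CALLBACK = "/cas/oauth2.0/callbackAuthorize?client_id=apache_client&response_type=code"


class _SetCookieResponse:
    """Minimal object exposing the info() that CookieJar.extract_cookies reads."""
    def __init__(self, set_cookie_headers):
        self._hdrs = Message()
        for value in set_cookie_headers:
            self._hdrs["Set-Cookie"] = value  # Message appends repeated headers

    def info(self):
        return self._hdrs


def cookies_sent_on_callback(scheme):
    """Login leg sets the cookies; redirect leg shows which ones the jar returns."""
    jar = http.cookiejar.CookieJar()
    login = urllib.request.Request(f"{scheme}://{CAS_HOST}/cas/login")
    jar.extract_cookies(_SetCookieResponse(LOGIN_SET_COOKIES), login)
    callback = urllib.request.Request(f"{scheme}://{CAS_HOST}{CALLBACK}")
    jar.add_cookie_header(callback)  # same Secure rule a browser applies
    header = callback.get_header("Cookie", "")
    return sorted(part.split("=", 1)[0] for part in header.split("; ") if part)


def cas_decision(cookie_names):
    """Without a TGC the callback sees no SSO session and bounces to /cas/login."""
    return "issue_access_token" if "TGC" in cookie_names else "redirect_to_login"


def secure_cookies_that_will_be_dropped(scheme, set_cookie_headers):
    """Config check: Secure cookies issued over a non-TLS origin never come back."""
    if scheme == "https":
        return []
    return [h.split("=", 1)[0] for h in set_cookie_headers
            if "secure" in [a.strip().lower() for a in h.split(";")[1:]]]
```

Running `cookies_sent_on_callback` for both schemes reproduces the loop: over http only JSESSIONID returns, so `cas_decision` lands on the login redirect every time.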