CAS 6.1-RC4 OIDC configuration


Mallory, Erik

Aug 26, 2019, 5:53:51 PM
to cas-...@apereo.org
Hello,
I'm trying to configure OAuth/OIDC and I'm running into a head scratcher.
The CAS oidc/.well-known endpoint returns cas.example.org:8443 for all of the related endpoints.
Example:
{"issuer":"http://cas-dev.wichita.edu/cas/oidc","scopes_supported":["openid","profile","email","address","phone","offline_access"],"response_types_supported":["code","token","id_token token"],"subject_types_supported":["public","pairwise"],"claim_types_supported":["normal"],"claims_supported":["sub","name","preferred_username","family_name","given_name","middle_name","given_name","profile","picture","nickname","website","zoneinfo","locale","updated_at","birthdate","email","email_verified","phone_number","phone_number_verified","address","gender"],"grant_types_supported":["authorization_code","password","client_credentials","refresh_token"],"id_token_signing_alg_values_supported":["none","RS256","RS384","RS512","PS256","PS384","PS512","ES256","ES384","ES512","HS256","HS384","HS512"],"id_token_encryption_alg_values_supported":["RSA1_5","RSA-OAEP","RSA-OAEP-256","A128KW","A192KW","A256KW","A128GCMKW","A192GCMKW","A256GCMKW","ECDH-ES","ECDH-ES+A128KW","ECDH-ES+A192KW","ECDH-ES+A256KW"],"id_token_encryption_enc_values_supported":["A128CBC-HS256","A192CBC-HS384","A256CBC-HS512","A128GCM","A192GCM","A256GCM"],"userinfo_signing_alg_values_supported":["none","RS256","RS384","RS512","PS256","PS384","PS512","ES256","ES384","ES512","HS256","HS384","HS512"],"userinfo_encryption_alg_values_supported":["RSA1_5","RSA-OAEP","RSA-OAEP-256","A128KW","A192KW","A256KW","A128GCMKW","A192GCMKW","A256GCMKW","ECDH-ES","ECDH-ES+A128KW","ECDH-ES+A192KW","ECDH-ES+A256KW"],"userinfo_encryption_enc_values_supported":["A128CBC-HS256","A192CBC-HS384","A256CBC-HS512","A128GCM","A192GCM","A256GCM"],"introspection_endpoint_auth_methods_supported":["client_secret_basic"],"token_endpoint_auth_methods_supported":["client_secret_basic","client_secret_post","client_secret_jwt","private_key_jwt"],"claims_parameter_supported":true,"request_parameter_supported":false,"authorization_endpoint":"https://cas.example.org:8443/cas/oidc/authorize","token_endpoint":"https://cas.example.org:8443/cas/oidc/accessToken","userinfo_endpoint":"https://cas.example.org:8443/cas/oidc/profile","registration_endpoint":"https://cas.example.org:8443/cas/oidc/register","end_session_endpoint":"https://cas.example.org:8443/cas/oidc/logout","introspection_endpoint":"https://cas.example.org:8443/cas/oidc/introspect","revocation_endpoint":"https://cas.example.org:8443/cas/oidc/revoke","jwks_uri":"https://cas.example.org:8443/cas/oidc/jwks"}


I thought this value was controlled by the cas.server.name property. But I guess it's elsewhere?

server.context-path=/cas
server.port=443
cas.server.name=https://cas-dev.wichita.edu
cas.server.prefix=https://cas-dev.wichita.edu/cas
cas.host.name=cas-dev.wichita.edu

Hopefully someone can shine a light on this for me.
Thanks,
Erik Mallory
Server Analyst
Wichita State University


Misagh Moayyed

Aug 27, 2019, 3:59:44 AM
to CAS Community
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/3B7E953C-586C-41E3-BB3A-73A53D433AB0%40wichita.edu.

Mallory, Erik

Aug 27, 2019, 5:00:44 PM
to cas-...@apereo.org

Yes.

# OpenID Authentication
cas.authn.oidc.issuer=http://cas-dev.wichita.edu/cas/oidc
# Skew ID tokens in minutes
cas.authn.oidc.skew=5

cas.authn.oidc.jwksFile=file:/etc/cas/config/keystore.jwks
cas.authn.oidc.jwksCacheInMinutes=60

#cas.authn.oidc.dynamicClientRegistrationMode=OPEN|PROTECTED
cas.authn.oidc.dynamicClientRegistrationMode=PROTECTED

cas.authn.oidc.subjectTypes=public,pairwise

Erik Mallory
Server Analyst
Wichita State University
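An added example (not from the thread and not CAS code) of a small Python check that compares the discovery document quoted in the first message against the cas.server.name and cas.authn.oidc.issuer values posted above: it reports every endpoint whose scheme, host or port differ from cas.server.name, and also flags the http issuer, since OIDC Discovery requires an https issuer. The sample document is a constructed, trimmed copy of the one quoted; the property values are the ones from the thread.

```python
"""Consistency check of an OIDC discovery document against CAS server-name settings."""
import json
import sys
import urllib.request
from urllib.parse import urlparse

# Constructed sample, trimmed from the discovery document quoted in the thread.
SAMPLE_DISCOVERY = {
    "issuer": "http://cas-dev.wichita.edu/cas/oidc",
    "authorization_endpoint": "https://cas.example.org:8443/cas/oidc/authorize",
    "token_endpoint": "https://cas.example.org:8443/cas/oidc/accessToken",
    "userinfo_endpoint": "https://cas.example.org:8443/cas/oidc/profile",
    "end_session_endpoint": "https://cas.example.org:8443/cas/oidc/logout",
    "jwks_uri": "https://cas.example.org:8443/cas/oidc/jwks",
}
# Property values as posted in the thread (cas.properties).
CAS_SERVER_NAME = "https://cas-dev.wichita.edu"
CAS_OIDC_ISSUER = "http://cas-dev.wichita.edu/cas/oidc"


def origin(url):
    """scheme://host[:port] of a URL; the part that cas.server.name is meant to control."""
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}"


def check_discovery(doc, server_name, configured_issuer):
    """Return a list of findings; an empty list means the document is consistent."""
    findings = []
    expected = origin(server_name)
    issuer = doc.get("issuer", "")
    if issuer != configured_issuer:
        findings.append(f"issuer {issuer!r} differs from cas.authn.oidc.issuer {configured_issuer!r}")
    if urlparse(issuer).scheme != "https":
        findings.append(f"issuer {issuer!r} is not https; OIDC Discovery requires an https issuer")
    if origin(issuer) != expected:
        findings.append(f"issuer origin {origin(issuer)} does not match cas.server.name {expected}")
    # Every *_endpoint and jwks_uri must be on the same origin as cas.server.name,
    # otherwise relying parties are sent to a host that is not this CAS server.
    for key, value in doc.items():
        if key != "issuer" and (key.endswith("_endpoint") or key == "jwks_uri"):
            if origin(value) != expected:
                findings.append(f"{key} points at {origin(value)}, expected {expected}")
    return findings


if __name__ == "__main__":  # optionally pass a .well-known/openid-configuration URL
    doc = json.loads(urllib.request.urlopen(sys.argv[1]).read()) if len(sys.argv) > 1 else SAMPLE_DISCOVERY
    print("\n".join(check_discovery(doc, CAS_SERVER_NAME, CAS_OIDC_ISSUER) or ["OK: consistent"]))
```

Run against the sample it prints seven findings (the http issuer, its origin mismatch, and the five endpoints on cas.example.org:8443); run against a live URL it reads the document over HTTP and checks the same things.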

Misagh Moayyed

Aug 28, 2019, 4:35:29 AM
to CAS Community
Are you certain your configuration values are not overridden by something else?

Mallory, Erik

Aug 28, 2019, 2:04:13 PM
to cas-...@apereo.org

I double checked that I didn’t have an errant file somewhere that would override the config. I un-jarred the cas.war file and grepped for cas.example.org JIC.

All settings are loaded from the location below. CAS is running with embedded tomcat and is started by systemd.

# The configuration directory where CAS should monitor to locate settings.
spring.cloud.config.server.native.searchLocations=file:///etc/cas/config

/bin/java --add-modules java.se --add-exports java.base/jdk.internal.ref=ALL-UNNAMED --add-opens java.base/java.lang=ALL-UNNAMED --add-opens java.base/java.nio=ALL-UNNAMED --add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.management/sun.management=ALL-UNNAMED --add-opens jdk.management/com.sun.management.internal=ALL-UNNAMED -Dhttp.proxySet=true -Dhttps.proxySet=true -Dhttp.proxyHost=proxysvc-501.wichita.edu -Dhttps.proxyHost=proxysvc-501.wichita.edu -Dhttp.proxyPort=8080 -Dhttps.proxyPort=8080 -Djava.util.logging.config.file=/etc/cas/config/logging.properties -jar /data/cas/bin/cas.war

Thanks Again,

Mallory, Erik

Aug 28, 2019, 3:37:51 PM
to cas-...@apereo.org

I did find these…

cd /etc/
[root@appdev-523 etc]# grep -r cas.example *
cas/config/services/RegexRegisteredService-8396761148980578304.json:  serviceId: https://cas.example.org:8443/cas/oauth2.0/callbackAuthorize.*
cas/config/services/RegexRegisteredService-7398083621929947136.json:  serviceId: https://cas.example.org:8443/cas/oauth2.0/callbackAuthorize.*
cas/config/services/RegexRegisteredService-1905997417559537664.json:  serviceId: https://cas.example.org:8443/cas/oauth2.0/callbackAuthorize.*
cas/config/services/RegexRegisteredService-4418765845257222144.json:  serviceId: https://cas.example.org:8443/cas/oauth2.0/callbackAuthorize.*
cas/config/services/RegexRegisteredService-5291673557665746944.json:  serviceId: https://cas.example.org:8443/cas/oauth2.0/callbackAuthorize.*
cas/config/services/RegexRegisteredService-7671336329000167424.json:  serviceId: https://cas.example.org:8443/cas/oauth2.0/callbackAuthorize.*

These are apparently auto-generated. As far as I know I have not configured CAS to create these service entries, nor do they show up in the management interface.

The time stamps on the files appear to be related to restarts. This may be by design. I still can’t find the bit to set the proper server name though.
