Hi,
I'm upgrading to CAS 6.5.0 with delegated authentication to Azure AD using OAuth.
I'm load testing it using a second CAS instance as a "mock" OAuth endpoint rather than AAD. We've already hit several bugs [1], [2] on previous releases with threading issues under load.
The load test:
- Steps through an OAuth login
- Validates the ticket
- Obtains a proxy IOU, retrieves the proxy ticket itself, and validates this.
- "Logs in" again but this time it already has an SSO session so no OAuth
- Validates this ticket.
Release 6.5.0 seemed to fix most problems. My load tests run OK at 500 logins/min but above this I'm getting errors:
WARN [org.apereo.cas.DefaultCentralAuthenticationService] - <Service ticket [xxxxxxxxxxxxx] does not exist.>
And the client gets:
<cas:authenticationFailure code="INVALID_TICKET">Ticket 'ST-8315-5xte-xOJmYBrgw1IGLe5Tzqxu20-IT080096' not recognized</cas:authenticationFailure>
This looks similar to the bug [2] where the same ticket was given to multiple clients, and it was then a race which of them validated it first.
CAS doesn't seem to have any sort of issue tracker on GitHub, so I can't see how to raise this, but given the previous bugs it seems likely there are still threading issues.
Has anyone else encountered this, or does anyone know of any workaround? I've spent a huge amount of time testing this now, and I don't know if we are going to be able to upgrade our CAS instance at all unless I can find some resolution to this!
Thanks,
Mark van Rossum
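
Added example, not part of the original post and not CAS code: one way to test the duplicate-ticket hypothesis from the load-test side, by separating INVALID_TICKET failures on a ticket that was issued to more than one client from those where a client validated its own ticket twice (service tickets are single-use) and from those with neither explanation. The log line format, client names and ticket IDs are constructed assumptions about what a test harness could record.

```python
import re
from collections import defaultdict

# Constructed sample: lines a load-test harness might write (format is an assumption).
SAMPLE_LOG = """\
12:00:01.101 client=vu-17 event=issued ticket=ST-1-aaaa-host1
12:00:01.102 client=vu-42 event=issued ticket=ST-1-aaaa-host1
12:00:01.150 client=vu-17 event=validated ticket=ST-1-aaaa-host1 result=OK
12:00:01.151 client=vu-42 event=validated ticket=ST-1-aaaa-host1 result=INVALID_TICKET
12:00:02.000 client=vu-03 event=issued ticket=ST-2-bbbb-host1
12:00:02.050 client=vu-03 event=validated ticket=ST-2-bbbb-host1 result=OK
12:00:03.000 client=vu-08 event=issued ticket=ST-3-cccc-host1
12:00:03.040 client=vu-08 event=validated ticket=ST-3-cccc-host1 result=INVALID_TICKET
"""

LINE = re.compile(r"client=(?P<client>\S+) event=(?P<event>issued|validated) "
                  r"ticket=(?P<ticket>\S+)(?: result=(?P<result>\S+))?")

def classify_failures(log_text):
    """Sort every INVALID_TICKET validation into one of three buckets."""
    issued_to = defaultdict(set)   # ticket -> clients that were handed it
    attempts = defaultdict(list)   # ticket -> [(client, result)] in log order
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        if m["event"] == "issued":
            issued_to[m["ticket"]].add(m["client"])
        else:
            attempts[m["ticket"]].append((m["client"], m["result"]))

    report = {"duplicate_issuance": [], "harness_replay": [], "unexplained": []}
    for ticket, tries in attempts.items():
        for i, (client, result) in enumerate(tries):
            if result != "INVALID_TICKET":
                continue
            if len(issued_to[ticket]) > 1:
                # Same ticket string reached several clients: the suspected race.
                bucket = "duplicate_issuance"
            elif any(c == client and r == "OK" for c, r in tries[:i]):
                # The client already consumed this single-use ticket: a test bug.
                bucket = "harness_replay"
            else:
                # Issued once, never validated before, yet not recognized.
                bucket = "unexplained"
            report[bucket].append((ticket, client))
    return report

if __name__ == "__main__":
    for bucket, hits in classify_failures(SAMPLE_LOG).items():
        print(bucket, hits)
```

A non-empty "unexplained" bucket points away from duplicate issuance and toward the ticket disappearing between issuance and validation, which is a different problem to chase.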