Authorize request verification fails with OAuth and CAS 5.0.x


Todd Pratt

Dec 12, 2016, 4:51:17 PM
to CAS Community
Hi,

I'm trying to set up OpenID/OAuth2 on CAS 5.0.x using the war overlay template. I included three dependencies, cas-server-support-oidc, cas-server-support-ldap and cas-server-support-json-service-registry. I built the management webapp using that overlay template and I successfully logged into the management app using the ldap authentication I set up. Now I'm trying to set up a service provider for OpenID/OAuth2 and I keep getting an error page with my test application that says "Application Not Authorized to use CAS" instead of redirecting to the login page. I've used this test client with other servers and it seems to work. I enabled debugging and, looking through the code, it looks like it found the provider I defined, but then it fails because OAuth20AuthorizeController.isRequestAuthenticated() returns false. The method isRequestAuthenticated() seems to look for a profile in the session, which isn't there. Is there something I'm missing? Below is the portion of the log.


2016-12-12 13:09:40,226 DEBUG [org.apereo.cas.support.oauth.validator.OAuthValidator] - <client_id: fb3s86QV9QKl>
2016-12-12 13:09:40,227 DEBUG [org.apereo.cas.support.oauth.validator.OAuthValidator] - <redirect_uri: http://localhost:8080/oauth_client>
2016-12-12 13:09:40,227 DEBUG [org.apereo.cas.support.oauth.validator.OAuthValidator] - <response_type: code>
2016-12-12 13:09:40,227 DEBUG [org.apereo.cas.support.oauth.web.OAuth20AuthorizeController] - <Response type: code>
2016-12-12 13:09:40,228 DEBUG [org.apereo.cas.support.oauth.validator.OAuthValidator] - <Check registered service: org.apereo.cas.services.OidcRegisteredService@66d09fb6[attributeFilter=<null>,principalAttributesRepository=org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository@2027a3cc[],authorizedToReleaseCredentialPassword=false,authorizedToReleaseProxyGrantingTicket=false],accessStrategy=org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy@f9e67c0[enabled=true,ssoEnabled=true,requireAllAttributes=false,requiredAttributes={},unauthorizedRedirectUrl=<null>,caseInsensitive=false,rejectedAttributes={}],publicKey=<null>,proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@2e202d9f,logo=<null>,logoutUrl=<null>,requiredHandlers=[],properties={},multifactorPolicy=org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy@6dd174aa[multifactorAuthenticationProviders=[],failureMode=CLOSED,principalAttributeNameTrigger=<null>,principalAttributeValueToMatch=<null>,clientId=fb3s86QV9QKl,approvalPrompt=false,generateRefreshToken=false,jsonFormat=false,jwks=<null>,signIdToken=false]>
2016-12-12 13:09:40,228 DEBUG [org.apereo.cas.support.oauth.validator.OAuthValidator] - <Found: org.apereo.cas.services.OidcRegisteredService@66d09fb6[attributeFilter=<null>,principalAttributesRepository=org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository@2027a3cc[],authorizedToReleaseCredentialPassword=false,authorizedToReleaseProxyGrantingTicket=false],accessStrategy=org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy@f9e67c0[enabled=true,ssoEnabled=true,requireAllAttributes=false,requiredAttributes={},unauthorizedRedirectUrl=<null>,caseInsensitive=false,rejectedAttributes={}],publicKey=<null>,proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@2e202d9f,logo=<null>,logoutUrl=<null>,requiredHandlers=[],properties={},multifactorPolicy=org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy@6dd174aa[multifactorAuthenticationProviders=[],failureMode=CLOSED,principalAttributeNameTrigger=<null>,principalAttributeValueToMatch=<null>,clientId=fb3s86QV9QKl,approvalPrompt=false,generateRefreshToken=false,jsonFormat=false,jwks=<null>,signIdToken=false] vs redirectUri: http://localhost:8080/oauth_client>
2016-12-12 13:09:40,228 ERROR [org.apereo.cas.support.oauth.web.OAuth20AuthorizeController] - <Authorize request verification fails>


Thanks in advance for any help.

Misagh Moayyed

Dec 12, 2016, 5:45:42 PM
to cas-...@apereo.org

Where or what is your client?

 

--Misagh

--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/e8e05206-aae0-49ef-949a-85675631b489%40apereo.org.

Todd Pratt

Dec 12, 2016, 7:58:19 PM
to CAS Community, mmoa...@unicon.net
I'm using the Google API. I've used it with WSO2 and Salesforce. Below is the snippet of code from the client I'm using and the JSON service provider file generated by the management app. Let me know if there is anything else that would help. Thank you!


import com.google.api.client.auth.oauth2.*;
import com.google.api.client.http.*;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.jackson2.JacksonFactory;
import com.google.api.client.util.store.FileDataStoreFactory;
import java.io.*;
import java.util.Collections;

public class CasOAuthClient {
    private static final String CLIENT_ID = "fb3s86QV9QKl";
    private static final String CLIENT_SECRET = "VgWn3ysT24gZo66K";
    private static final String CALLBACK_URI = "http://localhost:8080/oauth_client";
    private static final String CAS_BASE = "https://cas.mydomain.com:8443/cas";
    private static final HttpTransport HTTP_TRANSPORT = new NetHttpTransport();
    private static final JsonFactory JSON_FACTORY = new JacksonFactory();
    private AuthorizationCodeFlow flow;
    private String stateToken; // unguessable per-session value, verified when the callback arrives

    public void initialize() throws IOException {
        // The Builder's 4th argument (token endpoint) was missing from the snippet as posted;
        // CAS's OAuth token endpoint /oauth2.0/accessToken under the same base URL is assumed here.
        this.flow = new AuthorizationCodeFlow.Builder(BearerToken.authorizationHeaderAccessMethod(),
                HTTP_TRANSPORT, JSON_FACTORY, new GenericUrl(CAS_BASE + "/oauth2.0/accessToken"),
                new BasicAuthentication(CLIENT_ID, CLIENT_SECRET), CLIENT_ID, CAS_BASE + "/oauth2.0/authorize/")
            .setScopes(Collections.singletonList("openid"))
            .setCredentialDataStore(StoredCredential.getDefaultDataStore(new FileDataStoreFactory(new File("datastoredir"))))
            .build();
    }

    public String buildLoginUrl() {
        // redirect_uri sent here is what CAS matches against the registered service
        final AuthorizationCodeRequestUrl url = flow.newAuthorizationUrl();
        return url.setRedirectUri(CALLBACK_URI).setState(stateToken).build();
    }
}


JSON Service Provider
---------------------------------------------------------------------------------------------------------------------------------------------
{
  @class: org.apereo.cas.support.oauth.services.OAuthRegisteredService
  name: Myapp
  id: 111057507159608
  description: Myapp
  evaluationOrder: 1
  logoutType: NONE
  attributeReleasePolicy:
  {
    @class: org.apereo.cas.services.ReturnAllAttributeReleasePolicy
    principalAttributesRepository:
    {
      @class: org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository
      expiration: 2
      timeUnit: HOURS
    }
    authorizedToReleaseCredentialPassword: false
    authorizedToReleaseProxyGrantingTicket: false
  }
  multifactorPolicy:
  {
    @class: org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy
    failureMode: CLOSED
  }
  accessStrategy:
  {
    @class: org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy
    enabled: true
    ssoEnabled: true
    requireAllAttributes: false
    caseInsensitive: false
  }
  clientSecret: VgWn3ysT24gZo66K
  clientId: fb3s86QV9QKl
  bypassApprovalPrompt: false
  generateRefreshToken: false
  jsonFormat: false
}

Todd Pratt

Dec 13, 2016, 1:20:50 PM
to CAS Community

Misagh Moayyed

Dec 13, 2016, 3:12:59 PM
to cas-...@apereo.org

Feel free to submit an issue. Jérôme might have a few ideas. It would also be helpful if you could pack your client into a shape that can be tested and run by someone else. If you do [and you should], reference its location in the issue.

 

--Misagh



Jérôme LELEU

Dec 14, 2016, 3:04:12 AM
to CAS Community
Hi,

Sure. This error happens when you have not properly configured the serviceId of the Oidc service: it must match the redirectUri.



{
  "@class" : "org.apereo.cas.services.OidcRegisteredService",
  "clientId": "client",
  "clientSecret": "secret",
  "serviceId" : "^<https://the-redirect-uri>",
  "signIdToken": true,
  "name": "OIDC",
  "id": 1000,
  "evaluationOrder": 100,
  "jwks": "..."
}


Thanks.
Best regards,
Jérôme
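As an added illustration (not from the thread and not CAS's own code) of why the serviceId matters: the Python model below, written under the assumption that CAS evaluates serviceId as a regular expression with find() semantics, shows a definition without serviceId never passing the callback check, an anchored and escaped pattern accepting only the real redirect URI, and a start-only anchor accepting look-alike callbacks.

```python
import re
from typing import Optional


class RegisteredService:
    """Minimal model of a CAS OidcRegisteredService (constructed for this example)."""

    def __init__(self, client_id: str, service_id: Optional[str] = None, case_insensitive: bool = False):
        self.client_id = client_id
        self.service_id = service_id          # regex the redirect_uri has to satisfy
        self.case_insensitive = case_insensitive

    def matches(self, redirect_uri: str) -> bool:
        # Assumption: mirrors CAS's regex serviceId check, which uses find() semantics,
        # so an unanchored pattern matches anywhere inside the redirect_uri.
        if not self.service_id:
            return False                      # no pattern, nothing can ever match
        flags = re.IGNORECASE if self.case_insensitive else 0
        return re.compile(self.service_id, flags).search(redirect_uri) is not None


def check_callback_valid(services, client_id: str, redirect_uri: str) -> Optional[RegisteredService]:
    """Return the service registered for client_id whose serviceId accepts redirect_uri, else None."""
    for svc in services:
        if svc.client_id == client_id and svc.matches(redirect_uri):
            return svc
    return None


CLIENT_ID = "fb3s86QV9QKl"
CALLBACK = "http://localhost:8080/oauth_client"

# Definition with clientId/clientSecret but no serviceId: the callback check always fails.
MISSING = RegisteredService(CLIENT_ID)
# Anchored at both ends with metacharacters escaped: exactly one redirect URI is accepted.
STRICT = RegisteredService(CLIENT_ID, "^" + re.escape(CALLBACK) + "$")
# Start-only anchor: find() accepts any URI that merely begins with the callback.
LOOSE = RegisteredService(CLIENT_ID, "^http://localhost:8080/oauth_client")


def evaluate():
    """Exercise the three definitions against the real callback and a look-alike path."""
    lookalike = CALLBACK + "_old"             # constructed: accepted by LOOSE, refused by STRICT
    return {
        "missing_rejects_callback": check_callback_valid([MISSING], CLIENT_ID, CALLBACK) is None,
        "strict_accepts_callback": check_callback_valid([STRICT], CLIENT_ID, CALLBACK) is STRICT,
        "strict_rejects_lookalike": check_callback_valid([STRICT], CLIENT_ID, lookalike) is None,
        "loose_accepts_lookalike": check_callback_valid([LOOSE], CLIENT_ID, lookalike) is LOOSE,
    }
```

Keep serviceId anchored at both ends and escaped: a loose pattern lets an authorization code be delivered to a callback you never meant to register.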



Todd Pratt

Dec 14, 2016, 11:13:23 AM
to CAS Community
Hi Jérôme,

I've tried several values for serviceId and can't find one that will work; I get the same error each time. I need it to redirect back to http://localhost:8080/oauth_client. Could you please tell me what I'm doing wrong with the following:

{
  "@class" : "org.apereo.cas.services.OidcRegisteredService",
  "clientId": "fb3s86QV9QKl",
  "clientSecret": "VgWn3ysT24gZo66K",
  "signIdToken": "false",
  "name": "OIDC",
  "id": 1000,
  "evaluationOrder": 100
}



Thank you,
Todd


Jérôme LELEU

Dec 15, 2016, 3:27:05 AM
to CAS Community


Todd Pratt

Dec 15, 2016, 10:16:20 AM
to CAS Community
Hi,

I appreciate all the help. That check succeeds, see the log statements below. It fails on isRequestAuthenticated in OAuth20AuthorizeController.

There isn't a profile in the session or request attributes. I printed both of those out and couldn't find one for Pac4jConstants.USER_PROFILES ("pac4jUserProfile").


2016-12-15 09:53:52,309 DEBUG [org.apereo.cas.support.oauth.validator.OAuthValidator] - <Check registered service: org.apereo.cas.services.OidcRegisteredService@126030a4[attributeFilter=<null>,principalAttributesRepository=org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository@7f17e342[],authorizedToReleaseCredentialPassword=false,authorizedToReleaseProxyGrantingTicket=false,allowedAttributes=[]],accessStrategy=org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy@27dc818c[enabled=true,ssoEnabled=true,requireAllAttributes=true,requiredAttributes={},unauthorizedRedirectUrl=<null>,caseInsensitive=false,rejectedAttributes={}],publicKey=<null>,proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@5761f513,logo=<null>,logoutUrl=<null>,requiredHandlers=[],properties={},multifactorPolicy=org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy@342a60c3[multifactorAuthenticationProviders=[],failureMode=CLOSED,principalAttributeNameTrigger=<null>,principalAttributeValueToMatch=<null>,clientId=fb3s86QV9QKl,approvalPrompt=false,generateRefreshToken=false,jsonFormat=true,jwks=<null>,signIdToken=false]>

2016-12-15 09:53:52,310 DEBUG [org.apereo.cas.support.oauth.validator.OAuthValidator] - <Found: org.apereo.cas.services.OidcRegisteredService@126030a4[attributeFilter=<null>,principalAttributesRepository=org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository@7f17e342[],authorizedToReleaseCredentialPassword=false,authorizedToReleaseProxyGrantingTicket=false,allowedAttributes=[]],accessStrategy=org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy@27dc818c[enabled=true,ssoEnabled=true,requireAllAttributes=true,requiredAttributes={},unauthorizedRedirectUrl=<null>,caseInsensitive=false,rejectedAttributes={}],publicKey=<null>,proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@5761f513,logo=<null>,logoutUrl=<null>,requiredHandlers=[],properties={},multifactorPolicy=org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy@342a60c3[multifactorAuthenticationProviders=[],failureMode=CLOSED,principalAttributeNameTrigger=<null>,principalAttributeValueToMatch=<null>,clientId=fb3s86QV9QKl,approvalPrompt=false,generateRefreshToken=false,jsonFormat=true,jwks=<null>,signIdToken=false] vs redirectUri: http://localhost:8080/oauth_client>

2016-12-15 09:53:52,313 ERROR [org.apereo.cas.support.oauth.web.OAuth20AuthorizeController] - <Authorize request verification fails>

Ryan Rolland

Mar 6, 2018, 6:36:33 PM
to CAS Community
Did you figure this out? I am having a very similar failure trying to get the profile on a call to cas/oidc/accessToken/ from either the request or the session. I believe it is due to the request being generated from the web application's back end and not the browser, i.e. no cookie information.

ProfileManager<U>.retrieveAll(boolean) line: 58
ProfileManager<U>.get(boolean) line: 35
OidcAccessTokenEndpointController(OAuth20AccessTokenEndpointController).verifyAccessTokenRequest(HttpServletRequest, HttpServletResponse) line: 207
OidcAccessTokenEndpointController(OAuth20AccessTokenEndpointController).handleRequest(HttpServletRequest, HttpServletResponse) line: 103

Todd Pratt

Mar 7, 2018, 9:55:44 AM
to cas-...@apereo.org
Yes, but I don't remember what the issue was, it being more than a year ago.
I am using the OAuth 2.0 endpoints, so I'm using /oauth2.0/profile to get the profile back. If you are using OIDC, it looks like you should be using cas/oidc/accessToken/ to get a token back first and then a call to /oidc/profile to get the profile using the token you got back in the first request.


Ryan Rolland

Mar 8, 2018, 1:37:46 PM
to CAS Community
Thanks for the response. Yeah, that is exactly what I am doing, i.e. trying to call 'cas/oidc/accessToken' before 'cas/oidc/profile'. The implementation of 'cas/oidc/accessToken' does a profile lookup per the stack trace I gave.
