Problem with OIDC and difference between 5.3.16 and 7.1.3


Ruggiero Dibenedetto

Apr 14, 2025, 8:43:58 PM
to CAS Community
Hi all,
I'm having some problems with the configuration of OIDC with CAS 7.1.3.
The old version I have, 5.3.16, works fine.

With the new version, instead, I start from a similar request, but at the end I don't get the same redirect, and I lose all the parameters in the link that I use in my Java application.
I have this workflow: 
  • ..../oidc/oidcAuthorize?scope=scopevalue&response_type=code&redirectUri=redirectUri&state=stateValue&nonce=noncevalue&clientid=clientValue
  • Then it seems to work fine with the login, MFA, etc.
  • /oauth2.0/callbackAuthorize?clientId....scope....redirecturi....responseType....state....nonce...clientname...ticket
  • And the Location of this last link is just the redirect URI.
Instead, in version 5.1.16, the last redirect workflow is:
  • oidc/authorize
  • all the stuff for the login
  • oauth2.0/callbackAuthorize with all the parameters
  • /oidc/authorize with a location that contains the parameters state nonce code
And after the redirect of the authorize I can also read the authorization code and so validate the session.

But with the new version this last step is not present. 

Do you have any suggestion or example on how it should work?

Thank you


Ray Bon

Apr 15, 2025, 11:08:24 PM
to cas-...@apereo.org
It is possible that some of the config parameters have changed names.
Run:
./gradlew tasks

to see what is available. Then
./gradlew exportConfigMetadata

which will create a file, config-metadata.properties.
That file lists all CAS properties and documents deprecated properties and their replacements. Not sure if it lists properties as old as 5.3.x.


Ray


Aniket Gangadharan

May 4, 2025, 12:43:40 PM
to CAS Community, Ruggiero Dibenedetto
Hi,
Did anyone find a solution to this? I am also facing the same issue.
The internal redirection on CAS with the login takes place, and then when redirecting back to the client, the parameters for code and state are not redirected in the HTTP 302.
Tested with CAS version 7.2.1.

Thanks,
Aniket

Ruggiero Dibenedetto

May 5, 2025, 5:37:26 AM
to CAS Community, Aniket Gangadharan, Ruggiero Dibenedetto

Hi, I don't know if it works for you, but my problem is fixed by deleting the following properties from cas.properties:
cas.ticket.registry.jpa.crypto.signing-enabled
cas.ticket.registry.jpa.crypto.signing.key
cas.ticket.registry.jpa.crypto.signing.key-size

Aniket Gangadharan

May 6, 2025, 5:42:34 AM
to CAS Community, Ruggiero Dibenedetto, Aniket Gangadharan
Removing the cas.ticket.registry.jpa.crypto.* properties has resolved my OIDC logic issue also. Thank you for the help.

gautham jampala

May 28, 2025, 10:38:48 AM
to CAS Community, Aniket Gangadharan, Ruggiero Dibenedetto
I am having the same issue with 7.1.4, and removing the cas.ticket.registry.jpa.crypto.* properties resolved the OIDC login issue. But it does not solve the root cause of why OIDC login is not working when the JPA ticket registry is encrypted. Are there any fixes to come for this in future releases?

Regards,
Gautham
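
A check for the symptom described in this thread, as an added example that is not part of any poster's message or of CAS itself: given the Location headers captured from the 302 chain, it verifies that the final redirect back to the client carries a single code and the state value the client sent. Host names, the redirect URI and the ticket, code and state values are constructed placeholders.

```python
import hmac
from urllib.parse import urlsplit, parse_qs

def check_final_redirect(location, redirect_uri, sent_state):
    """Return problems found in the Location that sends the browser back to the client."""
    problems = []
    loc, reg = urlsplit(location), urlsplit(redirect_uri)
    if (loc.scheme, loc.netloc, loc.path) != (reg.scheme, reg.netloc, reg.path):
        problems.append("Location does not target the registered redirect URI")
    params = parse_qs(loc.query, keep_blank_values=True)
    if "error" in params:
        problems.append("error response: " + params["error"][0])
    code = params.get("code", [])
    if len(code) != 1 or not code[0]:
        problems.append("no single non-empty 'code' parameter")
    state = params.get("state", [])
    if len(state) != 1:
        problems.append("no single 'state' parameter")
    elif not hmac.compare_digest(state[0].encode(), sent_state.encode()):
        # Constant-time comparison of the returned state with the one sent
        problems.append("'state' differs from the value the client sent")
    return problems

def diagnose_chain(locations, redirect_uri, sent_state):
    """Check the last Location header of a captured 302 chain."""
    if not locations:
        return ["no redirects captured"]
    return check_final_redirect(locations[-1], redirect_uri, sent_state)

# Constructed sample data (not taken from a real deployment).
REDIRECT_URI = "https://app.example.org/callback"
BROKEN_CHAIN = [
    "https://cas.example.org/cas/login?service=constructed",
    "https://cas.example.org/cas/oauth2.0/callbackAuthorize"
    "?clientId=clientValue&state=stateValue&ticket=ST-1-constructed",
    "https://app.example.org/callback",  # bare redirect URI, as reported for 7.x
]
WORKING_CHAIN = BROKEN_CHAIN[:2] + [
    "https://app.example.org/callback"
    "?code=OC-1-constructed&state=stateValue&nonce=noncevalue",
]

if __name__ == "__main__":
    for name, chain in (("broken", BROKEN_CHAIN), ("working", WORKING_CHAIN)):
        print(name, diagnose_chain(chain, REDIRECT_URI, "stateValue") or "OK")
```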
