CAS OIDC 403 forbidden


Charl Thiem

May 19, 2020, 5:44:01 AM
to cas-...@apereo.org
Hi

I need some help with OpenID Connect setup.
I have my CAS 6.1 instance configured with OIDC. I can authenticate my user with
Which then returns the "code"
https://the-redirect-uri/?code=OC-3-Er9FLXhPgI7MLBoqfo0-SC1DRMgezkh6

Then when trying to get an authorization_code from it I get a 403

curl --location --request POST 'https://demo.domain.co.za/cas/oidc/token' \
--header 'Authorization: Basic Y2xpZW50OnNlY3JldA==' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'code=OC-1-9RHILYUUElF6YCOeWqSnK0BxuK8l1-bf' \
--data-urlencode 'grant_type=authorization_code' \
--data-urlencode 'redirect_uri=https://the-redirect-uri'

{"timestamp":"2020-05-19T09:33:21.868+0000","status":403,"error":"Forbidden","message":"No message available","path":"/cas/oidc/token"}

(The Authorization header does seem to work. I have the clientId and client secret in there. And if I change it I get a 401.)

I do not have any additional settings for OIDC in the CAS config, and I have a JSON service definition with the following:
{
  "@class" : "org.apereo.cas.services.OidcRegisteredService",
  "clientId": "client",
  "clientSecret": "secret",
  "serviceId" : "https://the-redirect-uri",
  "name": "OIDC Test",
  "id": 60,
  "supportedResponseTypes":  [ "java.util.HashSet", [ "code" ] ],
  "supportedGrantTypes":  [ "java.util.HashSet", [ "authorization_code" ] ]
}

Any ideas what the issue with the 403 could be?


I'm running in debug mode and also couldn't find any useful logging. This is the output during the request for the authorization_code.

2020-05-19 11:38:52,750 DEBUG [org.apereo.cas.support.oauth.web.endpoints.OAuth20AuthorizeEndpointController] - <Building authorization response for grant type [AUTHORIZATION_CODE] with scopes [[openid]] for client id [client]>
2020-05-19 11:38:52,751 DEBUG [org.apereo.cas.support.oauth.web.response.callback.OAuth20AuthorizationCodeAuthorizationResponseBuilder] - <Generated OAuth code: [OC-1-ZUSkKuijTf-JvqqPijjsEaMrVxRSRPGb]>
2020-05-19 11:38:52,758 DEBUG [org.apereo.cas.ticket.registry.JpaTicketRegistry] - <Added ticket [OC-1-ZUSkKuijTf-JvqqPijjsEaMrVxRSRPGb] to registry.>
2020-05-19 11:38:52,783 DEBUG [org.apereo.cas.support.oauth.web.response.callback.OAuth20AuthorizationCodeAuthorizationResponseBuilder] - <Authorize request successful for client [client] with redirect uri [https://the-redirect-uri]>
2020-05-19 11:38:52,783 DEBUG [org.apereo.cas.support.oauth.web.response.callback.OAuth20AuthorizationCodeAuthorizationResponseBuilder] - <Redirecting to URL [https://the-redirect-uri?code=OC-1-ZUSkKuijTf-JvqqPijjsEaMrVxRSRPGb&state=af0ifjsldkj]>
2020-05-19 11:38:52,786 DEBUG [org.apereo.cas.support.oauth.util.OAuth20Utils] - <OAuth response type is [NONE]>
2020-05-19 11:39:06,232 DEBUG [org.apereo.cas.support.oauth.authenticator.OAuth20ClientIdClientSecretAuthenticator] - <Authenticating credential [#UsernamePasswordCredentials# | username: client | password: [PROTECTED] |]>
2020-05-19 11:39:06,232 DEBUG [org.apereo.cas.support.oauth.authenticator.OAuth20ClientIdClientSecretAuthenticator] - <Checking if the OAuth code issued contains code challenge>
2020-05-19 11:39:06,245 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [result=Service Access Granted,service=https://the-redirect-uri,requiredAttributes={}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Tue May 19 11:39:06 SAST 2020
CLIENT IP ADDRESS: 172.18.0.1
SERVER IP ADDRESS: 192.168.1.111
=============================================================

>
2020-05-19 11:39:06,245 DEBUG [org.apereo.cas.support.oauth.util.OAuth20Utils] - <Found: [OidcRegisteredService(super=OAuthRegisteredService(super=AbstractRegisteredService(serviceId=https://the-redirect-uri, name=OIDC Test, theme=null, informationUrl=null, privacyUrl=null, responseType=null, id=60, description=null, expirationPolicy=DefaultRegisteredServiceExpirationPolicy(deleteWhenExpired=false, notifyWhenDeleted=false, notifyWhenExpired=false, expirationDate=null), proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1, proxyTicketExpirationPolicy=null, serviceTicketExpirationPolicy=null, singleSignOnParticipationPolicy=null, evaluationOrder=0, usernameAttributeProvider=org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider@87297e2, logoutType=BACK_CHANNEL, requiredHandlers=[], environments=[], attributeReleasePolicy=ReturnAllowedAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null, principalAttributesRepository=DefaultPrincipalAttributesRepository(), consentPolicy=DefaultRegisteredServiceConsentPolicy(enabled=true, excludedAttributes=null, includeOnlyAttributes=null, order=0), authorizedToReleaseCredentialPassword=false, authorizedToReleaseProxyGrantingTicket=false, excludeDefaultAttributes=false, authorizedToReleaseAuthenticationAttributes=true, principalIdAttribute=null, order=0), allowedAttributes=[]), multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[], failureMode=UNDEFINED, principalAttributeNameTrigger=null, principalAttributeValueToMatch=null, bypassEnabled=false, forceExecution=false, bypassTrustedDeviceEnabled=false), logo=null, logoutUrl=null, accessStrategy=DefaultRegisteredServiceAccessStrategy(order=0, enabled=true, ssoEnabled=true, unauthorizedRedirectUrl=null, delegatedAuthenticationPolicy=DefaultRegisteredServiceDelegatedAuthenticationPolicy(allowedProviders=[], permitUndefined=true, exclusive=false), requireAllAttributes=true, requiredAttributes={}, rejectedAttributes={}, caseInsensitive=false), publicKey=null, properties={}, contacts=[]), clientSecret=secret, clientId=client, bypassApprovalPrompt=false, generateRefreshToken=false, renewRefreshToken=false, jwtAccessToken=false, codeExpirationPolicy=null, accessTokenExpirationPolicy=null, refreshTokenExpirationPolicy=null, deviceTokenExpirationPolicy=null, supportedGrantTypes=[authorization_code], supportedResponseTypes=[code]), jwks=null, jwksCacheDuration=0, jwksCacheTimeUnit=null, tokenEndpointAuthenticationMethod=client_secret_basic, signIdToken=true, encryptIdToken=false, idTokenEncryptionAlg=null, idTokenSigningAlg=null, userInfoSigningAlg=null, userInfoEncryptedResponseAlg=null, userInfoEncryptedResponseEncoding=null, idTokenEncryptionEncoding=null, sectorIdentifierUri=null, applicationType=web, subjectType=public, dynamicallyRegistered=false, implicit=false, dynamicRegistrationDateTime=null, scopes=[])] in secret check>
2020-05-19 11:39:06,246 DEBUG [org.apereo.cas.support.oauth.authenticator.OAuth20ClientIdClientSecretAuthenticator] - <Authenticated user profile [#CommonProfile# | id: client | attributes: {} | roles: [] | permissions: [] | isRemembered: false | clientName: null | linkedId: null |]>


Regards / Groete
Charl Thiem
Senior Developer | +07 (0) 21 970 4000 | in...@opencollab.co.za | www.opencollab.co.za | @opencollab




See OpenCollab email disclaimer at http://www.opencollab.co.za/email-disclaimer

Gandhi

May 20, 2020, 6:00:19 AM
to CAS Community
Hi, Can you try passing client_id and client_secret as params rather than Basic Auth?
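The two requests the first post describes (the authorize redirect that carries the code, and the POST to /cas/oidc/token with client_secret_basic) and the client_secret_post variant suggested in the reply above, as an added example that is not code from the thread or from the CAS project. It runs offline: the token endpoint, client id/secret and redirect URI are the placeholders used in the thread, the 403 body is the one quoted in the first post, and ISSUER, the 200 response and its id_token are constructed. The classification of the 403 as "refused after client authentication" is this editor's reading of the quoted log, where the client-secret check succeeds and Spring's generic error page follows; the thread itself only establishes that the same configuration works on 6.0 and not on 6.1.6. The redirect_uri check flags the trailing-slash difference between the redirect URL quoted in the first post (https://the-redirect-uri/?code=...) and the redirect_uri in the curl (https://the-redirect-uri); the thread does not establish that as the cause.

```python
"""Offline helpers for the CAS OIDC authorization-code exchange in this thread.

Added example, not code from the thread or from the CAS project. Endpoint,
client id/secret and redirect URI are the thread's placeholders; the 403 body
is the one quoted in the thread; the 200 body and its id_token are constructed.
"""
import base64
import json
from urllib.parse import parse_qs, quote, urlencode, urlsplit

TOKEN_ENDPOINT = "https://demo.domain.co.za/cas/oidc/token"  # from the thread
ISSUER = "https://demo.domain.co.za/cas/oidc"                # assumed issuer value


def basic_auth_header(client_id, client_secret):
    """client_secret_basic (RFC 6749 2.3.1): form-encode each half, base64 'id:secret'.
    The encoding step matters only when id or secret contain ':' or '%'."""
    raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(raw.encode()).decode()


def code_from_redirect(redirect_url):
    """Pick code/state (or error/error_description) out of the redirect URL."""
    return {k: v[0] for k, v in parse_qs(urlsplit(redirect_url).query).items()}


def redirect_uri_mismatch(authorize_redirect_url, token_redirect_uri):
    """The redirect_uri in the token request must byte-match the URI the code was
    sent to (query stripped). Returns (issued_to, sent) on mismatch, else None.
    A trailing slash alone is a mismatch, as between the URLs quoted in the thread."""
    issued_to = urlsplit(authorize_redirect_url)._replace(query="", fragment="").geturl()
    return None if issued_to == token_redirect_uri else (issued_to, token_redirect_uri)


def build_token_request(code, redirect_uri, client_id, client_secret,
                        auth_method="client_secret_basic"):
    """Token request as (url, headers, body). client_secret_basic is what the curl in
    the thread sends; client_secret_post is the variant suggested in reply."""
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if auth_method == "client_secret_basic":
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    elif auth_method == "client_secret_post":
        form.update(client_id=client_id, client_secret=client_secret)
    else:
        raise ValueError(f"unsupported auth method {auth_method}")
    return TOKEN_ENDPOINT, headers, urlencode(form)


def classify_token_response(status, body):
    """Map the token endpoint's answer to the layer that produced it."""
    try:
        data = json.loads(body)
    except ValueError:
        data = {}
    if status == 200 and "access_token" in data:
        return "issued"
    if status == 401:
        return "client_auth_failed"              # wrong client_id/secret or auth method
    if status == 400 and "error" in data:
        return "oauth_error:" + data["error"]    # RFC 6749 5.2 object, e.g. invalid_grant
    if status == 403 and data.get("error") == "Forbidden":
        # Spring's generic error page, not an OAuth error object: the client
        # authenticated, but the request was refused before a token was built.
        # Look at the service registration and endpoint security, not the secret.
        return "forbidden_after_client_auth"
    return f"unexpected:{status}"


def id_token_problems(token, client_id, issuer=ISSUER):
    """Claim checks a relying party still owes after a 200. Decodes the payload
    only; signature verification against the CAS JWKS is a separate step."""
    payload = token.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    return [name for name, bad in (("iss", claims.get("iss") != issuer),
                                   ("aud", client_id not in aud),
                                   ("sub", "sub" not in claims)) if bad]


def _constructed_jwt(claims):
    """Compact JWS with a dummy signature, for the constructed 200 sample only."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'RS256', 'kid': 'cas'})}.{b64(claims)}.c2ln"


SAMPLE_403 = ('{"timestamp":"2020-05-19T09:33:21.868+0000","status":403,'
              '"error":"Forbidden","message":"No message available","path":"/cas/oidc/token"}')
SAMPLE_ID_TOKEN = _constructed_jwt({"iss": ISSUER, "aud": "client", "sub": "casuser"})
SAMPLE_200 = json.dumps({              # constructed; CAS's real response carries more fields
    "access_token": "AT-1-constructed", "token_type": "bearer", "expires_in": 28800,
    "id_token": SAMPLE_ID_TOKEN,
})
```

To exercise it against a live CAS, feed the (url, headers, body) tuple from build_token_request to curl or urllib and pass the status and body to classify_token_response; a code is single-use, so every attempt needs a fresh authorize round trip. The service dump in the first post's log shows tokenEndpointAuthenticationMethod=client_secret_basic for the registered service, so when trying auth_method="client_secret_post" keep the registration and the request consistent rather than changing only one side.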

Charl Thiem

May 20, 2020, 6:35:55 AM
to cas-...@apereo.org
Hi there

I tried that too with no luck. I think there is a bug in Spring's pac4j or pac4j itself. I had some places in my debugger stack trace where I could see it never passes a check that is expected to pass... Just my guess, I'm no pac4j expert :D

I downgraded to 6.0.7 instead of 6.1.6 and it now works as expected with the same configuration - for what that info is worth...


Regards / Groete
Charl Thiem

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/4d52ca92-25e2-458d-b4d8-949251c073e4%40apereo.org.

Jérôme Steve

May 20, 2020, 9:55:02 AM
to cas-...@apereo.org
Hi charl,

Did you try adding the scopes to your service configuration? Like this:

"scopes" : [ "java.util.HashSet", [ "openid"] ]



Charl Thiem

May 20, 2020, 10:15:38 AM
to cas-...@apereo.org
Hi Jérôme

I've tried that too. Still no luck with CAS 6.1, 6.0 works fine

Regards / Groete
Charl Thiem



Linos Giannopoulos

May 25, 2020, 12:36:56 PM
to CAS Community
Hey,

I have a similar setup to that of Charl's and I encountered the same issue with 6.1.6. Indeed, downgrading to 6.0 works as expected.
I have not tried 6.2.x yet.

If you need any extra information, or you have any pointers in terms of where to look, let me know.

~lgian
