OIDC /authorize - Authorization Denied


Jérémie

Jun 27, 2023, 10:09:59 AM6/27/23
to CAS Community
Hi,

I'm pretty new to cas (6.6.8) and I'm trying to connect a test application to my CAS server using OIDC. I'm used to Okta, Auth0, etc., so OIDC is not new to me, just CAS configuration.

My Cas is also connected to an AD to sign in. 

This is my Cas server configuration using OIDC module (org.apereo.cas:cas-server-support-oidc) : 

# Server
server.port=443

# SSL
server.ssl.enabled=true
server.ssl.key-store=file:{path}
server.ssl.key-store-password=xxx
server.ssl.key-password=xxx

# CAS
cas.server.name=https://URL:443
cas.server.prefix=${cas.server.name}/cas
cas.logout.followServiceRedirects=true
cas.authn.accept.enabled=false

# Active Directory
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldap://localhost:389
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].baseDn=DC=AAA,DC=BBB
cas.authn.ldap[0].search-filter=(sAMAccountName={user})
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].bindDn=USER
cas.authn.ldap[0].bindCredential=XXX

# OIDC settings
cas.authn.oidc.core.issuer=https://URL/cas/oidc
cas.authn.oidc.core.skew=5
cas.authn.oidc.jwks.file-system.jwks-file=file:C:\Program Files\Tomcat 9.0\etc\cas\config\keystore.jwks

# Encryption/Signing keys
cas.tgc.crypto.encryption.key=SN7Vpa8oHvXfh2hDZp8ANxZGRkF1DvKbYLTy_Vip2dI
cas.tgc.crypto.signing.key=KwbtZl2y5sidXFMShjVm4PiGwjVQ0Fq-ZBp0A_HUK6IOnoS2h0E5cSfp7vy8uioqX04yKIBXcU0kUm6DRuPCZQ
cas.webflow.crypto.signing.key=MltIqyj_vGFgZKFfw8vmoqYIYYu_KEU20AyZaAIDZl_Xjhl0ZGpPNe4h4N7-8p1_pNi-s97TQKb1-INp9VEwEA
cas.webflow.crypto.encryption.key=3Mh_pdDFLPCMgacDL6z8SQ

---

This is my /etc/config/services file (serviceId is my app URL):
{
  "@class": "org.apereo.cas.services.OidcRegisteredService",
  "serviceId": "https://localhost:3000/callback",
  "name": "OIDC",
  "id": 1,
  "clientId": "41ff9715-bd3e-473c-9888-e2d5a1364c2a",
  "clientSecret": "SECRET",
  "bypassApprovalPrompt": true,
  "generateRefreshToken": true,
  "evaluationOrder": 10000
}

--- 

This is my test application config (Node.js app) : 
{
  "domain": "cas.lyvoc.com/cas/oidc",
  "clientId": "41ff9715-bd3e-473c-9888-e2d5a1364c2a"
}

This application was used with other IdPs, so the problem won't come from it. When hitting login on it, this is the /authorize URL I'm getting redirected to:

The issue is that I'm getting redirected to a CAS page, but saying "Authorization Denied". I'm not getting redirected to the authentication page or anything like that : 

I'm not finding anything on the net for this.

Thanks for any help !

Jérémie

Jul 3, 2023, 3:24:06 PM7/3/23
to CAS Community, Jérémie
Any help on this matter ? 

Can't see what's wrong here.

Ray Bon

Jul 4, 2023, 2:36:08 PM7/4/23
to cas-...@apereo.org
Jérémie,

What do the cas logs say about the authentication event (may need debug level)?

The authorize URL comes after the authentication step. Are you logged in, in that browser?

Ray


Jérémie

Jul 10, 2023, 3:05:04 AM7/10/23
to CAS Community, Ray Bon
Hi,

I'm simply getting : 
2023-07-10 06:31:50,609 INFO [org.apereo.cas.web.CasWebApplicationReady] - <Ready to process requests @ [2023-07-10T06:31:50.562Z]>
2023-07-10 06:32:21,021 INFO [org.apereo.cas.ticket.registry.DefaultTicketRegistryCleaner] - <[0] expired tickets removed.>
2023-07-10 06:33:48,750 WARN [org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - <Unauthorized Service Access. Service [41ff9715-bd3e-473c-9888-e2d5a1364c2a] is not registered in service registry.>

And no, I'm not logged in; I'm reaching this page directly, and I always do these tests in a private browser session.

Ray Bon

Jul 10, 2023, 1:51:00 PM7/10/23
to cas-...@apereo.org, crazybr...@gmail.com
Jérémie,

The redirect_uri in the URL sent to cas must match the serviceId in your service file. serviceId can be a regex. The client_id matches clientId (this is more obvious).
There may be other parameters that are sent to cas by your application that are not identified in the service file. These other parameters may or may not be a factor (I am still learning OIDC).

In short, 'Unauthorized Service Access ...', means that there is a mismatch between the service requested in the browser and the service file.

Ray

Jérémie

Jul 11, 2023, 9:44:08 AM7/11/23
to CAS Community, Ray Bon, Jérémie
Indeed, redirect_uri wasn't consistent between the configs, but after updating it nothing has changed.

This is my service file now : 
{
  "@class": "org.apereo.cas.services.OidcRegisteredService",
  "serviceId": "http://localhost:3000",

  "name": "OIDC",
  "id": 1,
  "clientId": "41ff9715-bd3e-473c-9888-e2d5a1364c2a",
  "clientSecret": "da31dc03-443c-4391-963b-86be2d9a4d45",

  "bypassApprovalPrompt": true,
  "generateRefreshToken": true,
  "evaluationOrder": 10000
}

And the URL called : https://{URL}/cas/oidc/authorize?client_id=41ff9715-bd3e-473c-9888-e2d5a1364c2a&scope=openid profile email read:all&response_type=code&response_mode=query&state=T0xJV2hyOXFQdVY5anNsX1VsUURrMEVIRlREQ3JGRF9vYzFvZVBXRUpFNw==&nonce=eUFOTnU4NFVBQ0lDQjRteGcxV3E5V1I0N05OT0dzT29ubEwxQ3I4SE1uWg==&redirect_uri=http://localhost:3000&code_challenge=TxDYuTGk_M6AUKwC79VwUCZGE8WejkIwYAtcTkisvRk&code_challenge_method=S256&auth0Client=eyJuYW1lIjoiYXV0aDAtc3BhLWpzIiwidmVyc2lvbiI6IjEuMTkuNCJ9

I'm not seeing anything in this data that could cause the mismatch.

And the error doesn't give much detail on the specific issue (maybe my loggers aren't good ?)

Jérémie

Jul 11, 2023, 11:59:23 AM7/11/23
to CAS Community, Jérémie, Ray Bon, Jérémie
I've found the issue, it was coming from the service file not loaded by cas. I've added the following line to my cas.properties : 
cas.service-registry.json.location=file:/C:/Program Files/Tomcat 9.0/etc/cas/config

But now I'm having a new error : 
2023-07-11 14:20:47,712 ERROR [org.springframework.boot.web.servlet.support.ErrorPageFilter] - <Forwarding to error page from request [/oidc/authorize] due to exception [Unable to locate authentication profile]>

And from what I've found on Google, some had this error but I didn't see any solution for it.

This is my last try; after that I'll turn everything off and go for a better documented product, unfortunately.

Ray Bon

Jul 11, 2023, 1:22:57 PM7/11/23
to cas-...@apereo.org, crazybr...@gmail.com
The issue could be with what the request is asking for (such as scope, etc.) and the service not being configured to release them. 

My test client (created with cas management application):

{
  "@class": "org.apereo.cas.services.OidcRegisteredService",
  "name": "fresh oidc on dev",
  "id": 160605843,
  "expirationPolicy": null,
  "singleSignOnParticipationPolicy": {
    "@class": "org.apereo.cas.services.ChainingRegisteredServiceSingleSignOnParticipationPolicy"
  },
  "evaluationOrder": 163,
  "environments": null,
  "multifactorPolicy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenticationProviders": null,
    "bypassEnabled": true
  },
  "clientSecret": "6b5KjVIX6tiiyxnmqKrSnPz1tEADCjlKUfyo",
  "clientId": "tZzif5NfwfBS9enpN0nqXceBSdcYgxw3fw3w",
  "supportedResponseTypes": ["java.util.HashSet", ["code"]],
  "signIdToken": false,
  "subjectType": "PUBLIC",
  "scopes": ["java.util.HashSet", ["eduPersonScope", "openid", "email", "profile"]]
}

and the request:


Try this logger:

<AsyncLogger name="org.apereo.cas.oidc" level="debug" />

So far I have done a lot of guess work to get OIDC to work and I am not sure why things happen the way they do. It is a complex protocol.

What version of cas are you using (I have 6.5.8)?

Ray
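Ray's two explanations in this thread (redirect_uri must match the serviceId regex and client_id must match clientId; and a request asking for scopes the service is not configured to release fails) can be checked offline against a service file before touching the server. This is an added example, not CAS's own code: it assumes CAS matches serviceId as a full regex, uses a constructed two-entry registry in the thread's JSON format, and puts a placeholder host (cas.example) in the thread's /authorize URL.

```python
import json
import re
from urllib.parse import parse_qs, urlparse

# Constructed registry in the JSON format shown in the thread (two hypothetical
# OidcRegisteredService entries; the first reuses the thread's clientId and serviceId).
SERVICES_JSON = r"""[
  {"@class": "org.apereo.cas.services.OidcRegisteredService",
   "serviceId": "http://localhost:3000", "name": "OIDC", "id": 1,
   "clientId": "41ff9715-bd3e-473c-9888-e2d5a1364c2a",
   "scopes": ["java.util.HashSet", ["openid", "profile", "email"]]},
  {"@class": "org.apereo.cas.services.OidcRegisteredService",
   "serviceId": "^https://app\\.example\\.org/callback$", "name": "anchored", "id": 2,
   "clientId": "example-client", "scopes": ["java.util.HashSet", ["openid"]]}
]"""

def load_services(raw: str) -> list:
    """Parse a CAS JSON service registry."""
    return json.loads(raw)

def registered_scopes(service: dict) -> set:
    # CAS serialises sets as ["java.util.HashSet", [...]]; the inner list holds the values.
    return set(service.get("scopes", ["java.util.HashSet", []])[1])

def check_authorize(services: list, url: str) -> tuple:
    """Apply the three checks discussed in the thread to one /authorize URL:
    client_id -> clientId, redirect_uri -> serviceId (as a full regex), scope -> scopes."""
    q = parse_qs(urlparse(url).query)
    client_id = q.get("client_id", [None])[0]
    redirect_uri = q.get("redirect_uri", [None])[0]
    requested = set(q.get("scope", [""])[0].split())
    svc = next((s for s in services if s.get("clientId") == client_id), None)
    if svc is None:
        # The condition CAS logged as "Unauthorized Service Access ... is not registered"
        return ("unregistered", client_id)
    # Full match (assumed CAS default): a URL that merely starts with the registered
    # value, or differs by a path such as /callback, is rejected.
    if redirect_uri is None or re.fullmatch(svc["serviceId"], redirect_uri) is None:
        return ("redirect_uri_mismatch", redirect_uri)
    missing = requested - registered_scopes(svc)
    if missing:
        return ("scope_not_registered", sorted(missing))
    return ("ok", svc["name"])

# The thread's /authorize URL trimmed to the parameters checked here; host is a placeholder.
THREAD_URL = ("https://cas.example/cas/oidc/authorize?client_id=41ff9715-bd3e-473c-9888-e2d5a1364c2a"
              "&scope=openid profile email read:all&response_type=code&redirect_uri=http://localhost:3000")
```

Run against the thread's URL, the registry above reports the unregistered read:all scope; change the redirect_uri to the earlier /callback form and it reports the mismatch instead.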