https://github.com/apereo/cas/commit/39c112c80c0021c012978dbdad095a1539605964
https://github.com/apereo/cas/pull/3193
This commit apparently broke the OIDC accesstoken API for stateless REST-based authentication.
{
"access_token": "AT-1-lRVr5VLQOKabdhaWiLyLyhO0afHP3kBY",
"token_type": "bearer",
"expires_in": 28800,
"refresh_token": "RT-1-llRC4qJb0UWpmXOIiYnuTemhFdNO2wfP"
}
The response is missing ID_TOKEN. The server has the below error:
2019-04-08 12:44:36,024 ERROR [org.apache.catalina.core.ContainerBase.[Tomcat].[localhost].[/qas].[dispatcherServlet]] - <Servlet.service() for servlet [dispatcherServlet] in context with path [/qas] threw exception [Request processing failed; nested exception is java.lang.IllegalStateException: Cannot find service ticket issued to https://cas.example.org:8443/cas/oauth2.0/callbackAuthorize.* as part of the authentication context] with root cause>
java.lang.IllegalStateException: Cannot find service ticket issued to https://cas.example.org:8443/cas/oauth2.0/callbackAuthorize.* as part of the authentication context
at com.google.common.base.Preconditions.checkState(Preconditions.java:504) ~[guava-25.0-jre.jar!/:?]
at org.apereo.cas.oidc.token.OidcIdTokenGeneratorService.getOAuthServiceTicket(OidcIdTokenGeneratorService.java:178) ~[cas-server-support-oidc-5.3.9.jar!/:5.3.9]
Apparently it is being assumed that there would always be a service ticket or proxy ticket. Though I agree it is a reasonable ask to support single logout, I believe we should not fail this if only an access token, i.e. a TGT, is generated for a given call with no service ticket / proxy ticket called against it.
Any clue or workaround for this issue?