Unsuccessful in configuring CAS 5.1.3 as a OAuth server ("/callbackAuthorize" redirects to "/" instead of client app)

[Zhang Yu]

env:

Java 8, CAS 5.1.3, Tomcat 8.5 (standalone), IntelliJ, macOS Sierra.

pom.xml:

<properties>

    <cas.version>5.1.3</cas.version>

</properties>

<dependencies>

    <dependency>

        <groupId>org.apereo.cas</groupId>

        <artifactId>cas-server-webapp</artifactId>

        <version>${cas.version}</version>

        <type>war</type>

        <scope>runtime</scope>

    </dependency>

    <dependency>

        <groupId>org.apereo.cas</groupId>

        <artifactId>cas-server-support-jdbc</artifactId>

        <version>${cas.version}</version>

    </dependency>

    <dependency>

        <groupId>org.apereo.cas</groupId>

        <artifactId>cas-server-support-json-service-registry</artifactId>

        <version>${cas.version}</version>

    </dependency>

    <dependency>

        <groupId>org.apereo.cas</groupId>

        <artifactId>cas-server-webapp-config-security</artifactId>

        <version>${cas.version}</version>

    </dependency>

    <dependency>

        <groupId>org.apereo.cas</groupId>

        <artifactId>cas-server-support-oauth-webflow</artifactId>

        <version>${cas.version}</version>

    </dependency>

    <dependency>

        <groupId>com.oracle</groupId>

        <artifactId>ojdbc8</artifactId>

        <version>12.2.0.1</version>

    </dependency>

</dependencies>

CAS runs fine at http://127.0.0.1:8080.

Registered a JSON service with CAS to act as a demo OAuth client:

{

  "@class": "org.apereo.cas.support.oauth.services.OAuthRegisteredService",

  "serviceId": "http://(127.0.0.1|localhost):8081/login/oauth2/cas",

  "clientId": "clientid",

  "clientSecret": "clientSecret",

  "name": "OAuth20ClientDemo",

  "id": 1002,

  "description": "",

  "evaluationOrder": 0,

  "attributeReleasePolicy": {

    "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"

  }

}

When CAS starts, it automatically generate another JSON service (which seems a bit weird, however I cannot tell whether it is normal or not):

{

  @class: org.apereo.cas.services.RegexRegisteredService

  serviceId: http://localhost:8080/oauth2.0/callbackAuthorize.*

  name: RegexRegisteredService

  id: 103356745490349536

  description: OAuth Authentication Callback Request URL

  proxyPolicy:

  {

    @class: org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy

  }

  evaluationOrder: 0

  usernameAttributeProvider:

  {

    @class: org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider

    canonicalizationMode: NONE

    encryptUsername: false

  }

  attributeReleasePolicy:

  {

    @class: org.apereo.cas.services.DenyAllAttributeReleasePolicy

    principalAttributesRepository:

    {

      @class: org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository

      expiration: 2

      timeUnit: HOURS

    }

    authorizedToReleaseCredentialPassword: false

    authorizedToReleaseProxyGrantingTicket: false

    excludeDefaultAttributes: true

  }

  multifactorPolicy:

  {

    @class: org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy

    failureMode: CLOSED

    bypassEnabled: false

  }

  accessStrategy:

  {

    @class: org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy

    enabled: true

    ssoEnabled: true

    requireAllAttributes: true

    caseInsensitive: false

  }

}

The demo client runs as another standalone Tomcat app at http://127.0.0.1:8081.

Now comes the testing process.

The first steps of the process look good:

http://localhost:8081/login/oauth2/cas

302 ->

http://127.0.0.1:8080/oauth2.0/authorize?client_id=clientid&redirect_uri=http://localhost:8081/login/oauth2/cas&response_type=code&state=2YqY0c

302 ->

http://localhost:8080/login?service=http%3A%2F%2Flocalhost%3A8080%2Foauth2.0%2FcallbackAuthorize%3Fclient_name%3DCasOAuthClient%26client_id%3Dclientid%26redirect_uri%3Dhttp%3A%2F%2Flocalhost%3A8081%2Flogin%2Foauth2%2Fcas

After inputing correct username/password in the form and press LOGIN, A POST is submitted to:

http://localhost:8080/login?service=http%3A%2F%2Flocalhost%3A8080%2Foauth2.0%2FcallbackAuthorize%3Fclient_name%3DCasOAuthClient%26client_id%3Dclientid%26redirect_uri%3Dhttp%3A%2F%2Flocalhost%3A8081%2Flogin%2Foauth2%2Fcas

The response is a 302 to the following url:

http://localhost:8080/oauth2.0/callbackAuthorize?client_name=CasOAuthClient&client_id=clientid&redirect_uri=http://localhost:8081/login/oauth2/cas&ticket=ST-6-T71F2TDPjCsPF9d3Shby-localhost

Here comes the problem: The response of the above url (/callbackAuthorize) is a 302 redirection to '/' (root path of CAS), which then redirects to the login page (/login).

I think the expected behavior of /callbackAuthorize should be a redirection back to the client app at http://localhost:8081/login/oauth2/cas with the OAuth token issued.

Did I get anything wrong or miss any configurations?

Thanks.

[Fei Wang]

I met the exactly same problem . Have you resolve it ? 

[Sandor Juhasz]

Happening to us with 5.1.6, using openid connect webflow. Same symptoms, only thing making it 

interesting is that it does not happen every time.

See threads:

https://groups.google.com/a/apereo.org/forum/#!topic/cas-user/TDh7Zz7g5TY

 

--

Sándor Juhász

System Administrator
ChemAxon Ltd.

Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031

Cell: +36704258964

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/9a4b7b3e-5746-4cef-8ae4-e3e602f3be32%40apereo.org.

[Tommy]

When I use HTTPS , the issue gone.  What's the trick here?

To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/9a4b7b3e-5746-4cef-8ae4-e3e602f3be32%40apereo.org.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAD65aPVF7HBWC%2BrF9gBUmZz2VMLsp7O1y_LqL_8%2BhPvthShFbQ%40mail.gmail.com.

[Sandor Juhasz]

We are on https. For a while it works and at some point - somehow related to existing/expired session it goes to location /.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAD65aPVF7HBWC%2BrF9gBUmZz2VMLsp7O1y_LqL_8%2BhPvthShFbQ%40mail.gmail.com.

[Sandor Juhasz]

Question on code.

What can result CAS redirecting to /?

Can anybody point to the class which is responsible for this behavior.

[Sergey Yezhkov]

Hi, I have the same problem

Did anyone found the root of the problem?

[Andy Ng]

Hi Sergey,

I recalled 5.3.0-RCX have made some improvement (remake some of the redirection logic) to fix the above problem, maybe you tried the newest 5.3.0-RC4 and see if the problem still exists. 

Cheers!

- Andy

[Abylay]

We had the same problem.
And it was fixed by applying the changes from the following pull request: https://github.com/apereo/cas/pull/3292

[Daniel Maugeri]

I've just upgraded to 5.3.0-RC4 and I'm experiencing the same issue. The callbackAuthorize controller is redirecting me back to the login page after I've logged in. Did anyone find a fix for this?

[Daniel Maugeri]

Our issue was because we were missing the properties mentioned in this thread:

https://groups.google.com/a/apereo.org/forum/#!topic/cas-user/I_aqJy2apPI

[Diego Henrique Pagani]

Hi guys,

I'm facing the same issue with 6.0.0 and 6.0.1. I'm not using https and using custom context-path (setting the server.servlet.context-path param)

Does anyone have found  the solution ?

[Andy Ng]

Cas server is design to only work with https, please change to use https even if you are testing only -Andy

[Anuja Paradkar]

Facing same issue with 5.3.1, but on random occasion. Wondering were you able to resolve this.

[Anuja Paradkar]

Log file shows it creates and validates same ticket twice, no doubt during second validation it wont find entry for that service. Funny thing it does not throw exception but just uses default redirect path which is "/" in CAS source code.

[[32m2019-04-02 19:58:09,776 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN

=============================================================

WHO: x...@gmail.com

WHAT: ST-83-gVx1tobXZNRrHco67XXqw73OFnshrb-service-cas-86f7c5ff89-5vt28 for https://service-cas/cas/oauth2.0/callbackAuthorize?client_id=APPID1&redirect_uri=https%3A%2F%2Fservi...

ACTION: SERVICE_TICKET_CREATED

APPLICATION: CAS

WHEN: Tue Apr 02 19:58:09 GMT 2019

CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1

SERVER IP ADDRESS: 0:0:0:0:0:0:0:1

=============================================================

>^[[m

^[[32m2019-04-02 19:58:09,776 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN

=============================================================

WHO: x...@gmail.com

WHAT: ST-83-gVx1tobXZNRrHco67XXqw73OFnshrb-service-cas-86f7c5ff89-5vt28 for https://service-cas/cas/oauth2.0/callbackAuthorize?client_id=APPID1&redirect_uri=https%3A%2F%2Fservi...

ACTION: SERVICE_TICKET_CREATED

APPLICATION: CAS

WHEN: Tue Apr 02 19:58:09 GMT 2019

CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1

SERVER IP ADDRESS: 0:0:0:0:0:0:0:1

=============================================================

>^[[m

^[[32m2019-04-02 19:58:10,086 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN

=============================================================

WHO: audit:unknown

WHAT: [result=Service Access Granted,service=https://my-client-app...,principal=SimplePrincipal(id=x...@gmail.com, attributes={userAccountId=4670, last_name=Mitchell, source=VA, userRole=

ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED

APPLICATION: CAS

WHEN: Tue Apr 02 19:58:10 GMT 2019

CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1

SERVER IP ADDRESS: 0:0:0:0:0:0:0:1

=============================================================

>^[[m

^[[32m2019-04-02 19:58:10,086 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN

=============================================================

WHO: audit:unknown

WHAT: [result=Service Access Granted,service=https://my-client-app...,principal=SimplePrincipal(id=x...@gmail.com, attributes={userAccountId=4670, last_name=Mitchell, source=VA, userRole=

ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED

APPLICATION: CAS

WHEN: Tue Apr 02 19:58:10 GMT 2019

CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1

SERVER IP ADDRESS: 0:0:0:0:0:0:0:1

=============================================================

>^[[m

^[[32m2019-04-02 19:58:10,090 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN

=============================================================

WHO: x...@gmail.com

WHAT: ST-83-gVx1tobXZNRrHco67XXqw73OFnshrb-service-cas-86f7c5ff89-5vt28

ACTION: SERVICE_TICKET_VALIDATED

APPLICATION: CAS

WHEN: Tue Apr 02 19:58:10 GMT 2019

CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1

SERVER IP ADDRESS: 0:0:0:0:0:0:0:1

=============================================================

>^[[m

^[[32m2019-04-02 19:58:10,090 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN

=============================================================

WHO: x...@gmail.com

WHAT: ST-83-gVx1tobXZNRrHco67XXqw73OFnshrb-service-cas-86f7c5ff89-5vt28

ACTION: SERVICE_TICKET_VALIDATED

APPLICATION: CAS

WHEN: Tue Apr 02 19:58:10 GMT 2019

CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1

SERVER IP ADDRESS: 0:0:0:0:0:0:0:1

=============================================================

[Ray Bon]

Anuja,

What you are seeing are duplicate log entries (time stamps match).

Check 'additivity' in log4j2.xml to make sure only one message is logged.

Ray

[Anuja Paradkar]

Thanks for the mail. Sure will check that. 

I will appreciate if you can help me finding what might be happening in step number 4 below. This is forceful scenario to reproduce the problem (please note in prod this is random and scenario might be different): 

1) Let your application take you to login page.

URL looks something like: https://my-cas-service/cas/login?service=...

2) Copy entire url with query parameters.

3) Login to  your application.

4) Open the new tab, and try to place copied url in browser. And this time you are redirected to "/" domain.

This is forced scenario but I am trying to understand what might be happening in 4th step.  It does log the message that "ticket is validated" but do not get redirected correct. No exception, no error. 

There is default url mapped in code is "/",

From DefaultCallbackLogic.java

if (inputDefaultUrl == null) {
    defaultUrl = "/";
}

I will try to debug more but since it is critical, escalating to CAS for speedy help.