[OIDC] AccessToken endpoint


kaphael

Jan 30, 2017, 11:06:52 AM
to CAS Community
Hi,

I'm trying to use CAS version 5.0.0 as an OpenID Connect server (on localhost and over HTTP for the moment).
Code generation is OK, but I get the following error when I try to validate the obtained code via the /cas/oidc/access_token endpoint:
{"timestamp":1485791198745,"status":401,"error":"Unauthorized","message":"No message available","path":"/cas/oidc/accessToken"}

The logs don't say anything about the error:
2017-01-30 16:46:38,726 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - <=== SECURITY ===>
2017-01-30 16:46:38,726 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - <url: http://cas.idp.test.fr:8080/cas/oidc/accessToken>
2017-01-30 16:46:38,726 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - <matchers: null>
2017-01-30 16:46:38,726 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - <clients: clientBasicAuth,clientForm,userForm>
2017-01-30 16:46:38,726 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - <currentClients: [#DirectBasicAuthClient# | name: clientBasicAuth | credentialsExtractor: null | authenticator: org.apereo.cas.support.oauth.authenticator.OAuthClientAuthenticator@2d309cd1 | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@1be1a488 |, #DirectFormClient# | name: clientForm | usernameParameter: client_id | passwordParameter: client_secret | extractor: null | authenticator: org.apereo.cas.support.oauth.authenticator.OAuthClientAuthenticator@2d309cd1 | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@1be1a488 |, #DirectFormClient# | name: userForm | usernameParameter: username | passwordParameter: password | extractor: null | authenticator: org.apereo.cas.support.oauth.authenticator.OAuthUserAuthenticator@780f6639 | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@1be1a488 |]>
2017-01-30 16:46:38,728 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - <loadProfilesFromSession: false>
2017-01-30 16:46:38,728 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - <profiles: []>
2017-01-30 16:46:38,728 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - <Performing authentication for direct client: #DirectBasicAuthClient# | name: clientBasicAuth | credentialsExtractor: null | authenticator: org.apereo.cas.support.oauth.authenticator.OAuthClientAuthenticator@2d309cd1 | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@1be1a488 |>
2017-01-30 16:46:38,732 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - <credentials: null>
2017-01-30 16:46:38,732 DEBUG [org.pac4j.http.client.direct.DirectBasicAuthClient] - <credentials : null>
2017-01-30 16:46:38,732 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - <profile: null>
2017-01-30 16:46:38,732 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - <Performing authentication for direct client: #DirectFormClient# | name: clientForm | usernameParameter: client_id | passwordParameter: client_secret | extractor: null | authenticator: org.apereo.cas.support.oauth.authenticator.OAuthClientAuthenticator@2d309cd1 | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@1be1a488 |>
2017-01-30 16:46:38,734 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - <credentials: null>
2017-01-30 16:46:38,734 DEBUG [org.pac4j.http.client.direct.DirectFormClient] - <credentials : null>
2017-01-30 16:46:38,734 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - <profile: null>
2017-01-30 16:46:38,734 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - <Performing authentication for direct client: #DirectFormClient# | name: userForm | usernameParameter: username | passwordParameter: password | extractor: org.pac4j.core.credentials.extractor.FormExtractor@62f3a13a | authenticator: org.apereo.cas.support.oauth.authenticator.OAuthUserAuthenticator@780f6639 | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@1be1a488 |>
2017-01-30 16:46:38,734 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - <credentials: null>
2017-01-30 16:46:38,734 DEBUG [org.pac4j.http.client.direct.DirectFormClient] - <credentials : null>
2017-01-30 16:46:38,734 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - <profile: null>
2017-01-30 16:46:38,734 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - <unauthorized>

Has anybody already encountered this behaviour?
I have attached my pom.xml and cas.properties; maybe I missed something.

Thanks!
Regards,
pom.xml
cas.properties

kaphaelm

Feb 3, 2017, 5:14:33 AM
to CAS Community
Hi,

My bad, I didn't provide the Authorization header...
OIDC works fine now with Shiro authentication.

But when I use trusted authentication with the OIDC protocol, I get an error from the /authorize endpoint.
The error occurs after the authentication (I have an "AUTHENTICATION_SUCCESS" in the logs).

Here is the stack trace (full logs are attached):
2017-01-11 18:10:50,279 DEBUG [org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver] - <Evaluating authentication policy via OidcAuthenticationContextWebflowEventResolver for registered service http://cas.idp.test.fr:8080/cas/oauth2.0/callbackAuthorize.* and service http://cas.idp.test.fr:8080/cas/oauth2.0/callbackAuthorize?client_name=CasOAuthClient&client_id=client&redirect_uri=https://the-redirect-uri>
2017-01-11 18:10:50,279 DEBUG [org.apereo.cas.web.support.WebUtils] - <No warning cookie generator is defined>
2017-01-11 18:10:50,280 WARN [org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver] - <null>
java.lang.NullPointerException
at java.net.URI$Parser.parse(URI.java:3042) ~[?:1.8.0_11]
at java.net.URI.<init>(URI.java:588) ~[?:1.8.0_11]
at org.jasig.cas.client.util.URIBuilder.<init>(URIBuilder.java:83) ~[cas-client-core-3.4.1.jar:3.4.1]
at org.apereo.cas.web.flow.OidcAuthenticationContextWebflowEventResolver.resolveInternal(OidcAuthenticationContextWebflowEventResolver.java:41) ~[cas-server-support-oidc-5.0.0.jar:5.0.0]
at org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver.resolve(AbstractCasWebflowEventResolver.java:425) ~[cas-server-core-webflow-5.0.0.jar:5.0.0]

If I skip the tests done in OidcAuthenticationContextWebflowEventResolver.java (in debug mode), the authentication process works well.
With Shiro authentication, context.getFlowExecutionUrl() in OidcAuthenticationContextWebflowEventResolver.java returns an existing URL (/cas/login?service=...).

Is there a configuration to set in order to use the OpenID Connect protocol and trusted authentication?

Thanks!
Regards.
oidcTrusted.txt
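Added example, not code from the thread or from CAS itself: a small Python model of the pac4j direct-client chain that the first post's log shows guarding /cas/oidc/accessToken (clientBasicAuth, clientForm, userForm), which makes it visible why a token request with no client credentials ends in the 401 above, plus a builder for the authorization-code exchange carrying the HTTP Basic header the second post was missing. The token URL is the one from the log; the client id, secret, code and redirect URI are constructed values.

```python
"""Model of the pac4j direct-client chain in front of the CAS 5.0.0
/cas/oidc/accessToken endpoint, as listed in the log above:
clientBasicAuth -> clientForm (client_id/client_secret) -> userForm (username/password).
Standard library only; nothing is sent over the network."""
import base64
from urllib.parse import urlencode

TOKEN_URL = "http://cas.idp.test.fr:8080/cas/oidc/accessToken"  # URL from the log


def extract_credentials(headers, form):
    """Mimic DefaultSecurityLogic: try each direct client in order and return the
    name of the first one that finds credentials, or None (which becomes HTTP 401)."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):                     # DirectBasicAuthClient
        try:
            user, _, pwd = base64.b64decode(auth[6:]).decode().partition(":")
            if user and pwd:
                return "clientBasicAuth"
        except ValueError:                            # malformed base64/UTF-8
            pass
    if form.get("client_id") and form.get("client_secret"):
        return "clientForm"                           # DirectFormClient (client creds)
    if form.get("username") and form.get("password"):
        return "userForm"                             # DirectFormClient (user creds)
    return None                                       # <credentials: null> ... <unauthorized>


def build_token_request(client_id, client_secret, code, redirect_uri):
    """Authorization-code exchange with HTTP Basic client authentication.
    Returns (headers, form) ready for a POST to TOKEN_URL."""
    token = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {token}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    return headers, form


def encode_body(form):
    """Form-encode the body exactly as a browser or curl --data would."""
    return urlencode(form).encode()


if __name__ == "__main__":
    # Constructed values: the request the first post sent had no client credentials.
    print(extract_credentials({}, {"grant_type": "authorization_code", "code": "OC-1"}))
    hdrs, body = build_token_request("client", "s3cret", "OC-1", "https://the-redirect-uri")
    print(extract_credentials(hdrs, body), encode_body(body))
```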

Misagh Moayyed

Feb 3, 2017, 5:17:22 AM
to cas-...@apereo.org

https://github.com/apereo/cas/issues/2347

Friday, 03 February 2017, 11:14AM +01:00 from kaphaelm kaph...@gmail.com:
