Problem integrating CAS 5.2.0 with ORCID and FACEBOOK.


Neha Gupta

Jan 12, 2018, 4:57:30 AM
to cas-...@apereo.org

Dear CAS people,

Good morning!

I am trying to delegate CAS authentication to Orcid and Facebook and as such created war file after updating "pom.xml" and "cas.properties" as follows: -

pom.xml

<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-pac4j-webflow</artifactId>
    <version>5.2.0</version>
</dependency>

cas.properties

 cas.authn.pac4j.orcid.id=APP-SJC454EGGODD1JDH
 cas.authn.pac4j.orcid.secret=7657a3f8-0663-488b-8b82-e1b3c2ecb8d9
 cas.authn.pac4j.orcid.clientName=orcid

and similarly given for Facebook as well, but when I am trying to do so I am getting an error with both Orcid and Facebook.

Problem with ORCID: -

"There has been a problem with the server". If problem persists please contact ORCID support.  URL which CAS is hitting is "https://orcid.org/signin?oauth&null#show_login" which seems little weird to me. I already contacted Orcid support group but according to them there is no problem at their end and asked me to look into the URL.

Problem with Facebook: -

"Sorry something went wrong". URL which CAS is hitting is "https://www.facebook.com/v2.8/dialog/oauth?response_type=code&client_id=476366362744200&redirect_uri=https%3A%2F%2Fdesktop-d8r3ca4%3A8443%2Fcas%2Flogin%3Fclient_name%3DFacebook&scope=email%2Cuser_likes%2Cuser_about_me%2Cuser_birthday%2Cuser_education_history%2Cuser_hometown%2Cuser_relationship_details%2Cuser_location%2Cuser_religion_politics%2Cuser_relationships%2Cuser_work_history%2Cuser_website%2Cuser_photos%2Cuser_events%2Cuser_actions.music%2Cbadscope&state=2fb5c80427"


I request you to please look into the matter and  let me know in case some configuration is missing.

Wish you a nice weekend.


Thanks and Regards

Neha Gupta

Jérôme LELEU

Jan 12, 2018, 9:03:22 AM
to CAS Community
Hi,

Please don't output your id and secret in your emails!

- Orcid:

I think there is an URL called before the one given in the error message, it should be something like http://www.orcid.org/oauth/authorize/xxx (https://github.com/pac4j/pac4j/blob/master/pac4j-oauth/src/main/java/org/pac4j/scribe/builder/api/OrcidApi20.java#L20)

Can you post it here?

- Facebook:

Are you sure you defined the callback URL: https://desktop-d8r3ca4:8443/cas/login?client_name=Facebook in your Facebook app console?

Thanks.
Best regards,
Jérôme



--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAF2xoWpeD5M7iiRLyy7Bqhgx_dzvyo45L%3DVsUTxMiFDXg4W6Ag%40mail.gmail.com.

Neha Gupta

Jan 15, 2018, 8:43:04 AM
to CAS Community
Hello Jérôme,

Below is the update

ORCID: -


After seeing the Network calls it seems that 301 and 302 status code are being thrown in response of the above URL.

FACEBOOK:- 
In the Facebook app console I don't see any place for a callback URL. Only the fields shown in the attached snapshot are available.


Thanks a lot for your support.


Regards
Neha Gupta


FacebookFields.png

Jérôme LELEU

Jan 16, 2018, 4:55:11 AM
to CAS Community
Hi,

1) Orcid

The URL looks good: I would try another value for the scope. Have you taken a look at the documentation?

2) Facebook

I opened the Facebook console, and I see a "Facebook login" item in the left menu with a "Parameters" submenu, in which you have several flags to enable, especially "web OAuth connection": is this checked? There is also a "redirection URL" input field you may need to fill, depending on the version of your FB app. 

Thanks.
Best regards,
Jérôme



Neha Gupta

Jan 22, 2018, 9:19:48 AM
to CAS Community
Hello Jérôme,

I posted the reply last week but seems it lost somewhere. So posting it again: -

ORCID: -
Problem seems to be with scope. Please see the URL where new scopes are described and also had a talk with ORCID support and according to them the scope /orcid-profile belongs to an older version of API. Current 2.1 API only supports scopes mentioned in the link.


FACEBOOK: -
After defining correctly the "App Domain" and "Site URL" delegation to facebook started working.


Thanks a lot for your support.

Regards
Neha Gupta

Jérôme LELEU

Jan 23, 2018, 5:28:13 AM
to CAS Community
Hi,

In pac4j, you can set the scope of the Orcid client. It doesn't seem possible within the CAS server: https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#orcid

That said, this is easy to change: don't hesitate to submit a PR for that in the CAS project.


Thanks.
Best regards,
Jérôme



Neha Gupta

Jan 30, 2018, 7:36:42 AM
to cas-...@apereo.org
Hello  Jérôme,

Thanks a lot for update. I tried making changes in the file you suggested but always not able to access CAS login page after that as CAS is throwing some error. Traces(CASTraces.txt) attached.
Request you to please help me on this.

Also when I tried to package the complete pac4j package I am getting an error in JWT. Traces attached (Pac4jTraces.txt) for the same.


Also i had a talk with ORCID support team and here is the extract from mail regarding the version: -

By March 1st, all calls made to the Public API (using the pub.orcid.org domain) must use version 2.0 or 2.1; calls made using version 1.2 will return an error.

If you are still using version 1.2 you need to be planning your upgrade to version 2.0. On this page you can find the necessary changes to implement: https://members.orcid.org/api/news/xsd-20-update


I don't know which version of ORCID API CAS is using so just thought of sharing this information with you.


Thanks and Regards
Neha Gupta

CASTrace.txt
Pac4jTrace.txt

Jérôme LELEU

Jan 31, 2018, 5:13:50 AM
to CAS Community
Hi,

OK. So let's take problems in order:

- regarding the AbstractMethodError error, it certainly comes from the fact that you don't have the same version of pac4j-core and the other pac4j-* modules (check that with a "mvn dependency:tree" or "gradlew dependencies"). It should be 2.2.1 for all modules to use the latest version.

- regarding the Illegal key size error, either it comes from the key size you use or from the fact you haven't installed the unlimited strength policy for your JDK.

We don't use the v2 API as I don't see any v2.0 text in the URL we use. I remember taking a look at this integration, but it wasn't really easy to test it. It might be easier with the version 2.

Your contribution will be welcome.

Thanks.
Best regards,
Jérôme


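The version-alignment check suggested in the reply above can be automated over the text printed by "mvn dependency:tree". This Python code is an added example, not part of the original posts or of CAS/pac4j; the function names and the sample tree (including the 2.1.0 version) are constructed, and the standard Maven coordinate layout is assumed.

```python
import re
from collections import defaultdict

def pac4j_versions(tree_output):
    """Map each org.pac4j artifact to the set of versions seen in the tree."""
    versions = defaultdict(set)
    for line in tree_output.splitlines():
        match = re.search(r"org\.pac4j:\S+", line)
        if not match:
            continue
        # Coordinates print as groupId:artifactId:type[:classifier]:version:scope.
        fields = match.group(0).split(":")
        if len(fields) >= 5:
            versions[fields[1]].add(fields[-2])
    return dict(versions)

def misaligned_modules(tree_output, core="pac4j-core"):
    """Return the pac4j modules whose version set differs from pac4j-core's."""
    versions = pac4j_versions(tree_output)
    if core not in versions:
        raise ValueError(f"{core} not found in dependency tree")
    return {name: sorted(found) for name, found in versions.items()
            if name != core and found != versions[core]}

# Constructed sample of dependency:tree output (not taken from the thread).
SAMPLE_TREE = r"""
[INFO] org.example:cas-overlay:war:1.0
[INFO] +- org.apereo.cas:cas-server-support-pac4j-webflow:jar:5.2.0:compile
[INFO] |  +- org.pac4j:pac4j-core:jar:2.1.0:compile
[INFO] |  +- org.pac4j:pac4j-oauth:jar:2.2.1:compile
[INFO] |  \- org.pac4j:pac4j-jwt:jar:2.1.0:compile
"""

if __name__ == "__main__":
    print(misaligned_modules(SAMPLE_TREE))
```
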

Neha Gupta

Feb 1, 2018, 10:04:02 AM
to cas-...@apereo.org
Hello Jérôme,

Thanks a lot for support.

So finally I was able to compile pac4j with the required changes but still not able to access ORCID login page. Still same problem is coming "There has been a problem with the server. If this problem persists please contact administrator"

After looking into the CAS traces I found out that the URL which CAS is building has "/" at the end of authorise and because of this ORCID login page is not getting displayed.

URL which CAS is building is below and is not accessible: -

http://www.orcid.org/oauth/authorize/?client_id=APP-UPW3FFH08YVI6YUJ&scope=%2Fauthenticate%2Fread-limited&response_type=code&redirect_uri=http%3A%2F%2Fidiv-dev1.inf-bb.uni-jena.de%3A8080%2Fcas%2Flogin%3Fclient_name%3Dorcid#show_login


The below URL after removing / is accessible: -

http://www.orcid.org/oauth/authorize?client_id=APP-UPW3FFH08YVI6YUJ&scope=%2Fauthenticate%2Fread-limited&response_type=code&redirect_uri=http%3A%2F%2Fidiv-dev1.inf-bb.uni-jena.de%3A8080%2Fcas%2Flogin%3Fclient_name%3Dorcid#show_login

Looking forward for your support on this.

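The symptoms reported in this thread (a trailing "/" on the authorize path, a bare "null" in the query, a scope the provider no longer accepts, an unregistered callback) can all be caught by inspecting the authorization request URL before it is sent. This Python code is an added example, not part of the original posts or of CAS/pac4j; the function name, hosts, client id, callback and allowed-scope set are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs
import re

REQUIRED = ("client_id", "response_type", "redirect_uri", "scope")

def lint_authorize_url(url, registered_redirects, allowed_scopes):
    """Return findings for an OAuth 2.0 authorization request URL."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        findings.append("authorize endpoint is not https")
    # The provider in the thread rejected /oauth/authorize/ but accepted /oauth/authorize.
    if parts.path.endswith("/"):
        findings.append("endpoint path ends with '/'")
    params = parse_qs(parts.query, keep_blank_values=True)
    # A bare 'null' token usually means a null value was concatenated into the URL.
    if "null" in params or any("null" in v for v in params.values()):
        findings.append("literal 'null' in query string")
    for name in REQUIRED:
        if len(params.get(name, [])) != 1 or not params[name][0]:
            findings.append(f"{name} missing, empty or repeated")
    redirect = params.get("redirect_uri", [""])[0]
    if redirect:
        if urlsplit(redirect).scheme != "https":
            findings.append("redirect_uri is not https")
        if redirect not in registered_redirects:
            findings.append("redirect_uri is not a registered callback")
    # OAuth 2.0 separates scopes with spaces; some providers use commas.
    for scope in re.split(r"[ ,]+", params.get("scope", [""])[0]):
        if scope and scope not in allowed_scopes:
            findings.append(f"scope {scope!r} not in the allowed set")
    return findings

# Constructed sample values: hosts, client id, callback and scope set are placeholders.
REGISTERED = {"https://cas.example.org/cas/login?client_name=orcid"}
ALLOWED = {"/authenticate"}
BAD = ("http://idp.example.org/oauth/authorize/?client_id=APP-EXAMPLE"
       "&scope=%2Forcid-profile&response_type=code&redirect_uri="
       "http%3A%2F%2Fcas.example.org%3A8080%2Fcas%2Flogin%3Fclient_name%3Dorcid")
GOOD = ("https://idp.example.org/oauth/authorize?client_id=APP-EXAMPLE"
        "&scope=%2Fauthenticate&response_type=code&redirect_uri="
        "https%3A%2F%2Fcas.example.org%2Fcas%2Flogin%3Fclient_name%3Dorcid")
NULL_QUERY = "https://idp.example.org/signin?oauth&null#show_login"

if __name__ == "__main__":
    for sample in (BAD, GOOD, NULL_QUERY):
        print(sample.split("?")[0], lint_authorize_url(sample, REGISTERED, ALLOWED))
```
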

Jérôme LELEU

Feb 2, 2018, 10:46:29 AM
to CAS Community
Hi,

Before fixing things in CAS, you should start to make it work in pac4j and run successfully a manual test like these ones: https://github.com/pac4j/pac4j/tree/master/pac4j-oauth/src/test/java/org/pac4j/oauth/run
Thanks.
Best regards,
Jérôme



Neha Gupta

Feb 13, 2018, 4:53:42 AM
to cas-...@apereo.org
Hello Jérôme,

Request you to please elaborate in more detail about how I can run these testcases.

I tried to solve the problem in pac4j (i.e. correcting the URL) but after that I am getting the below error (Traces and Snapshot attached): -

org.pac4j.core.exception.TechnicalException: com.github.scribejava.core.model.OAuth2AccessTokenErrorResponse: {
  "error" : "invalid_request",
  "error_description" : "Public members are not allowed to use the Members API"
}

Request you to please give me more detail about the issue, i.e. the place of its occurrence, whether the problem is at CAS side or pac4j side, and how I can proceed further.

Regards
Neha Gupta

Traces.txt
Error_Snapshot.png

Jérôme LELEU

Feb 14, 2018, 11:06:29 AM
to CAS Community
Hi,

The problem happens at the pac4j level, but it is not because of pac4j. The identity provider returns a specific error which makes authentication impossible.

There must be some bad configuration: maybe you have public key and secret while you need member ones. It definitely feels like a functional error.

Thanks.
Best regards,
Jérôme



Neha Gupta

Feb 22, 2018, 7:03:28 AM
to cas-...@apereo.org
Hello Jérôme,

I have written a mail to ORCID support and below is the reply from them: -

When do you get that error message? Is it when you try to exchange the 6 digit code for an access token? (I tried the link you sent and I'm able to authorize and see the 6 digit authorization code) If so, can you please send the full call you are using to exchange the code for an access token?

Request you to please answer the question or should I raise it in PAC4j support.

Thanks a lot for your support.


Regards
Neha Gupta



Jérôme LELEU

Feb 27, 2018, 9:19:18 AM
to CAS Community
Hi,

OK. It happens during the access token call where I should trade the code for an access token returned as a JSON body which is what currently fails.

To be able to do the test, I need your secret. If you're willing to send it to me, please do that privately -> lel...@gmail.com

Thanks.
Best regards,
Jérôme

