Oauth2 duplicate service definition


Cliff Ingham

Jan 8, 2018, 9:32:57 AM
to CAS Community
CAS is creating a new, duplicate service definition for OAuth every time it starts up.  Has anyone else seen this behavior?  Is there some configuration I'm missing?

CAS 5.2  running in Tomcat

2018-01-08 09:24:40,006 INFO [org.apereo.cas.services.AbstractServicesManager] - <Loaded [3] service(s) from [JsonServiceRegistryDao].>
Exception in thread "JsonServiceRegistryDao" java.lang.NullPointerException
        at org.apereo.cas.services.AbstractResourceBasedServiceRegistryDao.lambda$enableServicesDirectoryPathWatcher$4(AbstractResourceBasedServiceRegistryDao.java:156)
        at org.apereo.cas.util.io.PathWatcherService.lambda$handleEvent$3(PathWatcherService.java:143)
        at java.util.stream.ForEachOps$ForEachOp$OfRef.accept(ForEachOps.java:184)
        at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:175)
        at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1380)
        at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481)
        at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
        at java.util.stream.ForEachOps$ForEachOp.evaluateSequential(ForEachOps.java:151)
        at java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential(ForEachOps.java:174)
        at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
        at java.util.stream.ReferencePipeline.forEach(ReferencePipeline.java:418)
        at org.apereo.cas.util.io.PathWatcherService.handleEvent(PathWatcherService.java:130)
        at org.apereo.cas.util.io.PathWatcherService.run(PathWatcherService.java:102)
        at java.lang.Thread.run(Thread.java:748)
2018-01-08 09:24:42,233 WARN [org.apereo.inspektr.common.spi.DefaultClientInfoResolver] - <No ClientInfo could be found.  Returning empty ClientInfo object.>
2018-01-08 09:24:42,240 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: id=4051071662286337436,name=RegexRegisteredService,description=OAuth Authentication Callback Request URL,serviceId=https:/...
ACTION: SAVE_SERVICE_SUCCESS
APPLICATION: CAS
WHEN: Mon Jan 08 09:24:42 EST 2018
CLIENT IP ADDRESS: unknown
SERVER IP ADDRESS: unknown
=============================================================

>
2018-01-08 09:24:43,702 WARN [org.apereo.cas.services.AbstractResourceBasedServiceRegistryDao] - <Found a service definition [https://drifter.bloomington.in.gov/cas/oauth2.0/callbackAuthorize.*] with a duplicate id [4051071662286337536]. This will overwrite previous service definitions and is likely a configuration problem. Make sure all services have a unique id and try again.>
2018-01-08 09:24:55,958 WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Secret key for encryption is not defined for [Ticket-granting Cookie]; CAS will attempt to auto-generate the encryption key>
2018-01-08 09:24:55,967 WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Generated encryption key [Cl6FqZ1WSndBfZKhTs-c9ml4YbTIpU64Mqz6mSuP_LU] of size [256] for [Ticket-granting Cookie]. The generated key MUST be added to CAS settings under setting [cas.tgc.crypto.encryption.key].>
2018-01-08 09:24:55,970 WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Secret key for signing is not defined for [Ticket-granting Cookie]. CAS will attempt to auto-generate the signing key>
2018-01-08 09:24:55,971 WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Generated signing key [ckFJRKYSRPI1VaG4VNjR2V2jmNufiK-pY0UW3wMGnFn25UUpXdxaG9y2CZc_pnG71NMilm0HRi_qDukJNwij4g] of size [512] for [Ticket-granting Cookie]. The generated key MUST be added to CAS settings under setting [cas.tgc.crypto.signing.key].>
2018-01-08 09:24:56,486 WARN [org.apereo.cas.util.cipher.BaseBinaryCipherExecutor] - <Secret key for signing is not defined under [cas.webflow.crypto.signing.key]. CAS will attempt to auto-generate the signing key>
2018-01-08 09:24:56,486 WARN [org.apereo.cas.util.cipher.BaseBinaryCipherExecutor] - <Generated signing key [ONuBkWF7LG-0JQtRppX4oC4P9v7z5v0DWwWWsTgYZXL7L1yBzK1XiDlEcalLY4PbxVlR0dGj-CkNnGG3JNXEjA] of size [512]. The generated key MUST be added to CAS settings under setting [cas.webflow.crypto.signing.key].>
2018-01-08 09:24:56,486 WARN [org.apereo.cas.util.cipher.BaseBinaryCipherExecutor] - <Secret key for encryption is not defined under [cas.webflow.crypto.encryption.key]. CAS will attempt to auto-generate the encryption key>
2018-01-08 09:24:56,489 WARN [org.apereo.cas.util.cipher.BaseBinaryCipherExecutor] - <Generated encryption key [AE1Vbp-g8qaURbr8oCERSw] of size [16]. The generated key MUST be added to CAS settings under setting [cas.webflow.crypto.encryption.key].>
08-Jan-2018 09:24:56.599 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployWAR Deployment of web application archive [/srv/webapps/cas.war] has finished in [36,557] ms
08-Jan-2018 09:24:56.602 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]
08-Jan-2018 09:24:56.608 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-nio-8009"]
08-Jan-2018 09:24:56.609 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 62503 ms
2018-01-08 09:25:40,014 INFO [org.apereo.cas.services.AbstractServicesManager] - <Loaded [4] service(s) from [JsonServiceRegistryDao].>


Kirill Gagarski

May 15, 2018, 11:05:23 AM
to CAS Community
If you are still interested, I've faced the same problem and managed to solve it.

Here is the code responsible for registering OAuth service to CAS.


@PostConstruct
public void initializeServletApplicationContext() {
    final String oAuthCallbackUrl = casProperties.getServer().getPrefix() + BASE_OAUTH20_URL + '/' + CALLBACK_AUTHORIZE_URL_DEFINITION;

    final Service callbackService = this.webApplicationServiceFactory.createService(oAuthCallbackUrl);
    final RegisteredService svc = servicesManager.findServiceBy(callbackService);

    if (svc == null || !svc.getServiceId().equals(oAuthCallbackUrl)) {
        // Register a new service
        // ...
    }
}


When CAS is first started after enabling OAuth support, svc is null, so the new service is created. The next time it should be able to find this service in the registry and match its serviceId. My problem was that I had created a wildcard service for debugging purposes:

--- !<org.apereo.cas.services.RegexRegisteredService>
serviceId: ".*"
name: "any"
id: 1000
description: "Any Service"
attributeReleasePolicy: !<org.apereo.cas.services.ReturnAllAttributeReleasePolicy>
  authorizedToReleaseProxyGrantingTicket: true
accessStrategy: !<org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy>
  enabled: true
  ssoEnabled: true
proxyPolicy: !<org.apereo.cas.services.RegexMatchingRegisteredServiceProxyPolicy>
  pattern: ".*"
allowedAttributes:
  employeeID

And this service was the one found by servicesManager.findServiceBy(callbackService) (the wildcard service definitely matches the callback URL). So the thing you should do is to remove this wildcard service or make it a bit less wildcard with some dark regex magic (this part is left as an exercise for the reader).
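
The restart behaviour described in the answer above can be reproduced with a small model, added here as an example that is not part of the original thread and is not CAS code. It compares a catch-all debug service with one narrowed by a negative lookahead so that it no longer shadows the OAuth callback definition. Assumptions: `findServiceBy`, `startup` and `sizeAfterRestarts` are simplified, hypothetical stand-ins, the host `cas.example.org` is a constructed placeholder, and the lookup returns the first matching pattern in list order.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/** Simplified model of the startup check quoted in the thread; not CAS code. */
public class OAuthCallbackRegistrationDemo {

    // Constructed value: stands in for server prefix + OAuth base path + callback pattern.
    static final String CALLBACK = "https://cas.example.org/cas/oauth2.0/callbackAuthorize.*";

    /** Hypothetical registry lookup: the first serviceId pattern that matches the URL wins. */
    static String findServiceBy(List<String> registry, String url) {
        for (String serviceId : registry) {
            if (Pattern.compile(serviceId).matcher(url).matches()) {
                return serviceId;
            }
        }
        return null;
    }

    /** Mirrors the quoted condition: register when nothing matches or a different definition matches. */
    static void startup(List<String> registry) {
        String svc = findServiceBy(registry, CALLBACK);
        if (svc == null || !svc.equals(CALLBACK)) {
            registry.add(CALLBACK); // the "Register a new service" branch
        }
    }

    /** Starts with one debug service, simulates restarts, returns the registry size. */
    static int sizeAfterRestarts(String debugServiceId, int restarts) {
        List<String> registry = new ArrayList<>();
        registry.add(debugServiceId);
        for (int i = 0; i < restarts; i++) {
            startup(registry);
        }
        return registry.size();
    }

    public static void main(String[] args) {
        // Catch-all debug service: it shadows the callback definition, so each restart adds a copy.
        System.out.println("services with \".*\": " + sizeAfterRestarts(".*", 3));
        // Narrowed debug service: the lookahead excludes the OAuth endpoints, so the
        // callback definition is found on later restarts and registered only once.
        String narrowed = "^(?!https://cas\\.example\\.org/cas/oauth2\\.0/).*";
        System.out.println("services with lookahead: " + sizeAfterRestarts(narrowed, 3));
    }
}
```

The debug definition quoted in the thread also releases all attributes and proxy-granting tickets to every URL it matches, so narrowing or removing it tightens service authorization as well as stopping the duplicate registration.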