CAS 6.5.3 : OpenID Connect problem


Said b

May 3, 2022, 9:49:06 AM
to CAS Community

Hello,

I am using OpenID Connect with CAS 6.1.7. I installed CAS 6.5.3 in test, but I get an error (Application not authorized to use CAS) while the service file is identical. Is there a configuration change between 6.1 and 6.5? I don't see anything in the documentation.
Service file:
{
  "id": 1624798320,
  "name": "AppOIDC",
  "description": "mobile app",
  "evaluationOrder": 99,
  "@class": "org.apereo.cas.services.OidcRegisteredService",
  "supportedGrantTypes": [
    "java.util.HashSet",
    [
      "authorization_code",
      "refresh_token"
    ]
  ],
  "clientId": "mobileapp",
  "clientSecret": "xxxxxxxxxxxxxxxxxxxxxxxxxx",
  "serviceId": "^https://service.callback.oauth.domain.com$",
  "scopes": [
    "java.util.HashSet",
    [
      "profile",
      "email",
      "offline_access"
    ]
  ],
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes": [ "java.util.ArrayList", [ "sn", "givenName" ] ]
  }
}

Regards.

Ray Bon

May 3, 2022, 11:56:39 AM
to cas-...@apereo.org
Said,

Some of the property names may have changed.
Run this command to get the list of all properties:

./gradlew exportConfigMetadata

then search for the properties you are using.


Ray

-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional territory the university stands, and the Songhees, Esquimalt and WSÁNEĆ peoples whose historical relationships with the land continue to this day.

wouldsmina

May 4, 2022, 11:41:13 AM
to cas-...@apereo.org
Thank you Ray. The file contains nearly 80,000 lines... it's not going to be easy to find my way around. I will still try to find a solution, but if someone can guide me more, I'm interested.



Ray Bon

May 4, 2022, 1:39:43 PM
to cas-...@apereo.org
I meant search for the property that you are currently using.
There should be a note about the name of the new property.

Ray

wouldsmina

May 5, 2022, 4:54:19 AM
to cas-...@apereo.org
I had no properties in cas.properties for OIDC. I added cas.authn.oidc.core.issuer like in the documentation, but it doesn't change anything.
cas.log and catalina.log return no warning about a replaced attribute, and the service file is loaded correctly.

It looks like the regex in serviceId is not working (yet the same one works on CAS 6.1).

Regards.

Petr Fišer

May 5, 2022, 5:26:05 AM
to wouldsmina, cas-...@apereo.org
Hello,
Do you have DEBUG logging enabled? Is there anything interesting in the logs?
Also, what is your setup? Are you running behind a proxy, perchance?

Cheers,
Fiisch

Petr Fišer

May 5, 2022, 11:42:26 PM
to wouldsmina, cas-...@apereo.org
Hello,
Do not focus on the service loading, look at the logs from the time you are actually trying to access the service. That should help you more.


Hm... your HTTPd does SSL offloading. That might be the case... I faced a similar problem with my https/443 -> http/8080 proxy.
I am not sure if that applies to AJP proxying too, but I *think* AJP should transfer scheme information... anyway, I will describe the problem I was having. Just in case.


I was running https/443 (nGinx) -> http/8080 proxy (standalone Tomcat + CAS .war). Older CAS (6.2.x) was working fine with my OIDC configuration, newer (6.5.x) was not. I was getting the same error as you do.
My server prefix was https://am.something.tld/cas, so I set the OIDC Issuer to https://am.something.tld/cas/oidc . All good here.

In 6.5.x there is some additional matching/checking of the OIDC issuer against incoming OIDC requests and/or service callbacks in the CAS itself.
I got one line in the log which was something like:

        the request https://am.something.tld/cas/oidc/authorize?=... does not match oidc issuer http://am.something.tld/cas/oidc

See the "http" in the matching rule where the "https" should be? The problem here was bad URI scheme information getting to CAS. CAS gets the info from the X-Forwarded-Proto header, and from the Tomcat connector object (Java representation of the HTTP connector inside the application container). Basically, CAS thought I was running plain HTTP because the Tomcat connector object is plain http for the backend server and I was not giving it the X-Forwarded-Proto header.

I had to make sure my proxy sets the correct X-Forwarded-Proto header and Tomcat propagates it to the application via RemoteIpValve.
Once I did this, things started working.

Cheers,
Fiisch

On 05/05/2022 02:01 PM, wouldsmina wrote:
Hello Fiisch,

Yes, debug logging is enabled, but nothing interesting. The service file is loaded correctly:
[2022-05-05 12:10:03] [info] 2022-05-05 12:10:03,277 DEBUG [org.apereo.cas.services.resource.AbstractResourceBasedServiceRegistry] - <Attempting to read and parse [/etc/cas/services/appoidc-1624798320.json]>
[2022-05-05 12:10:03] [info] 2022-05-05 12:10:03,277 DEBUG [org.apereo.cas.oidc.services.OidcServiceRegistryListener] - <Mapped [email] to attribute release policy [OidcEmailScopeAttributeReleasePolicy]>
[2022-05-05 12:10:03] [info] 2022-05-05 12:10:03,277 DEBUG [org.apereo.cas.oidc.services.OidcServiceRegistryListener] - <Mapped [profile] to attribute release policy [OidcProfileScopeAttributeReleasePolicy]>
[2022-05-05 12:10:03] [info] 2022-05-05 12:10:03,277 DEBUG [org.apereo.cas.oidc.services.OidcServiceRegistryListener] - <Given scope [offline_access], service [1624798320] is marked to generate refresh tokens>

The CAS server is behind a proxy (Apache) like my CAS 6.1:

<VirtualHost *:443>
    ServerAdmin s...@domain.fr
    ServerName cas-test.domain.fr

    DocumentRoot /var/www/cas-test
    AccessFileName .htaccess

    <Directory />
        Options FollowSymLinks
        AllowOverride None
        Allow from all
    </Directory>
    <Directory /var/www/>
        Options FollowSymLinks MultiViews
        AllowOverride AuthConfig
        Order allow,deny
        Allow from all
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    LogLevel warn
    ErrorLog ${APACHE_LOG_DIR}/cas-test-error.log
    CustomLog ${APACHE_LOG_DIR}/cas-test-ssl_access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

    SSLEngine on

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch ".*.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

    ProxyPass /cas ajp://spartana-b2.domain.fr:8010/cas
</VirtualHost>

Regards.

wouldsmina

May 5, 2022, 11:42:26 PM
to Petr Fišer, cas-...@apereo.org
I don't get any info log when I try to access the service (which I find weird, by the way). Debug returns:
2022-05-05 15:05:18,699 DEBUG [org.springframework.security.web.FilterChainProxy] - <Securing GET /oidc/authorize?response_type=code&redirect_uri=https%3A%2F%2Fxxxx.callback.oauth.domain.com&scope=openid+email+profile+offline_access&state=abcdef&client_id=appoidc>
2022-05-05 15:05:18,699 DEBUG [org.springframework.security.web.context.SecurityContextPersistenceFilter] - <Set SecurityContextHolder to empty SecurityContext>
2022-05-05 15:05:18,699 DEBUG [org.springframework.security.web.authentication.AnonymousAuthenticationFilter] - <Set SecurityContextHolder to anonymous SecurityContext>
2022-05-05 15:05:18,699 DEBUG [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] - <Authorized public object filter invocation [GET /oidc/authorize?response_type=code&redirect_uri=https%3A%2F%2Fxxxx.callback.oauth.domain.com&scope=openid+email+profile+offline_access&state=abcdef&client_id=appoidc]>
2022-05-05 15:05:18,699 DEBUG [org.springframework.security.web.FilterChainProxy] - <Secured GET /oidc/authorize?response_type=code&redirect_uri=https%3A%2F%2Fxxxx.callback.oauth.domain.com&scope=openid+email+profile+offline_access&state=abcdef&client_id=appoidc>
2022-05-05 15:05:18,721 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] - <Did not store anonymous SecurityContext>
2022-05-05 15:05:18,722 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] - <Did not store anonymous SecurityContext>
2022-05-05 15:05:18,722 DEBUG [org.springframework.security.web.context.SecurityContextPersistenceFilter] - <Cleared SecurityContextHolder to complete request>

Even if I don't see any error in the logs, my problem could be the same as yours... I'm going to define X-Forwarded-Proto in the Apache VirtualHost.

Thank you for your advice.

wouldsmina

May 5, 2022, 11:42:26 PM
to Petr Fišer, cas-...@apereo.org
Good news, I found the solution. Ray gave me good directions, I had to configure cas.authn.oidc.core.issuer... and Fiisch, you also helped me by talking about the proxy! cas.authn.oidc.core.issuer must contain the address of the proxy and not of the Tomcat server.
Thanks to you two for helping me.
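The mechanism Fiisch describes (the scheme CAS reconstructs from the X-Forwarded-Proto header and the Tomcat connector being compared against the configured issuer) and the resolution in the last post (the issuer must be the proxy-facing URL) can be modelled in a few lines. The following is an added example written for this thread, not code from CAS or from any poster: it reconstructs a request's URL the way a container behind a TLS-terminating proxy would, honours X-Forwarded-Proto only from a trusted proxy as RemoteIpValve does, and runs the issuer check over three constructed requests. The hostnames, the trusted-proxy ranges and the sample requests are all made up for the illustration.

```python
"""
Added example, not code from the thread or from CAS itself: a model of how an
OIDC server behind a TLS-terminating reverse proxy reconstructs the scheme of
an incoming request, and why its issuer check fails when X-Forwarded-Proto is
missing or comes from an untrusted peer. Names, the trusted-proxy ranges and
the sample requests are constructed for this illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Configured issuer, as in the thread: it must be the proxy's public address,
# not the backend Tomcat's.
ISSUER = "https://cas-test.domain.fr/cas/oidc"

# Peers whose X-Forwarded-Proto header we believe; the equivalent of the
# RemoteIpValve internalProxies/trustedProxies setting (constructed ranges).
TRUSTED_PROXIES = ["127.0.0.0/8", "10.0.0.0/8"]


@dataclass
class Request:
    """What the backend container sees for one request (constructed)."""
    connector_scheme: str                # scheme of the Tomcat connector itself
    host: str                            # Host header as it reached the backend
    path: str
    remote_addr: str                     # peer that connected to the backend
    headers: Dict[str, str] = field(default_factory=dict)


def effective_scheme(req: Request, trusted_proxies: List[str]) -> str:
    """Honour X-Forwarded-Proto only when it arrives from a trusted proxy;
    otherwise fall back to the connector's own scheme (plain http for a
    typical 8080/AJP backend). Ignoring the header from untrusted peers is
    what stops a client that reaches the backend directly from asserting
    'https' on its own behalf."""
    proto = req.headers.get("X-Forwarded-Proto")
    peer = ip_address(req.remote_addr)
    if proto and any(peer in ip_network(net) for net in trusted_proxies):
        return proto.lower()
    return req.connector_scheme


def reconstructed_url(req: Request, trusted_proxies: List[str]) -> str:
    """The request URL as the server believes it was addressed."""
    return f"{effective_scheme(req, trusted_proxies)}://{req.host}{req.path}"


def check_issuer(req: Request, issuer: str, trusted_proxies: List[str]) -> Tuple[bool, str]:
    """The check the thread runs into: the request, as reconstructed, must
    live under the configured issuer. Returns (ok, reconstructed_url)."""
    url = reconstructed_url(req, trusted_proxies)
    base = issuer.rstrip("/")
    ok = url == base or url.startswith(base + "/")
    return ok, url


def diagnose(req: Request, issuer: str, trusted_proxies: List[str]) -> str:
    """Log-style message in the spirit of the line Fiisch quoted."""
    ok, url = check_issuer(req, issuer, trusted_proxies)
    if ok:
        return f"request {url} matches oidc issuer {issuer}"
    return f"request {url} does not match oidc issuer {issuer}"


def make_request(headers: Dict[str, str], remote_addr: str = "10.0.0.5") -> Request:
    # Backend listens on plain http; the proxy at 10.0.0.5 forwards to it (constructed).
    return Request("http", "cas-test.domain.fr", "/cas/oidc/authorize", remote_addr, headers)


# Constructed scenarios.
NO_HEADER = make_request({})                                     # proxy sets nothing
FORWARDED = make_request({"X-Forwarded-Proto": "https"})         # proxy sets header, valve trusts it
UNTRUSTED = make_request({"X-Forwarded-Proto": "https"},
                         remote_addr="203.0.113.7")              # header from a non-trusted peer

if __name__ == "__main__":
    for name, req in [("no header", NO_HEADER), ("forwarded", FORWARDED), ("untrusted peer", UNTRUSTED)]:
        print(f"{name:15s}: {diagnose(req, ISSUER, TRUSTED_PROXIES)}")
```

The "no header" case reproduces the log line Fiisch quoted: the backend's connector is plain http, so the reconstructed URL starts with http:// and fails against an https issuer. The "forwarded" case is what the proxy-side fix achieves (on Apache, a mod_headers `RequestHeader set X-Forwarded-Proto "https"` in the VirtualHost, and on Tomcat a RemoteIpValve whose internalProxies covers the proxy's address), and the "untrusted peer" case shows why that valve should trust only the proxy's addresses rather than any peer. Independently of the scheme, the host part of cas.authn.oidc.core.issuer has to be the name clients use at the proxy, which is the point the last post lands on.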