CAS 6.0.1 Azure AD Oauth2 issue

[John Ng]

Hi,

I am trying to configure CAS 6.0.1 to delegate to Azure AD using Oauth2

My overlay build.gradle contains the following:

dependencies {
    compile "org.apereo.cas:cas-server-webapp${project.appServer}:${casServerVersion}"
    compile "org.apereo.cas:cas-server-support-pac4j-webflow:${project.'cas.version'}"
}

My cas.properties contains the following:

cas.authn.pac4j.oauth2[0].id=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
cas.authn.pac4j.oauth2[0].secret=mysecret
cas.authn.pac4j.oauth2[0].authUrl=https://login.microsoftonline.com/common/oauth2/authorize
cas.authn.pac4j.oauth2[0].tokenUrl=https://login.microsoftonline.com/common/oauth2/token
cas.authn.pac4j.oauth2[0].clientName=AzureAD

I have added the CAS redirect URL to the allowed Reply URLs for the App registration in Azure AD.

When I point my browser at CAS:

1. My browser is redirected to Azure AD.
2. I login to Azure AD.
3. My browser is redirected back to CAS.

However, at that point CAS fails to complete the login, and the following error is displayed in the log.

2019-03-06 11:04:52,337 DEBUG [org.pac4j.oauth.credentials.extractor.OAuth20CredentialsExtractor] - <sessionState: TST-1-uwQC-bMB6BHZNkzhpUtVfKZDZhtiHf9R / stateParameter: TST-1-uwQC-bMB6BHZNkzhpUtVfKZDZhtiHf9R>
2019-03-06 11:04:52,337 DEBUG [org.pac4j.oauth.credentials.extractor.OAuth20CredentialsExtractor] - <code: AQABAAIAAACEfexXxjamQb3OeGQ4GugvwYgFHYRZxIL1IOezVY3ljBAbpR2DyzQQn4IaRQr01EPGQAGlQOQEepuEe3ndxRh8UX1OAB2zeIJ0Wf1Zu3xbN5KA6aGzGY0PDDcTuk5nx1gfhIZBbxibSRRidqhhCU-mhYY-lgie48PhAge30b214EBYBfhhqZz6jZk9KjkkjRuKkiYRNSl0yF__Z8gwffML09WzSaB6pPBuxRWUL79lXr9KqBYo4L6IkysMOqt2PGGZDJJRKcC6SruDgjuVCynJ7k8TIi0CdHCMQWDahHpMXWMkQycfJheACNHnXjQOk-meLqKS9LGeqMTBQPsBtnmBLwFeuwCH0vavzfkSbBpOvjwVnQeS16Gwp490ZkGEKEFtO5RBRA_nqtpMZoTNTe7TXrjdXiChoASALT8zaddPXP9wN1DErR1z99r8DldEkA4qM3-ULzKtrhBDGOG7qrmYo9KSq_qqUs0NM7i0wNwxTrQ9Q6qEGfC46t3NqBOTDBoHtY5KHS2p3GlvlSHjMg8DIO9dGphGHC5L-p5Jfjn-awwYsnDQ62P4n2d4tSHLqNcgAA>
2019-03-06 11:04:52,337 DEBUG [org.pac4j.oauth.credentials.authenticator.OAuth20Authenticator] - <code: AQABAAIAAACEfexXxjamQb3OeGQ4GugvwYgFHYRZxIL1IOezVY3ljBAbpR2DyzQQn4IaRQr01EPGQAGlQOQEepuEe3ndxRh8UX1OAB2zeIJ0Wf1Zu3xbN5KA6aGzGY0PDDcTuk5nx1gfhIZBbxibSRRidqhhCU-mhYY-lgie48PhAge30b214EBYBfhhqZz6jZk9KjkkjRuKkiYRNSl0yF__Z8gwffML09WzSaB6pPBuxRWUL79lXr9KqBYo4L6IkysMOqt2PGGZDJJRKcC6SruDgjuVCynJ7k8TIi0CdHCMQWDahHpMXWMkQycfJheACNHnXjQOk-meLqKS9LGeqMTBQPsBtnmBLwFeuwCH0vavzfkSbBpOvjwVnQeS16Gwp490ZkGEKEFtO5RBRA_nqtpMZoTNTe7TXrjdXiChoASALT8zaddPXP9wN1DErR1z99r8DldEkA4qM3-ULzKtrhBDGOG7qrmYo9KSq_qqUs0NM7i0wNwxTrQ9Q6qEGfC46t3NqBOTDBoHtY5KHS2p3GlvlSHjMg8DIO9dGphGHC5L-p5Jfjn-awwYsnDQ62P4n2d4tSHLqNcgAA>
2019-03-06 11:04:53,522 DEBUG [org.pac4j.oauth.credentials.authenticator.OAuth20Authenticator] - <accessToken: com.github.scribejava.core.model.OAuth2AccessToken@6a3ddd2e>
2019-03-06 11:04:53,522 DEBUG [org.pac4j.oauth.client.GenericOAuth20Client] - <Credentials validation took: 1185 ms>
2019-03-06 11:04:53,522 INFO [org.apereo.cas.web.flow.DelegatedClientAuthenticationAction] - <Credentials are successfully authenticated using the delegated client [AzureAD]>
2019-03-06 11:04:53,539 DEBUG [org.pac4j.oauth.client.GenericOAuth20Client] - <credentials : #OAuth20Credentials# | code: AQABAAIAAACEfexXxjamQb3OeGQ4GugvwYgFHYRZxIL1IOezVY3ljBAbpR2DyzQQn4IaRQr01EPGQAGlQOQEepuEe3ndxRh8UX1OAB2zeIJ0Wf1Zu3xbN5KA6aGzGY0PDDcTuk5nx1gfhIZBbxibSRRidqhhCU-mhYY-lgie48PhAge30b214EBYBfhhqZz6jZk9KjkkjRuKkiYRNSl0yF__Z8gwffML09WzSaB6pPBuxRWUL79lXr9KqBYo4L6IkysMOqt2PGGZDJJRKcC6SruDgjuVCynJ7k8TIi0CdHCMQWDahHpMXWMkQycfJheACNHnXjQOk-meLqKS9LGeqMTBQPsBtnmBLwFeuwCH0vavzfkSbBpOvjwVnQeS16Gwp490ZkGEKEFtO5RBRA_nqtpMZoTNTe7TXrjdXiChoASALT8zaddPXP9wN1DErR1z99r8DldEkA4qM3-ULzKtrhBDGOG7qrmYo9KSq_qqUs0NM7i0wNwxTrQ9Q6qEGfC46t3NqBOTDBoHtY5KHS2p3GlvlSHjMg8DIO9dGphGHC5L-p5Jfjn-awwYsnDQ62P4n2d4tSHLqNcgAA | accessToken: com.github.scribejava.core.model.OAuth2AccessToken@6a3ddd2e |>
2019-03-06 11:04:53,539 DEBUG [org.pac4j.oauth.profile.creator.OAuth20ProfileCreator] - <accessToken: com.github.scribejava.core.model.OAuth2AccessToken@6a3ddd2e / dataUrl: null>
2019-03-06 11:04:53,541 ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [ClientCredential(credentials=#OAuth20Credentials# | code: AQABAAIAAACEfexXxjamQb3OeGQ4GugvwYgFHYRZxIL1IOezVY3ljBAbpR2DyzQQn4IaRQr01EPGQAGlQOQEepuEe3ndxRh8UX1OAB2zeIJ0Wf1Zu3xbN5KA6aGzGY0PDDcTuk5nx1gfhIZBbxibSRRidqhhCU-mhYY-lgie48PhAge30b214EBYBfhhqZz6jZk9KjkkjRuKkiYRNSl0yF__Z8gwffML09WzSaB6pPBuxRWUL79lXr9KqBYo4L6IkysMOqt2PGGZDJJRKcC6SruDgjuVCynJ7k8TIi0CdHCMQWDahHpMXWMkQycfJheACNHnXjQOk-meLqKS9LGeqMTBQPsBtnmBLwFeuwCH0vavzfkSbBpOvjwVnQeS16Gwp490ZkGEKEFtO5RBRA_nqtpMZoTNTe7TXrjdXiChoASALT8zaddPXP9wN1DErR1z99r8DldEkA4qM3-ULzKtrhBDGOG7qrmYo9KSq_qqUs0NM7i0wNwxTrQ9Q6qEGfC46t3NqBOTDBoHtY5KHS2p3GlvlSHjMg8DIO9dGphGHC5L-p5Jfjn-awwYsnDQ62P4n2d4tSHLqNcgAA | accessToken: com.github.scribejava.core.model.OAuth2AccessToken@6a3ddd2e |, clientName=AzureAD, typedIdUsed=true, userProfile=null)] of type [ClientCredential]. Examine the configuration to ensure a method of authentication is defined and analyze CAS logs at DEBUG level to trace the authentication event.>

Any ideas what I'm doing wrong?