[7.2.3] OIDC problems
249 views
Skip to first unread message
spfma...@e.mail.fr
Jun 27, 2025, 2:03:35 PM6/27/25
to cas-...@apereo.org
Hi,
I was using the following configuration with CAS 7.0.5.1 :
#################
# OIDC / OAuth2 #
#################
cas.authn.token.crypto.enabled=false
cas.authn.token.crypto.encryption-enabled=false
cas.authn.oauth.session-replication.cookie.crypto.signing.key=H7-MYjp5M2e9hq_DIhOdR73X1cfTaabRFowiLJI0LhC4Cbb4FVNDFV30yJn0i9q68QWS0y3f1OTfJ9nno_Hjuw
cas.authn.oidc.core.issuer=${cas.server.prefix}/oidc
cas.authn.oidc.core.accepted-issuers-pattern=.*
# OIDC / OAuth2 #
#################
cas.authn.token.crypto.enabled=false
cas.authn.token.crypto.encryption-enabled=false
cas.authn.oauth.session-replication.cookie.crypto.signing.key=H7-MYjp5M2e9hq_DIhOdR73X1cfTaabRFowiLJI0LhC4Cbb4FVNDFV30yJn0i9q68QWS0y3f1OTfJ9nno_Hjuw
cas.authn.oidc.core.issuer=${cas.server.prefix}/oidc
cas.authn.oidc.core.accepted-issuers-pattern=.*
cas.authn.oauth.crypto.encryption.key=0ZJCKvFSVO6PUKlzUqWzE5eXDerK_T7G1oSfGHfaAGM
cas.authn.oauth.crypto.signing.key=_d6j3pacsAy_V7WP55RB-H0HtwfSawKav6aV8rUPuRPBDqDhAeJXpqjrtZwqTiUPkNOz2jcb5nLqJJ73ygqROw
cas.authn.oauth.access-token.crypto.encryption.key=8wK97XDbYzeDhSzZgfcFWp3SHW_Lr-h69cGtWYZjJz0
cas.authn.oidc.core.user-defined-scopes.memberof=memberof
cas.authn.oidc.discovery.scopes=openid,profile,email,address,phone,memberof
cas.authn.oidc.discovery.claims=sub,name,email,family_name,given_name,memberof
cas.authn.oidc.id-token.include-id-token-claims=true
cas.authn.oauth.crypto.signing.key=_d6j3pacsAy_V7WP55RB-H0HtwfSawKav6aV8rUPuRPBDqDhAeJXpqjrtZwqTiUPkNOz2jcb5nLqJJ73ygqROw
cas.authn.oauth.access-token.crypto.encryption.key=8wK97XDbYzeDhSzZgfcFWp3SHW_Lr-h69cGtWYZjJz0
cas.authn.oidc.core.user-defined-scopes.memberof=memberof
cas.authn.oidc.discovery.scopes=openid,profile,email,address,phone,memberof
cas.authn.oidc.discovery.claims=sub,name,email,family_name,given_name,memberof
cas.authn.oidc.id-token.include-id-token-claims=true
cas.authn.oidc.core.claims-map.email=mail
cas.authn.oidc.core.claims-map.memberof=memberOf
cas.authn.oidc.core.claims-map.name=cn
cas.authn.oidc.core.claims-map.family_name=sn
cas.authn.oidc.core.claims-map.given_name=givenName
cas.authn.oidc.core.claims-map.sub=uidNumber
cas.authn.oidc.core.claims-map.memberof=memberOf
cas.authn.oidc.core.claims-map.name=cn
cas.authn.oidc.core.claims-map.family_name=sn
cas.authn.oidc.core.claims-map.given_name=givenName
cas.authn.oidc.core.claims-map.sub=uidNumber
cas.authn.oidc.jwks.file-system.jwks-file=file:///etc/cas/config/keystore.jwks
There was no problem to authentify a service like this Gitea instance :
{
"@class" : "org.apereo.cas.services.OidcRegisteredService",
"attributeReleasePolicy" : {
"@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
"allowedAttributes" : [ "java.util.ArrayList", [ "sn", "givenName", "displayName", "mail"] ]
},
"clientId": "gitea01",
"clientSecret": "862E68E1-3973-40AF-BEB0-5A981C901F37",
"supportedResponseTypes": [ "java.util.HashSet", [ "code", "id_token" ] ],
"scopes" : [ "java.util.HashSet", [ "openid", "profile", "email", "memberof" ] ],
"@class" : "org.apereo.cas.services.OidcRegisteredService",
"attributeReleasePolicy" : {
"@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
"allowedAttributes" : [ "java.util.ArrayList", [ "sn", "givenName", "displayName", "mail"] ]
},
"clientId": "gitea01",
"clientSecret": "862E68E1-3973-40AF-BEB0-5A981C901F37",
"supportedResponseTypes": [ "java.util.HashSet", [ "code", "id_token" ] ],
"scopes" : [ "java.util.HashSet", [ "openid", "profile", "email", "memberof" ] ],
"serviceId" : "https://my_gitea_server/user/oauth2/SSODEV_OIDC/callback(.*)",
"name" : "gitea01",
"description" : "GITEA Infra test",
"evaluationOrder" : 5,
"allowedToProxy" : false,
"anonymousAccess" : false,
"ignoreAttributes" : false,
"multifactorPolicy" : {
"@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
"bypassEnabled": false,
"forceExecution": false
},
"accessStrategy" : {
"@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
"enabled" : true,
"ssoEnabled" : true,
"caseInsensitive" : false
},
"id" : 5
}
"name" : "gitea01",
"description" : "GITEA Infra test",
"evaluationOrder" : 5,
"allowedToProxy" : false,
"anonymousAccess" : false,
"ignoreAttributes" : false,
"multifactorPolicy" : {
"@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
"bypassEnabled": false,
"forceExecution": false
},
"accessStrategy" : {
"@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
"enabled" : true,
"ssoEnabled" : true,
"caseInsensitive" : false
},
"id" : 5
}
But with 7.2.3, I can not pass the login form, it loops on it.
And I have seen this expection in the logs :
2025-06-27 18:27:29,830 WARN [org.apereo.cas.web.support.gen.CookieRetrievingCookieGenerator] - <DecryptionException>
org.apereo.cas.util.crypto.DecryptionException: null
at org.apereo.cas.util.EncodingUtils.decryptJwtValue(EncodingUtils.java:480) ~[cas-server-core-util-api-7.2.3.jar:7.2.3]
at org.apereo.cas.util.cipher.BaseStringCipherExecutor.verifyAndDecrypt(BaseStringCipherExecutor.java:283) ~[cas-server-core-util-api-7.2.3.jar:7.2.3]
at org.apereo.cas.util.cipher.BaseStringCipherExecutor.decode(BaseStringCipherExecutor.java:129) ~[cas-server-core-util-api-7.2.3.jar:7.2.3]
at org.apereo.cas.util.cipher.BaseStringCipherExecutor.decode(BaseStringCipherExecutor.java:123) ~[cas-server-core-util-api-7.2.3.jar:7.2.3]
at org.apereo.cas.util.cipher.BaseStringCipherExecutor.decode(BaseStringCipherExecutor.java:37) ~[cas-server-core-util-api-7.2.3.jar:7.2.3]
at org.apereo.cas.web.support.mgmr.EncryptedCookieValueManager.obtainCookieValue(EncryptedCookieValueManager.java:52) ~[cas-server-core-cookie-api-7.2.3.jar:7.2.3]
at org.apereo.cas.web.cookie.CookieValueManager.obtainCookieValue(CookieValueManager.java:42) ~[cas-server-core-api-cookie-7.2.3.jar:7.2.3]
at org.apereo.cas.web.support.gen.CookieRetrievingCookieGenerator.lambda$retrieveCookieValue$0(CookieRetrievingCookieGenerator.java:150) ~[cas-server-core-cookie-api-7.2.3.jar:7.2.3]
at java.base/java.util.Optional.map(Optional.java:260) ~[?:?]
at org.apereo.cas.web.support.gen.CookieRetrievingCookieGenerator.retrieveCookieValue(CookieRetrievingCookieGenerator.java:150) ~[cas-server-core-cookie-api-7.2.3.jar:7.2.3]
at org.apereo.cas.web.flow.login.VerifyRequiredServiceAction.doExecuteInternal(VerifyRequiredServiceAction.java:47) ~[cas-server-support-actions-core-7.2.3.jar
org.apereo.cas.util.crypto.DecryptionException: null
at org.apereo.cas.util.EncodingUtils.decryptJwtValue(EncodingUtils.java:480) ~[cas-server-core-util-api-7.2.3.jar:7.2.3]
at org.apereo.cas.util.cipher.BaseStringCipherExecutor.verifyAndDecrypt(BaseStringCipherExecutor.java:283) ~[cas-server-core-util-api-7.2.3.jar:7.2.3]
at org.apereo.cas.util.cipher.BaseStringCipherExecutor.decode(BaseStringCipherExecutor.java:129) ~[cas-server-core-util-api-7.2.3.jar:7.2.3]
at org.apereo.cas.util.cipher.BaseStringCipherExecutor.decode(BaseStringCipherExecutor.java:123) ~[cas-server-core-util-api-7.2.3.jar:7.2.3]
at org.apereo.cas.util.cipher.BaseStringCipherExecutor.decode(BaseStringCipherExecutor.java:37) ~[cas-server-core-util-api-7.2.3.jar:7.2.3]
at org.apereo.cas.web.support.mgmr.EncryptedCookieValueManager.obtainCookieValue(EncryptedCookieValueManager.java:52) ~[cas-server-core-cookie-api-7.2.3.jar:7.2.3]
at org.apereo.cas.web.cookie.CookieValueManager.obtainCookieValue(CookieValueManager.java:42) ~[cas-server-core-api-cookie-7.2.3.jar:7.2.3]
at org.apereo.cas.web.support.gen.CookieRetrievingCookieGenerator.lambda$retrieveCookieValue$0(CookieRetrievingCookieGenerator.java:150) ~[cas-server-core-cookie-api-7.2.3.jar:7.2.3]
at java.base/java.util.Optional.map(Optional.java:260) ~[?:?]
at org.apereo.cas.web.support.gen.CookieRetrievingCookieGenerator.retrieveCookieValue(CookieRetrievingCookieGenerator.java:150) ~[cas-server-core-cookie-api-7.2.3.jar:7.2.3]
at org.apereo.cas.web.flow.login.VerifyRequiredServiceAction.doExecuteInternal(VerifyRequiredServiceAction.java:47) ~[cas-server-support-actions-core-7.2.3.jar
Is there something I need to configure, maybe a parameter with a new default value I had never set before ?
Thanks for any help
Regards
FreeMail powered by mail.fr
AJ
Jun 27, 2025, 2:09:59 PM6/27/25
to cas-...@apereo.org
There should be more to that error. Send the start of the trace. There was an issue involving crypto keys from 7.0 to 7.1/7.2.
From: spfma.tech via CAS Community <cas-...@apereo.org>
Sent: Friday, June 27, 2025 12:34 PM
To: cas-...@apereo.org <cas-...@apereo.org>
Subject: [cas-user] [7.2.3] OIDC problems
Sent: Friday, June 27, 2025 12:34 PM
To: cas-...@apereo.org <cas-...@apereo.org>
Subject: [cas-user] [7.2.3] OIDC problems
--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/bfb83d961fe97ff9679fdf9ba883b30d627dee0a%40mail.de.
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/bfb83d961fe97ff9679fdf9ba883b30d627dee0a%40mail.de.
Ray Bon
Jun 27, 2025, 3:25:17 PM6/27/25
to cas-...@apereo.org
It is possible that the default length of keys has changed.
Try generating new keys or set the key length. See
https://apereo.github.io/cas/7.2.x/authentication/OAuth-Authentication.html
Ray
From: spfma.tech via CAS Community <cas-...@apereo.org>
Sent: June 27, 2025 09:34
--
AJ
Jun 27, 2025, 4:24:12 PM6/27/25
to cas-...@apereo.org, cas-...@apereo.org
This is exactly the issue. I remember having to do this.
On Jun 27, 2025, at 3:25 PM, Ray Bon <rb...@uvic.ca> wrote:
spfma...@e.mail.fr
Jul 11, 2025, 10:31:17 AM7/11/25
to cas-...@apereo.org
Hi,
Thank you very much, two keys needed to be replaced (cas.tgc.crypto.encryption.key and cas.authn.oauth.session-replication.cookie.crypto.encryption.key).
As I don't know how to generate new ones, I blanked them and copy/pasted the ones generated by CAS at startup.
Regards
Reply all
Reply to author
Forward
0 new messages