CAS 5.3, OIDC redirect back to root when using bookmarks


Yan Zhou

Jan 29, 2021, 4:21:56 PM
to CAS Community
Hello,

We noticed an issue on CAS 5.3 with OIDC. I finally realized what may be going on, but do not have a solution.

The app uses CAS for authentication via OIDC; the app redirects to the CAS login page. When people bookmark the app, the first opportunity they have is the CAS login page, where the URL usually reads like this:

https://....../cas/login?service=https://app.com

Next time, they use the bookmark and go straight to this URL, as opposed to letting the app redirect to CAS. This is where the problem comes in with OIDC.

Here is the flow when the user types the app endpoint in the browser and lets the app redirect:

GET /cas/oidc/authorize/......  (this is due to the OIDC client in App side, crucial first step)
GET /cas/login?service=.....cas/oauth2.0/callbackAuthorize/....  

The login page shows up, the user bookmarks it and enters credentials.

POST /cas/login?service=.....cas/oauth2.0/callbackAuthorize/....
GET /cas5/p3/serviceValidate?ticket=
GET /cas5/oauth2.0/callbackAuthorize?client_id=
GET /cas5/oidc/authorize?client_id=

After the user logs out and closes the browser, then restarts the browser, they use the saved bookmark. Now the flow shows the CAS login page immediately without going through the first endpoint on /oidc/authorize (see above).

When the user logs in, they are redirected to the root /, as opposed to proceeding to the /oidc/authorize endpoint; this is due to how pac4j works. It is almost like a stack pushing/popping, and we did not do anything to pop, so we default to root. The root is usually the wrong page, such as the Tomcat welcome page or the domain root.

This is fairly consistently seen on IE. 

Does that make sense? I think this could be happening with any bookmarked CAS login page with a service parameter, and it will be seen in OIDC client apps.

Any idea to work around or fix this?

Thanks,
Yan

Ray Bon

Jan 29, 2021, 4:59:06 PM
to cas-...@apereo.org
Yan,

A partial solution is 'cas.view.default-redirect-url', which can be found here: https://apereo.github.io/cas/6.3.x/configuration/Configuration-Properties.html#views. It lets you specify where to go when no service param is supplied.

Ray



-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.
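A constructed model of the push/pop behaviour Yan describes and of the default-redirect-url fallback Ray points to, added here as an example; it is not CAS or pac4j code. The CAS base URL, client id, redirect URI and the dict standing in for the web session are assumptions:

```python
from urllib.parse import urlparse, parse_qs, quote

# Constructed model of the flow described in the thread (not CAS or pac4j code).
# A dict stands in for the CAS web session; all URLs are hypothetical.
CAS = "https://cas.example.edu/cas"
APP_REDIRECT_URI = "https://app.example.edu/oidc/callback"

def oidc_authorize(session, client_id, redirect_uri):
    """Step 1: the app's OIDC client sends the browser to /oidc/authorize.
    CAS remembers the pending request ("push") and redirects to /cas/login."""
    session["pending_authz"] = {"client_id": client_id, "redirect_uri": redirect_uri}
    callback = f"{CAS}/oauth2.0/callbackAuthorize?client_id={client_id}"
    return f"{CAS}/login?service={quote(callback, safe='')}"

def login_then_callback(session, login_url, default_redirect_url=None):
    """Steps 2-4: the user authenticates at login_url; CAS validates the ticket
    and lands on callbackAuthorize, which tries to resume the saved request ("pop")."""
    service = parse_qs(urlparse(login_url).query)["service"][0]
    if "/oauth2.0/callbackAuthorize" not in urlparse(service).path:
        return service                      # plain CAS service: go straight there
    pending = session.pop("pending_authz", None)
    if pending is None:                     # nothing was pushed: the bookmark case
        return default_redirect_url or "/"  # root unless cas.view.default-redirect-url is set
    return f"{pending['redirect_uri']}?code=CONSTRUCTED-CODE"

def app_initiated_flow():
    """User types the app URL; the app redirects through /oidc/authorize first."""
    session = {}
    login_url = oidc_authorize(session, "app", APP_REDIRECT_URI)
    return login_then_callback(session, login_url)

def bookmarked_flow(default_redirect_url=None):
    """User opens a saved /cas/login?service=...callbackAuthorize bookmark in a
    fresh browser session: step 1 never runs, so there is nothing to pop."""
    bookmark = oidc_authorize({}, "app", APP_REDIRECT_URI)  # the URL saved earlier
    return login_then_callback({}, bookmark, default_redirect_url)

if __name__ == "__main__":
    print(app_initiated_flow())                          # ends at the app's redirect_uri
    print(bookmarked_flow())                             # "/" : the symptom in the thread
    print(bookmarked_flow("https://app.example.edu/"))   # the partial fix Ray mentions
```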

Emilian Mitocariu

Sep 19, 2022, 5:01:33 AM
to CAS Community, Ray Bon
Hi,

Any idea if there's a way to whitelist some IPs for which `cas.view.default-redirect-url` does not apply?

I know this might be a long shot, but it can't hurt to ask.
