OpenID Connect (pac4j integration) simultaneous login in several windows/tabs fails


mlabib

Mar 24, 2020, 6:34:15 AM
to CAS Community
Hi group,

since I am not sure where to better report a bug, I am doing it here. I am also looking for advice if the pac4j issue tracker might be a better place to report.

We are using CAS Server 6.1.5 to federate the customer login to several of our services via OpenID Connect.

It came to our attention that if a yet unauthenticated user opens several services at once in different windows/tabs of the same browser, only the first authentication process attempted will succeed. Submission of a second, still open login form will result in the display of the error message "Error: No message available".

In the first submission of the credentials the POST to /cas/login will send a redirect (302) to
/cas/oauth2.0/callbackAuthorize which in turn will redirect to
/cas/oidc/authorize which will finally redirect to the service.

In the second submission of the credentials the POST will also send a redirect to
/cas/oauth2.0/callbackAuthorize, which will use and invalidate the issued service ticket and send a redirect to
/cas/oauth2.0/callbackAuthorize again (NOT to
/cas/oidc/authorize). On the second call of
/cas/oauth2.0/callbackAuthorize the supplied ticket is already invalidated and gives rise to an org.apereo.cas.ticket.InvalidTicketException and in turn to the
"Error: No message available" error presented to the user.

I tried changing cas.authn.oauth.replicateSessions to true, which resulted in no change to the problem.

Any input would be greatly appreciated!

Thanks,
Marcus

Jérôme LELEU

Mar 24, 2020, 7:10:42 AM
to cas-...@apereo.org
Hi,

I'm not surprised by this issue. pac4j relies on one session (distributed or not) to perform a login process.

When starting the login process in a tab, you put some data in the session. If meanwhile, in another tab, a login process is performed, the previous data have been erased and the first login process can't happen correctly in the first tab.

Thanks.
Best regards,
Jérôme


--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/c4f2cc5a-a4d1-4717-8acd-fbc340fc41db%40apereo.org.

mlabib

Mar 24, 2020, 8:55:51 AM
to CAS Community
Thanks, Jérôme, for the explanation.

As I understand it, there would have to be more state pushed around to fix the issue - maybe even the session made unnecessary?

Still I am quite unsure where this should be discussed. Do you think this qualifies as a pac4j issue? Should I open a CAS PR?

Best regards,
Marcus

Jérôme LELEU

Mar 24, 2020, 9:39:36 AM
to cas-...@apereo.org
Hi,

We should have a session per tab if ever it's possible or no session at all.
But this is definitely a hard topic, I'm not sure it's worth the deal to work on that.

In any case, it's more a pac4j issue than a CAS one; you would have the same problem with all pac4j implementations (JEE, Shiro, Play, Vertx...).
Let's move that discussion to the pac4j dev mailing list: https://groups.google.com/forum/?fromgroups#!forum/pac4j-dev

Thanks.
Best regards,
Jérôme
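The two replies above describe the same mechanism: the pending login request lives in one browser session slot, so a login started in a second tab overwrites the first tab's data, and the fix would be either a session per tab or no session at all. The following added example (written for this thread; it is not code from CAS, pac4j or either poster) models both strategies in plain Python so the failure and the alternative can be run side by side. The per-request variant keyed by the OAuth 2.0 `state` value is an assumption of the example, not pac4j's implementation; the service URLs and the in-memory session store are constructed for the demo.

```python
"""Session-bound login state: one slot per session vs. one entry per request.

Added example; not code from CAS, pac4j or the thread's posters. The
per-request store is an assumed design, not pac4j's own behaviour.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class PendingLogin:
    """What the relying party must remember across the redirect round trip."""
    state: str         # echoed back by the provider; binds the callback to this request
    nonce: str         # expected inside the ID token; binds the token to this request
    original_url: str  # where the user is sent once the login succeeds


def _new_pending(original_url: str) -> PendingLogin:
    return PendingLogin(secrets.token_urlsafe(16), secrets.token_urlsafe(16), original_url)


class SingleSlotSession:
    """Session that remembers only the most recently started login (the failure mode)."""

    def __init__(self) -> None:
        self.pending: Optional[PendingLogin] = None

    def start_login(self, original_url: str) -> str:
        p = _new_pending(original_url)
        self.pending = p  # a login started in another tab silently discards this one
        return p.state

    def finish_login(self, state: str) -> Optional[str]:
        p = self.pending
        if p is None or not secrets.compare_digest(p.state, state):
            return None  # unknown or stale state: reject the callback
        self.pending = None  # consumed; a replayed callback must fail
        return p.original_url


class PerRequestSession:
    """Session keyed by state, so logins from several tabs do not interfere."""

    def __init__(self) -> None:
        self.pending: Dict[str, PendingLogin] = {}

    def start_login(self, original_url: str) -> str:
        p = _new_pending(original_url)
        self.pending[p.state] = p
        return p.state

    def finish_login(self, state: str) -> Optional[str]:
        p = self.pending.pop(state, None)  # pop enforces one-time use
        return None if p is None else p.original_url


# Constructed sample services, standing in for the two tabs in the report.
SERVICE_A = "https://service-a.example/app"
SERVICE_B = "https://service-b.example/app"


def two_tabs(session_cls) -> Tuple[Optional[str], Optional[str]]:
    """Both tabs start a login before either callback returns; tab A's callback arrives first."""
    s = session_cls()
    state_a = s.start_login(SERVICE_A)
    state_b = s.start_login(SERVICE_B)
    return s.finish_login(state_a), s.finish_login(state_b)


def replayed_callback(session_cls) -> Tuple[Optional[str], Optional[str]]:
    """The same callback delivered twice must succeed once and then be rejected."""
    s = session_cls()
    st = s.start_login(SERVICE_A)
    return s.finish_login(st), s.finish_login(st)


if __name__ == "__main__":
    print("single slot:", two_tabs(SingleSlotSession))      # tab A fails, tab B succeeds
    print("per request:", two_tabs(PerRequestSession))      # both tabs succeed
    print("replay     :", replayed_callback(SingleSlotSession), replayed_callback(PerRequestSession))
```

With the single slot, whichever tab's request was overwritten loses its state and its callback is rejected, which is the one-success-out-of-two behaviour seen in the report. The per-request store keeps both logins alive while still rejecting a replayed callback, but it only moves the problem: the entries still have to live somewhere every CAS node can read (the same concern behind `cas.authn.oauth.replicateSessions`), and they need an expiry so abandoned tabs cannot grow the store without bound.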
