Hi group,
since I am not sure where to better report a bug, I am doing it here. I am also looking for advice if the pac4j issue tracker might be a better place to report.
We are using CAS Server 6.1.5 to federate the customer login to several of our services via OpenID Connect.
It came to our attention that if a yet unauthenticated user opens several services at once in different windows/tabs of the same browser, only the first authentication process attempted will succeed. Submission of a second still open login form will result in the display of the error message "Error: No message available".
In the first submission of the credentials the POST to /cas/login will send a redirect (302) to /cas/oauth2.0/callbackAuthorize, which in turn will redirect to /cas/oidc/authorize, which will finally redirect to the service.
In the second submission of the credentials the POST will also send a redirect to /cas/oauth2.0/callbackAuthorize, which will use and invalidate the issued service ticket and send a redirect to /cas/oauth2.0/callbackAuthorize again (NOT to /cas/oidc/authorize). On the second call of /cas/oauth2.0/callbackAuthorize the supplied ticket is already invalidated and gives rise to an org.apereo.cas.ticket.InvalidTicketException and in turn to the "Error: No message available" error presented to the user.
I tried changing cas.authn.oauth.replicateSessions to true, which resulted in no change to the problem.
Any input would be greatly appreciated!
Thanks,
Marcus
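An added example, not part of Marcus's post and not CAS or pac4j code: a small log checker that reconstructs the redirect chain for each credential submission and flags the pattern described above, where /cas/oauth2.0/callbackAuthorize redirects back to itself instead of on to /cas/oidc/authorize. The log format (timestamp, browser session id, method, path, status, Location header) is a constructed one chosen for the example; an operator would adapt the regex to their own access log layout. The sample log lines are constructed to mirror the two submissions in the report.

```python
import re
from urllib.parse import urlsplit

# Constructed sample log (not real CAS output). Each line: timestamp, browser
# session id, method, request path, response status and the Location header
# of the response ("-" when there is none). The first three lines model the
# successful first login, the last three the failing second login.
SAMPLE_LOG = """\
2020-05-01T10:00:00Z sess=A POST /cas/login 302 loc=/cas/oauth2.0/callbackAuthorize?ticket=ST-1
2020-05-01T10:00:01Z sess=A GET /cas/oauth2.0/callbackAuthorize 302 loc=/cas/oidc/authorize?client_id=svc1
2020-05-01T10:00:02Z sess=A GET /cas/oidc/authorize 302 loc=https://svc1.example/cb?code=abc
2020-05-01T10:00:10Z sess=A POST /cas/login 302 loc=/cas/oauth2.0/callbackAuthorize?ticket=ST-2
2020-05-01T10:00:11Z sess=A GET /cas/oauth2.0/callbackAuthorize 302 loc=/cas/oauth2.0/callbackAuthorize?client_id=svc2
2020-05-01T10:00:12Z sess=A GET /cas/oauth2.0/callbackAuthorize 500 loc=-
"""

# Assumed log layout; adjust to the real access log format in use.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sess=(?P<sess>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) loc=(?P<loc>\S+)$"
)

# Redirect chain a successful OIDC login through CAS follows, as described
# in the report: login -> callbackAuthorize -> oidc/authorize.
EXPECTED_CHAIN = ["/cas/login", "/cas/oauth2.0/callbackAuthorize", "/cas/oidc/authorize"]
CALLBACK = "/cas/oauth2.0/callbackAuthorize"


def parse_log(text):
    """Turn log lines into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["status"] = int(ev["status"])
        # Keep only the path of the Location so ticket/client query strings are ignored.
        ev["loc_path"] = urlsplit(ev["loc"]).path if ev["loc"] != "-" else None
        events.append(ev)
    return events


def redirect_chains(events):
    """Group events per browser session into chains, one per credential
    submission (each POST /cas/login starts a new chain).
    Returns a list of (session, start_timestamp, [paths...]) in log order."""
    chains = []
    current = {}  # session id -> index of that session's open chain
    for ev in events:
        key = ev["sess"]
        if ev["method"] == "POST" and ev["path"] == "/cas/login":
            chains.append((key, ev["ts"], [ev["path"]]))
            current[key] = len(chains) - 1
        elif key in current:
            chains[current[key]][2].append(ev["path"])
    return chains


def diagnose(chain_paths):
    """Classify one chain: 'ok' when it follows the expected flow,
    'callback-loop' when callbackAuthorize is hit twice in a row
    (the symptom in the report), 'unknown' otherwise."""
    if chain_paths[:3] == EXPECTED_CHAIN:
        return "ok"
    for a, b in zip(chain_paths, chain_paths[1:]):
        if a == b == CALLBACK:
            return "callback-loop"
    return "unknown"


def find_broken_logins(text):
    """Return (session, start_timestamp, diagnosis) for every chain that is not ok."""
    findings = []
    for sess, ts, paths in redirect_chains(parse_log(text)):
        verdict = diagnose(paths)
        if verdict != "ok":
            findings.append((sess, ts, verdict))
    return findings


if __name__ == "__main__":
    for finding in find_broken_logins(SAMPLE_LOG):
        print("broken login:", finding)
```

Run against the sample, the first submission is classified as ok and the second as a callback-loop, which is the chain Marcus describes; pointed at real logs it gives a quick count of how often users hit the second-tab case before and after any configuration change such as cas.authn.oauth.replicateSessions.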