6.6.5.1 upgrade to 7.0 - OIDC no longer working


Alcides Moraes

Sep 26, 2024, 11:43:29 PM
to CAS Community
Hello all

I have a very stable CAS 6.6.15.1 running on rancher2/kubernetes, with Hazelcast ticket registry and Kubernetes discovery.

When upgrading to 7.0.7, apart from the usual pom version updates and a few adjustments to my custom theme, everything seemed to work.

However, OIDC clients cannot authenticate anymore. They either get into infinite 302 loops ("Too Many Redirects") or they error out on their end, with absolutely no warnings/errors in the CAS logs.

There are absolutely zero code customizations; all libraries are coming from CAS itself.

I have tried updating to 7.1.0, going back to 7.0.0, and removing my custom theme; nothing fixes it.

Any help on how to debug this is appreciated

Alcides Moraes

Sep 27, 2024, 11:49:21 PM
to CAS Community, Alcides Moraes
I have configured the OIDC Sample app for debugging this. (https://github.com/apereo/oidc-sample-java-webapp)
It is working against my 6.6.15 installation with 2 instances.
When upgrading to 7.0.0, it goes into a Too Many Redirects loop, and then CAS shows this error page:

CAS is unable to process this request: "500:Internal Server Error"
There was an error trying .... etc etc
Error: INVALID_TICKET

I deployed it again with only one instance thinking it could be some session replication / hazelcast issue.
But it still behaves the same.

Alcides Moraes

Oct 22, 2024, 10:49:07 PM
to CAS Community, Alcides Moraes
I managed to resolve this.
My issue was that there was a principalAttribute that was too large, and then the ID token was becoming too big and not being set.
I turned off the include-id-token-claims property and this fixed the issue.

I wish there had been some warning in the logs about the ID token being too big; there was nothing.

Daniel Maldonado

Oct 23, 2024, 11:18:40 AM
to cas-...@apereo.org
Which settings did you adjust?

Alcides Moraes

Oct 23, 2024, 9:31:36 PM
to cas-...@apereo.org
At first, I just removed the attribute 'memberOf' from my LDAP auth principalAttributeList, just to check.
This already made it work.

Then I learned about the cas.authn.oidc.id-token.include-id-token-claims property.

It's true by default and forces CAS to add all principalAttributes to the ID token, which is not the correct behavior by OIDC standards.
I turned it to false and now the ID token is clean, with only the default attributes.

I was then able to add memberOf to principalAttributeList again.
Finally I moved memberOf from principalAttributeList to additionalAttributes, this would have fixed it also I believe.

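The silent failure in this thread is worth making visible: an ID token that carries every principal attribute (here a large LDAP memberOf list) grows past what a cookie or HTTP header will hold, and the client sees only a redirect loop or INVALID_TICKET. The script below is an added example, not code from the thread or from CAS: it builds an HS256-signed JWT with a throwaway key, reports its size and the claims that dominate it, and shows what the token looks like once the principal attributes are dropped, which is what setting cas.authn.oidc.id-token.include-id-token-claims=false (or moving memberOf from principalAttributeList to additionalAttributes, as the last post describes) achieves on the CAS side. The 4096-byte budget, the sample claims and the signing key are all assumptions constructed for the demonstration; the thread does not state CAS's actual limit.

```python
"""Added example (not part of the thread or of CAS): audit an OIDC ID token's
size and find the claim that blows the budget, so the "too large" failure the
thread describes is reported instead of staying silent.

Assumptions (constructed for illustration):
- the ID token is an HS256 JWT signed here with a throwaway key;
- SIZE_BUDGET is 4096 bytes, a common cookie/header limit; CAS's real limit is
  not stated in the thread, so adjust it to your proxy and client.
"""
import base64
import hashlib
import hmac
import json

SIZE_BUDGET = 4096  # assumed budget; tune to your reverse proxy / cookie limits


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_id_token(claims: dict, key: bytes) -> str:
    """Serialize claims as a compact HS256 JWT: header.payload.signature."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def decode_claims(token: str) -> dict:
    """Decode the payload without verifying the signature; adequate for a size
    audit only, never for trusting the claims."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore padding for the decoder
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_id_token(token: str, budget: int = SIZE_BUDGET) -> dict:
    """Return the token's total size, whether it exceeds the budget, and the
    three claims that contribute the most encoded bytes (largest first)."""
    claims = decode_claims(token)
    sizes = {
        name: len(_b64url(json.dumps({name: value}, separators=(",", ":")).encode()))
        for name, value in claims.items()
    }
    ranked = sorted(sizes.items(), key=lambda kv: kv[1], reverse=True)
    return {
        "total_bytes": len(token),
        "over_budget": len(token) > budget,
        "largest_claims": ranked[:3],
    }


def strip_to_standard_claims(claims: dict) -> dict:
    """Keep only the claims OIDC Core defines for an ID token and drop the
    principal attributes; this mirrors the effect of turning
    include-id-token-claims off on the CAS side (assumed equivalence)."""
    keep = {"iss", "sub", "aud", "exp", "iat", "auth_time", "nonce",
            "acr", "amr", "azp", "at_hash", "jti"}
    return {name: value for name, value in claims.items() if name in keep}


# Constructed sample: a principal whose LDAP memberOf attribute is very large.
SAMPLE_KEY = b"throwaway-demo-key-not-for-production"
SAMPLE_CLAIMS = {
    "iss": "https://cas.example.org/cas/oidc",
    "sub": "amoraes",
    "aud": "oidc-sample-webapp",
    "exp": 1727392000,
    "iat": 1727388400,
    "memberOf": [f"cn=group-{i},ou=groups,dc=example,dc=org" for i in range(150)],
}

if __name__ == "__main__":
    fat = build_id_token(SAMPLE_CLAIMS, SAMPLE_KEY)
    report = audit_id_token(fat)
    print(f"ID token: {report['total_bytes']} bytes, over budget: {report['over_budget']}")
    for name, size in report["largest_claims"]:
        print(f"  {name}: ~{size} bytes encoded")
    lean = build_id_token(strip_to_standard_claims(SAMPLE_CLAIMS), SAMPLE_KEY)
    print(f"with principal attributes stripped: {len(lean)} bytes")
```

Run it against a token captured from a real client (paste it into audit_id_token) to confirm which attribute is inflating it before touching CAS configuration; the per-claim ranking is what the CAS logs did not provide in this thread.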
