CAS 6.2.1: InvalidTicketException after Login with OIDC
60 views
Skip to first unread message
Frederik B.
Sep 14, 2020, 8:16:59 AM9/14/20
to CAS Community
We use CAS as an OIDC Provider for our service. After upgrading from 6.0 to 6.2 we received reports from some of our users that they weren't able to login anymore but were presented an error page with a org.apereo.cas.ticket.InvalidTicketException.
We found that the users reporting the problem use a bookmark of the CAS Login URL https://www.example.com/cas/login?service=https%3A%2F%2Fwww.example.com%2Fcas%2Foauth2.0%2FcallbackAuthorize%3Fclient_id%3D123%26redirect_uri%3Dhttps%253A%252F%252Fwww.example.com%252Fmyservice%252Flogin%252Foauth2%252Fcode%252Fcas-oidc%26response_type%3Dcode%26client_name%3DCasOAuthClient to reach our service. This causes the OAuth20CallbackAuthorizeEndpointController to redirect the request to the default value 'context.getFullRequestURL()' because the actual service URL was not previously stored by the SavedRequestHandler. Since context.getFullRequestURL() returns '/oauth2.0/callbackAuthorize' with the current Service Ticket as URL parameter, the redirect results in an InvalidTicketException because the Service Ticket was already consumed by the previous request.
In CAS 6.0 bookmarking /cas/login worked for us because the default behavior was a redirect to '/' which is configured to redirect to our service on our side.
I understand, that redirecting to '/' may not be generally useful behavior but the current default of 'context.getFullRequestURL()' seems worse, since it immediately fails. Wouldn't the 'cas.view.default-redirect-url' (if set) or 'cas/login' be better defaults?
We found that the users reporting the problem use a bookmark of the CAS Login URL https://www.example.com/cas/login?service=https%3A%2F%2Fwww.example.com%2Fcas%2Foauth2.0%2FcallbackAuthorize%3Fclient_id%3D123%26redirect_uri%3Dhttps%253A%252F%252Fwww.example.com%252Fmyservice%252Flogin%252Foauth2%252Fcode%252Fcas-oidc%26response_type%3Dcode%26client_name%3DCasOAuthClient to reach our service. This causes the OAuth20CallbackAuthorizeEndpointController to redirect the request to the default value 'context.getFullRequestURL()' because the actual service URL was not previously stored by the SavedRequestHandler. Since context.getFullRequestURL() returns '/oauth2.0/callbackAuthorize' with the current Service Ticket as URL parameter, the redirect results in an InvalidTicketException because the Service Ticket was already consumed by the previous request.
In CAS 6.0 bookmarking /cas/login worked for us because the default behavior was a redirect to '/' which is configured to redirect to our service on our side.
I understand, that redirecting to '/' may not be generally useful behavior but the current default of 'context.getFullRequestURL()' seems worse, since it immediately fails. Wouldn't the 'cas.view.default-redirect-url' (if set) or 'cas/login' be better defaults?
Ray Bon
Sep 14, 2020, 11:44:55 AM9/14/20
to cas-...@apereo.org
Frederik,
This sounds like something that could be fixed with user education. Why would a user bookmark a log in page?
cas.view.default-redirect-url will only be triggered if no service is provided.
Ray
On Mon, 2020-09-14 at 05:16 -0700, 'Frederik B.' via CAS Community wrote:
Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.
--
Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca
I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.
Frederik B.
Sep 16, 2020, 11:38:10 AM9/16/20
to CAS Community, Ray Bon
Hi Ray,
they bookmark the login page because they are directly redirected there when they call our service. I assume that most users don't notice that they were redirected to a different server to log in.
I'd prefer to improve the way CAS handles this situation so that it doesn't result in an Exception shown the user.
In our case, using cas.view.default-redirect-url as default in OAuth20CallbackAuthorizeEndpointController seems to be a reasonable solution. But maybe there is a better approach that I'm missing.
Frederik
they bookmark the login page because they are directly redirected there when they call our service. I assume that most users don't notice that they were redirected to a different server to log in.
I'd prefer to improve the way CAS handles this situation so that it doesn't result in an Exception shown the user.
In our case, using cas.view.default-redirect-url as default in OAuth20CallbackAuthorizeEndpointController seems to be a reasonable solution. But maybe there is a better approach that I'm missing.
Frederik
Reply all
Reply to author
Forward
0 new messages