Null pointer when using delegated auth and renew=true

[Mark van Rossum]

Hi,

I can't see an issue tracker on the CAS Github site, so I hope this is the correct place to raise a bug instead.  If there is a separate issue tracker somewhere please let me know.

We are replacing an old CAS implementation with 6.3.2, and the new one uses OAuth to delegate to Azure AD.

This works fine, except when an existing client has renew=true set.  

In this situation, the first request from the client works OK.  If I then logout from client session (but not CAS session) and then try to reauthenticate I get:

"Unauthorized Access

Either the authentication request was rejected/cancelled, or the authentication provider denied access due to permissions, etc. Review logs to find the root cause of the issue."

And the logs show a NullPointerException:

2021-03-25 21:53:43,121 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationTransactionManager] - <Transaction ignored since there are no credentials to authenticate>

2021-03-25 21:53:43,121 WARN [org.apereo.cas.authentication.DefaultAuthenticationResultBuilder] - <No authentication event has been recorded; CAS cannot finalize the authentication result>

2021-03-25 21:53:43,121 INFO [org.apereo.cas.authentication.DefaultAuthenticationResultBuilder] - <Authentication result cannot be produced because no authentication is recorded into in the chain. Returning null>

2021-03-25 21:53:43,124 ERROR [org.apereo.cas.web.flow.DelegatedClientAuthenticationAction] - <NullPointerException>

java.lang.NullPointerException: null

Has anyone else encountered this and/or know of a workaround?

I can push a fully worked example somewhere showing this bug if that is helpful?

Many thanks!

Mark van Rossum