Azure AD Delegated login, issue with DISSESSION cookie during logout


Pablo Vidaurri

Jan 10, 2024, 11:28:32 PM
to CAS Community
CAS 6.6.8 

A couple of problems with Azure AD delegated login via the pac4j OIDC out-of-the-box button click feature.
1) Two TGC cookies are being created, the 2nd with an empty value. This is causing the TGC to not be available, and my session is not being created. actuator/sso even returns a 400. To get around this I commented out a line of code in InitialFlowSetupAction.java. That seems to get around this issue, but I'm not certain if I'm causing other issues.

2) I see a DISSESSION cookie being created at login. I don't recall seeing this cookie before enabling delegated login to Azure AD. The problem that I'm seeing with this is that I get a 500 error when logging out. 

2024-01-08 15:29:13,937 ERROR [org.springframework.boot.web.servlet.support.ErrorPageFilter] (default task-454) Forwarding to error page from request [/logout]
due to exception [Exception thrown executing org.apereo.cas.web.flow.actions.DelegatedAuthenticationClientLogoutAction@4120bab in state 'terminateSession' of flow 'logout'
-- action execution attributes were 'map[[empty]]']: org.springframework.webflow.execution.ActionExecutionException:
Exception thrown executing org.apereo.cas.web.flow.actions.DelegatedAuthenticationClientLogoutAction@4120bab in state 'terminateSession' of
flow 'logout' -- action execution attributes were 'map[[empty]]'
.
.
.
Caused by: java.lang.ClassCastException: class java.lang.String cannot be cast to class org.pac4j.core.profile.UserProfile (java.lang.String is in module java.base of loader 'bootstrap';
org.pac4j.core.profile.UserProfile is in unnamed module of loader 'deployment.cas.war' @512a9b9)
        at deployment.cas.war//org.pac4j.core.profile.ProfileManager.removeOrRenewExpiredProfiles(ProfileManager.java:98)
        at deployment.cas.war//org.pac4j.core.profile.ProfileManager.retrieveAll(ProfileManager.java:89)
        at deployment.cas.war//org.pac4j.core.profile.ProfileManager.getProfile(ProfileManager.java:50)


If I manually delete the cookie after login, I see my session is still active, actuator/sso returns 200 with session info, and logout is not an issue.

-psv

Pablo Vidaurri

Apr 17, 2024, 8:43:51 PM
to CAS Community, Pablo Vidaurri
Back to debugging this issue:

2024-01-08 15:29:13,937 ERROR [org.springframework.boot.web.servlet.support.ErrorPageFilter] (default task-454) Forwarding to error page from request [/logout]
due to exception [Exception thrown executing org.apereo.cas.web.flow.actions.DelegatedAuthenticationClientLogoutAction@4120bab in state 'terminateSession' of flow 'logout'
-- action execution attributes were 'map[[empty]]']: org.springframework.webflow.execution.ActionExecutionException:
Exception thrown executing org.apereo.cas.web.flow.actions.DelegatedAuthenticationClientLogoutAction@4120bab in state 'terminateSession' of
flow 'logout' -- action execution attributes were 'map[[empty]]'
.
.
.
Caused by: java.lang.ClassCastException: class java.lang.String cannot be cast to class org.pac4j.core.profile.UserProfile (java.lang.String is in module java.base of loader 'bootstrap';
org.pac4j.core.profile.UserProfile is in unnamed module of loader 'deployment.cas.war' @512a9b9)
        at deployment.cas.war//org.pac4j.core.profile.ProfileManager.removeOrRenewExpiredProfiles(ProfileManager.java:98)
        at deployment.cas.war//org.pac4j.core.profile.ProfileManager.retrieveAll(ProfileManager.java:89)
        at deployment.cas.war//org.pac4j.core.profile.ProfileManager.getProfile(ProfileManager.java:50)



Looks like pac4j v5.4.6 is in use.
Adding debug statements to ProfileManager class, the offending line 98 is
final var profile = entry.getValue();

Added debug statements; the value, which should be the profile object, looks like an encrypted value instead.
key=AzureAdClient
value=[opaque string omitted]

Looking at debug statement for
2024-04-17 15:05:53,429 DEBUG [org.pac4j.core.profile.ProfileManager] (default task-1901) Saving profiles (session) ... I see values which look to be related to profile (azure ad user info).

Anyone dealt with this? Looks either to be a pac4j code issue or I'm missing a setting in my oidc config.

-psv
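
An added example, not part of the posts above and not pac4j or CAS code: it shows why a `String` stored where a profile is expected only fails at the `entry.getValue()` line (generic type erasure defers the cast to the point of use), next to a type-checked read that reports the bad entry by type without logging its value. `UserProfile` here is a local stand-in for `org.pac4j.core.profile.UserProfile`, the class and method names are hypothetical, and the session content is constructed; it does not identify why the value in the thread is a string.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class SessionProfileTypeCheck {
    // Stand-in for org.pac4j.core.profile.UserProfile so the example compiles alone.
    interface UserProfile { String getId(); }

    // Mirrors the failing pattern: the session attribute is trusted to be a
    // Map<String, UserProfile>; erasure defers the type check to getValue().
    @SuppressWarnings("unchecked")
    static int readUnchecked(Object sessionAttribute) {
        var profiles = (Map<String, UserProfile>) sessionAttribute;
        int count = 0;
        for (var entry : profiles.entrySet()) {
            final var profile = entry.getValue(); // ClassCastException surfaces here
            if (profile != null) count++;
        }
        return count;
    }

    // Defensive read: keep only real profiles, report everything else by type.
    static Map<String, UserProfile> readChecked(Object sessionAttribute) {
        var result = new LinkedHashMap<String, UserProfile>();
        if (!(sessionAttribute instanceof Map)) return result;
        for (Map.Entry<?, ?> entry : ((Map<?, ?>) sessionAttribute).entrySet()) {
            Object value = entry.getValue();
            if (entry.getKey() instanceof String && value instanceof UserProfile) {
                result.put((String) entry.getKey(), (UserProfile) value);
            } else {
                // Log the type only; the value may be sensitive session material.
                System.out.printf("dropping key=%s, unexpected type=%s%n", entry.getKey(),
                        value == null ? "null" : value.getClass().getName());
            }
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed session content: one valid profile, one String where a profile belongs.
        Map<String, Object> stored = new LinkedHashMap<>();
        stored.put("GoodClient", (UserProfile) () -> "user-1");
        stored.put("AzureAdClient", "constructed-opaque-string");
        try {
            readUnchecked(stored);
        } catch (ClassCastException e) {
            System.out.println("unchecked read failed: " + e.getMessage());
        }
        System.out.println("checked read kept: " + readChecked(stored).keySet());
    }
}
```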