OIDC Service Unauthorized

Juan Fernando Rivera
Aug 27, 2024, 1:10:21 AM
to CAS Community
Hi, I'm having trouble accessing OIDC services from the "/cas/login?service=" endpoint. Using "/cas/oidc/authorize" there is no problem with the flow, but I want to understand why it is not working when using "/cas/login?service=".

Using "/cas/login?service=" with a CasRegisteredService there is no problem. When using an OidcRegisteredService, a "Service unauthorized" error appears, as if it were not registered. BUT, if I access "/actuator/RegisteredServices", it appears there.

In case it is not possible by design, please say so.

This is what I consider the relevant configuration; if more is needed, please let me know.

The application you attempted to authenticate to is not authorized to use CAS. This usually indicates that the application is not registered with CAS, or its authorization policy defined in its registration record prevents it from leveraging CAS functionality, or it's malformed and unrecognized by CAS. Contact your CAS administrator to learn how you might register and integrate your application with CAS.

CasService.json
{
    "@class" : "org.apereo.cas.services.CasRegisteredService",
    "serviceId" : "https://app.example.org",
    "name" : "ApplicationName",
    "id" : 1001
}

OidcService.json
{
    "@class" : "org.apereo.cas.services.OidcRegisteredService",
    "clientId" : "my-client-id",
    "clientSecret" : "my-client-secret",
    "serviceId" : "https://my.application.com/oidc",
    "name" : "OIDC",
    "description" : "A sample OIDC client application",
    "id" : 1002
}

build.gradle
dependencies {
    /**
     * CAS dependencies and modules may be listed here.
     *
     * There is no need to specify the version number for each dependency
     * since versions are all resolved and controlled by the dependency management
     * plugin via the CAS bom.
     **/
    implementation "org.apereo.cas:cas-server-support-rest"
    implementation "org.apereo.cas:cas-server-support-reports"
    implementation "org.apereo.cas:cas-server-support-json-service-registry"
    implementation "org.apereo.cas:cas-server-support-ldap"
    implementation "org.apereo.cas:cas-server-support-oidc"
}

cas.properties
# ------OIDC------
cas.authn.oidc.core.issuer=${cas.server.name}/oidc
#cas.authn.oidc.core.skew=PT5M
cas.authn.oidc.jwks.file-system.jwks-file=file:///etc/cas/config/keystore.jwks


/cas/actuator/registeredServices
{
    "0" : "java.util.ArrayList",
    "1" : [
        {
            "@class" : "org.apereo.cas.services.CasRegisteredService",
            "serviceId" : "https://app.example.org",
            "name" : "ApplicationName",
            "id" : 1001
        },
        {
            "@class" : "org.apereo.cas.services.OidcRegisteredService",
            "serviceId" : "https://my.application.com/oidc",
            "name" : "OIDC",
            "id" : 1002,
            "description" : "A sample OIDC client application",
            "clientSecret" : "my-client-secret",
            "clientId" : "my-client-id"
        }
    ]
}

Thanks in advance.
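The "Service unauthorized" decision, as an added example that is not part of the thread and not CAS's own code: it loads the two registration records posted above, matches a requested URL against serviceId the way CAS evaluates it (as a regex searched with find(), not a full-string match), and models the OIDC lookup as additionally requiring the request's client_id to equal the record's clientId. That client_id requirement is this example's assumption about CAS's OIDC service locator, not something the thread states; it is the simplest model that reproduces what is reported (the OIDC record is selected from /cas/oidc/authorize, which carries client_id, and not from /cas/login?service=, which does not). ANCHORED_CAS_SERVICE_ID is a hypothetical hardened serviceId added here to show why the unescaped, unanchored patterns in the posted records match more URLs than intended.

```python
"""Model of the CAS "Service unauthorized" decision for the two records in the
thread. Added example, not CAS code."""
import json
import re
from urllib.parse import parse_qs

# The two registration records posted in the thread, embedded inline.
REGISTRY_JSON = [
    """{
        "@class" : "org.apereo.cas.services.CasRegisteredService",
        "serviceId" : "https://app.example.org",
        "name" : "ApplicationName",
        "id" : 1001
    }""",
    """{
        "@class" : "org.apereo.cas.services.OidcRegisteredService",
        "clientId": "my-client-id",
        "clientSecret": "my-client-secret",
        "serviceId" : "https://my.application.com/oidc",
        "name": "OIDC",
        "description": "A sample OIDC client application",
        "id": 1002
    }""",
]

# Hypothetical hardened serviceId for the CAS record: anchored, dots escaped.
ANCHORED_CAS_SERVICE_ID = r"^https://app\.example\.org(/[^?#]*)?$"


def load_registry(records):
    """Parse the JSON records into dicts, as the JSON service registry would."""
    return [json.loads(r) for r in records]


REGISTRY = load_registry(REGISTRY_JSON)


def service_id_matches(pattern, url):
    """serviceId is compiled as a regex and tested with find() semantics:
    a search anywhere in the URL, not a full-string match."""
    return re.compile(pattern).search(url) is not None


def find_service(registry, service_url, client_id=None):
    """Return the first record whose serviceId matches, or None.
    None is what CAS renders as "Service unauthorized".

    Assumption (not stated in the thread): an OidcRegisteredService is only
    selected when the request also carries a client_id equal to the record's
    clientId. The OIDC authorize endpoint supplies one; /cas/login?service=
    does not."""
    for rec in registry:
        if not service_id_matches(rec["serviceId"], service_url):
            continue
        if rec["@class"].endswith("OidcRegisteredService") and client_id != rec["clientId"]:
            continue
        return rec
    return None


def resolve_login(service_param):
    """Model of /cas/login?service=<url>: only the URL is available."""
    return find_service(REGISTRY, service_param)


def resolve_oidc_authorize(query_string):
    """Model of /cas/oidc/authorize?client_id=..&redirect_uri=..&scope=..:
    redirect_uri is matched against serviceId together with client_id."""
    q = parse_qs(query_string)
    redirect_uri = q.get("redirect_uri", [""])[0]
    client_id = q.get("client_id", [None])[0]
    return find_service(REGISTRY, redirect_uri, client_id)


def lint_service_id(pattern):
    """Warn about serviceId patterns that match more than intended."""
    warnings = []
    if not pattern.startswith("^"):
        warnings.append("unanchored: find() also matches inside a longer URL")
    if re.search(r"(?<!\\)\.", pattern):
        warnings.append("unescaped '.' matches any character")
    return warnings


if __name__ == "__main__":
    for url in ("https://app.example.org/login", "https://my.application.com/oidc"):
        rec = resolve_login(url)
        print(f"/cas/login?service={url} -> {rec['id'] if rec else 'Service unauthorized'}")
    rec = resolve_oidc_authorize(
        "client_id=my-client-id&redirect_uri=https://my.application.com/oidc&scope=openid")
    print(f"/cas/oidc/authorize -> {rec['id'] if rec else 'Service unauthorized'}")
    for rec in REGISTRY:
        print(rec["serviceId"], lint_service_id(rec["serviceId"]))
```

Running it shows the CAS record resolving from /cas/login?service=, the OIDC record resolving only from the authorize query, and a lint warning for both posted serviceId values: "https://app.example.org" as a regex also matches "https://app.example.org.attacker.net/" and "https://appXexampleXorg", which the anchored, escaped pattern does not.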



Ray Bon
Aug 27, 2024, 2:37:10 PM
to cas-...@apereo.org
Juan,

OIDC reaches CAS at a different endpoint.
I use 
cas/oidc/oidcAuthorize?scope=...

Ray

On Mon, 2024-08-26 at 18:57 -0700, Juan Fernando Rivera wrote: