Hi, I'm hoping my usage is pretty common & someone has already made this scenario work properly.
My objective is to use the buji-pac4j-demo-master (3.2.0-SNAPSHOT) project as a starting point as a CAS client, having CAS delegate via the pac4j webflow support; eventually I want to make use of the SSO and ticket management in CAS 5.2.x (5.2.2 currently).
The intended webflow: the demo app (buji-pac4j-demo-master) security filter redirects to CAS via the buji-pac4j CasClient.loginUrl=https://localhost:8443/cas/login, which will redirect to Google.
I've got the buji-pac4j-demo-master configured so I can test using jetty (using https on port 8449).
My CAS 5.2.2 server is listening for incoming https connections on port 8443.
So, my understanding is that CAS will not bother with the CAS-generated login page, but (autoRedirect==true) will just redirect the login request to the one configured delegated IdP.
This works as I expect: I get the usual Google login page, I authenticate & I get redirected, but only back to the CAS login page.
BUT, while it looks as though CAS is processing the redirect from Google [see the log messages below involving org.pac4j.oidc.credentials.extractor.OidcExtractor], there is no sign that it is responding to the application's request; lots of gory details below give me reason to suspect that. First is the response code of 200 on the redirect for CAS to process Google's response.
So my embarrassingly large post boils down to: What am I missing to get CAS to finish the webflow by returning the response with the authenticated credentials back to the initial requesting app, the pac4j demo's SecurityFilter? Any chance it's related to the response header below showing a Set-Cookie field with the following: Secure; HttpOnly?
Thank you for any insights.
-steve
My cas.properties contains the following cas.authn.pac4j.* settings:
cas.authn.pac4j.autoRedirect=true
cas.authn.pac4j.oidc[0].secret=****my-secret****
cas.authn.pac4j.oidc[0].type=GOOGLE
cas.authn.pac4j.oidc[0].scope=openid profile
cas.authn.pac4j.oidc[0].clientName=GoogleOIDC
So the following is working:
Server: Jetty(9.3.8.v20160314)
response header also has Set-Cookie: JSESSIONID=79B39C7E5E5693B5BF61884B52E09FCD; Path=/cas; Secure; HttpOnly
This results in the CAS instance redirecting via a 302 response to the following request URL (same as the response Location above):
I get the Google login page, enter my credentials, and the generated response is a 302 redirect.
The state value matches the value provided in the above CAS (pac4j oidc code) redirect - good.
The redirect response has status code 200. The request cookie has a TGC key, SESSIONID=79B39C7E5E5693B5BF61884B52E09FCD; JSESSIONID=sghbip4bak977llku5mld199
So the cas_audit.log has: (time matches Chrome's display of the request/response details)
WHO: null
WHAT: Supplied credentials: [org.apereo.cas.authentication.principal.ClientCredential@365bbddf[id=<null>]]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Tue Apr 17 10:28:23 EDT 2018
CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1
SERVER IP ADDRESS: 0:0:0:0:0:0:0:1
In the cas.log:
2018-04-17 10:28:22,773 DEBUG [org.apereo.cas.web.flow.InitialFlowSetupAction] - <Warning cookie path is set to [null] and path [/cas/]>
2018-04-17 10:28:22,774 DEBUG [org.apereo.cas.web.flow.InitialFlowSetupAction] - <TGC cookie path is set to [null] and path [/cas/]>
2018-04-17 10:28:22,774 DEBUG [org.apereo.cas.web.support.CookieRetrievingCookieGenerator] - <null>
java.lang.NullPointerException: null
at org.apereo.cas.web.support.DefaultCasCookieValueManager.obtainCookieValue(DefaultCasCookieValueManager.java:62) ~[cas-server-support-cookie-5.2.3.jar!/:5.2.3]
[... stack dump deleted]
2018-04-17 10:28:22,776 DEBUG [org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationAction] - <clientName: [null]>
2018-04-17 10:28:22,776 DEBUG [org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationAction] - <clientName: [null]>
onse_type=code&client_id=****myclientID*****.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Flocalhost%3A8443%2Fcas%2Flogin%3Fclient_name%3DGoogleOIDC&scope=openid+profile&state=jLX6iCY6siWaOmH7VtwjuzpROtM3k_HL8K70LidaZAw>
2018-04-17 10:28:22,777 DEBUG [org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationAction] - <cssClass for GoogleOIDC is fa fa-lock GoogleOIDC >
2018-04-17 10:28:22,973 DEBUG [org.apereo.cas.web.support.CookieRetrievingCookieGenerator] - <null>
java.lang.NullPointerException: null
at org.apereo.cas.web.support.DefaultCasCookieValueManager.obtainCookieValue(DefaultCasCookieValueManager.java:62) ~[cas-server-support-cookie-5.2.3.jar!/:5.2.3]
[... stack dump deleted]
2018-04-17 10:28:22,983 DEBUG [org.apereo.cas.authentication.principal.WebApplicationServiceFactory] - <No service is specified in the request. Skipping service creation>
2018-04-17 10:28:22,986 DEBUG [org.apereo.cas.web.support.DefaultArgumentExtractor] - <No service could be extracted based on the given request>
2018-04-17 10:28:22,986 DEBUG [org.apereo.cas.web.support.AbstractArgumentExtractor] - <Extractor did not generate service.>
2018-04-17 10:28:22,990 DEBUG [org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationAction] - <clientName: [GoogleOIDC]>
2018-04-17 10:28:22,990 DEBUG [org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationAction] - <Client: [#GoogleOidcClient# | name: GoogleOIDC | callbackUrl:
https://localhost:8443/cas/login?client_name=GoogleOIDC | urlResolver: org.pac4j.core.http.DefaultUrlResolver@1e0cd3ba | ajaxRequestResolver: org.pac4j.core.http.DefaultAjaxRequestResolver@10319bc1 | redirectActionBuilder: #OidcRedirectActionBuilder# | configuration: #OidcConfiguration# | clientId: ****myClientID*****.
apps.googleusercontent.com | secret: [protected] | discoveryURI:
https://accounts.google.com/.well-known/openid-configuration | scope: openid profile | customParams: {} | clientAuthenticationMethod: null | useNonce: false | preferredJwsAlgorithm: null | maxClockSkew: 0 | connectTimeout: 500 | readTimeout: 5000 | resourceRetriever: com.nimbusds.jose.util.DefaultResourceRetriever@63e21f95 | callbackUrl:
https://localhost:8443/cas/login?client_name=GoogleOIDC | responseType: null | responseMode: null | logoutUrl: null | | | credentialsExtractor: #OidcExtractor# | configuration: #OidcConfiguration# | clientId: ****myClientID*****.
apps.googleusercontent.com | secret: [protected] | discoveryURI:
https://accounts.google.com/.well-known/openid-configuration | scope: openid profile | customParams: {} | clientAuthenticationMethod: null | useNonce: false | preferredJwsAlgorithm: null | maxClockSkew: 0 | connectTimeout: 500 | readTimeout: 5000 | resourceRetriever: com.nimbusds.jose.util.DefaultResourceRetriever@63e21f95 | callbackUrl:
https://localhost:8443/cas/login?client_name=GoogleOIDC | responseType: null | responseMode: null | logoutUrl: null | | clientName: GoogleOIDC | | authenticator: #OidcAuthenticator# | configuration: #OidcConfiguration# | clientId: ****myClientID*****.
apps.googleusercontent.com | secret: [protected] | discoveryURI:
https://accounts.google.com/.well-known/openid-configuration | scope: openid profile | customParams: {} | clientAuthenticationMethod: null | useNonce: false | preferredJwsAlgorithm: null | maxClockSkew: 0 | connectTimeout: 500 | readTimeout: 5000 | resourceRetriever: com.nimbusds.jose.util.DefaultResourceRetriever@63e21f95 | callbackUrl:
https://localhost:8443/cas/login?client_name=GoogleOIDC | responseType: null | responseMode: null | logoutUrl: null | | clientAuthentication: com.nimbusds.oauth2.sdk.auth.ClientSecretPost@60d65eb5 | | profileCreator: #OidcProfileCreator# | configuration: #OidcConfiguration# | clientId: ****myClientID*****.
apps.googleusercontent.com | secret: [protected] | discoveryURI:
https://accounts.google.com/.well-known/openid-configuration | scope: openid profile | customParams: {} | clientAuthenticationMethod: null | useNonce: false | preferredJwsAlgorithm: null | maxClockSkew: 0 | connectTimeout: 500 | readTimeout: 5000 | resourceRetriever: com.nimbusds.jose.util.DefaultResourceRetriever@63e21f95 | callbackUrl:
https://localhost:8443/cas/login?client_name=GoogleOIDC | responseType: null | responseMode: null | logoutUrl: null | | | logoutActionBuilder: org.pac4j.core.logout.GoogleLogoutActionBuilder@62ab27eb | configuration: #OidcConfiguration# |:
2018-04-17 10:28:22,991 DEBUG [org.pac4j.oidc.credentials.extractor.OidcExtractor] - <Authentication response successful>
2018-04-17 10:28:23,188 DEBUG [org.pac4j.oidc.credentials.authenticator.OidcAuthenticator] - <Token response: status=200, content={
"access_token": "ya29.GlygBV8fhxUWJ1VFv9n7_WdEpxsGAe-govM6B8eIkqlig3SheZdFj-8k2JQetxaNpnCsiqzuxVe5myRRHP0Kws4MGadlrhB2yO7vzV7jkmO2uWFQH5FKzQ2YWt6YnA",
"token_type": "Bearer",
"expires_in": 3599,
"id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjU0MjViYjg0NjE2ZWJmOTczYWU4MGJjNjJhYzY4OGQyYTcyNzE1YWQifQ.[...].BF3PSAdB76QDiMFCAATermVenFYt_qXcTNQiZyf4xct1L5hClWuPPs2YQK1PDGJk4_Vg7mkZEjSSAIwqAhzH8qn5p62PpuxDNYkvjhtQXUZhQWnd0DdFUNwMGRR_La3sBMLj_X0-1tAyZ37Rib2hmTz7fa-pJjsiDQfbYmbX8LCSXNdnPy8madHjdzGXvTbGvsSQBulNEvBUOr83yD7TEmhLO49vpZK7hlX3Cg8eqDY0DwIZ0TuZ6yZsuQCrjS6MPFwDnJRztMj-w_KnwBeYlv2tpOBd5MGai-fr0FBy5PiMcQp_8xR0IyHpagp7onyh1n0o-JZEOmRdHLbffCFQcQ"
2018-04-17 10:28:23,189 DEBUG [org.pac4j.oidc.credentials.authenticator.OidcAuthenticator] - <Token response successful>
2018-04-17 10:28:23,189 DEBUG [org.pac4j.oidc.client.GoogleOidcClient] - <Credentials validation took: 198 ms>
2018-04-17 10:28:23,189 DEBUG [org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationAction] - <Retrieved credentials: [#OidcCredentials# | code: 4/AAA9qlRlbkuWmFzJO1nvr23LnRf4HVoMu9eqJeQ-nzq922D375okGqD52Dv_haMQIYAkV5ikouz3NAtLbJg2csA | clientName: GoogleOIDC | accessToken: ya29.GlygBV8fhxUWJ1VFv9n7_WdEpxsGAe-govM6B8eIkqlig3SheZdFj-8k2JQetxaNpnCsiqzuxVe5myRRHP0Kws4MGadlrhB2yO7vzV7jkmO2uWFQH5FKzQ2YWt6YnA | refreshToken: null | idToken: com.nimbusds.jwt.SignedJWT@6dcc4216 |]>
2018-04-17 10:28:23,190 WARN [org.apereo.cas.authentication.RegisteredServiceAuthenticationHandlerResolver] - <Service [null] is not allowed to use SSO.>
2018-04-17 10:28:23,191 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
2018-04-17 10:28:24,137 DEBUG [org.apereo.cas.web.support.CookieRetrievingCookieGenerator] - <null>
java.lang.NullPointerException: null
at org.apereo.cas.web.support.DefaultCasCookieValueManager.obtainCookieValue(DefaultCasCookieValueManager.java:62) ~[cas-server-support-cookie-5.2.3.jar!/:5.2.3]
Nothing further to indicate that CAS is responding to the initial request with the authentication info.
From the buji-pac4j-demo-master log:
BUJI PAC4J DEMO 10:28:22.603 [qtp761229698-11] DEBUG i.b.pac4j.engine.ShiroSecurityLogic - === SECURITY ===
BUJI PAC4J DEMO 10:28:22.603 [qtp761229698-11] DEBUG i.b.pac4j.engine.ShiroSecurityLogic - matchers: null
BUJI PAC4J DEMO 10:28:22.603 [qtp761229698-11] DEBUG i.b.pac4j.engine.ShiroSecurityLogic - clients: CasClient
BUJI PAC4J DEMO 10:28:22.603 [qtp761229698-11] DEBUG i.b.pac4j.engine.ShiroSecurityLogic - currentClients: [#CasClient# | name: CasClient | callbackUrl:
https://localhost:8449/callback?client_name=CasClient | urlResolver: org.pac4j.core.http.DefaultUrlResolver@22fcc3fc | ajaxRequestResolver: org.pac4j.core.http.DefaultAjaxRequestResolver@75f46400 | redirectActionBuilder: org.pac4j.cas.redirect.CasRedirectActionBuilder@61d03c5 | credentialsExtractor: org.pac4j.cas.credentials.extractor.TicketAndLogoutRequestExtractor@1d86c6cf | authenticator: org.pac4j.cas.credentials.authenticator.CasAuthenticator@5aba8cdb | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@7c5323ec | logoutActionBuilder: #CasLogoutActionBuilder# | serverLogoutUrl:
https://localhost:8443/cas/logout | postLogoutUrlParameter: service | | configuration: #CasConfiguration# | loginUrl:
https://localhost:8443/cas/login | prefixUrl:
https://localhost:8443/cas/ | restUrl:
https://localhost:8443/cas/v1/tickets | protocol: CAS30 | renew: false | gateway: false | encoding: UTF-8 | logoutHandler: #ShiroCasLogoutHandler# | store: #GuavaStore# | size: 10000 | timeout: 30 | timeUnit: MINUTES | | destroySession: false | | acceptAnyProxy: false | allowedProxyChains: [] | proxyReceptor: null | timeTolerance: 1000 | postLogoutUrlParameter: service | defaultTicketValidator: null | urlResolver: org.pac4j.core.http.DefaultUrlResolver@22fcc3fc | |]
BUJI PAC4J DEMO 10:28:22.604 [qtp761229698-11] DEBUG i.b.pac4j.engine.ShiroSecurityLogic - loadProfilesFromSession: true
BUJI PAC4J DEMO 10:28:22.604 [qtp761229698-11] DEBUG i.b.pac4j.engine.ShiroSecurityLogic - profiles: []
BUJI PAC4J DEMO 10:28:22.604 [qtp761229698-11] DEBUG i.b.pac4j.engine.ShiroSecurityLogic - Starting authentication
That's it. No response-processing log messages.
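Added here as an illustration, not code from the post or from CAS/pac4j: a small Python check over the three redirects the post walks through (app to /cas/login, CAS to Google, Google back to the CAS callback), flagging a missing service parameter on the login request, a redirect_uri that differs from the configured callbackUrl, and a state mismatch on the callback. The Google authorization endpoint, the placeholder client id, code and state, and the function names are assumptions.

```python
from urllib.parse import parse_qs, urlsplit

# pac4j OIDC callbackUrl exactly as the CAS log in the post prints it.
CAS_OIDC_CALLBACK = "https://localhost:8443/cas/login?client_name=GoogleOIDC"

# Constructed sample redirect chain modelled on the post's flow; ids, code and
# state are placeholders, and the Google authorization endpoint is assumed.
SAMPLE_LOGIN = ("https://localhost:8443/cas/login?service="
                "https%3A%2F%2Flocalhost%3A8449%2Fcallback%3Fclient_name%3DCasClient")
SAMPLE_AUTHZ = ("https://accounts.google.com/o/oauth2/v2/auth?response_type=code"
                "&client_id=CLIENT_ID.apps.googleusercontent.com"
                "&redirect_uri=https%3A%2F%2Flocalhost%3A8443%2Fcas%2Flogin%3Fclient_name%3DGoogleOIDC"
                "&scope=openid+profile&state=STATE123")
SAMPLE_CALLBACK = "https://localhost:8443/cas/login?client_name=GoogleOIDC&code=CODE456&state=STATE123"


def _query(url):
    """Decode the query string of url into a dict of single values."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def check_delegation_chain(login_url, authz_url, callback_url, expected_callback=CAS_OIDC_CALLBACK):
    """Check the three hops of one CAS -> OIDC delegation; return a list of findings.

    login_url is the application's request to /cas/login, authz_url the 302
    Location CAS answers with, callback_url the browser's return to CAS.
    """
    findings = []
    login_q, authz_q, cb_q = _query(login_url), _query(authz_url), _query(callback_url)
    # CAS can only return a ticket to a service it was told about; without one
    # the server log reads "No service is specified in the request".
    if "service" not in login_q:
        findings.append("login request carries no service parameter")
    # The redirect_uri sent to the provider must be the registered callbackUrl,
    # otherwise the provider rejects it or delivers the code somewhere else.
    if authz_q.get("redirect_uri") != expected_callback:
        findings.append("redirect_uri differs from configured callbackUrl")
    # The provider must echo the same state; a mismatch means the callback does
    # not belong to this authorization request (CSRF / mix-up protection).
    if not authz_q.get("state") or authz_q.get("state") != cb_q.get("state"):
        findings.append("state on callback does not match authorization request")
    # Authorization code flow: the callback has to carry a code to exchange.
    if "code" not in cb_q:
        findings.append("callback carries no authorization code")
    # client_name is how CAS routes the callback to the GoogleOIDC client.
    if cb_q.get("client_name") != _query(expected_callback).get("client_name"):
        findings.append("callback client_name does not select the delegated client")
    return findings
```

Feed it the three URLs copied from the browser's network panel; an empty list means every hop carried what the next one needs.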