"Ticket cannot be null" - CAS 5.2.0 using OAuth2 Authentication Code


Diego Henrique Pagani

Dec 21, 2017, 11:57:24 AM
to CAS Community
Hello,

I'm trying to set up my application to log in to CAS 5.2.0 using the OAuth2 protocol. When I try to get the access token, the CAS server returns a 500 code to my application and has this stack in the log:

2017-12-21 13:53:27,263 ERROR [org.springframework.boot.web.support.ErrorPageFilter] - <Forwarding to error page from request [/oauth2.0/accessToken] due to exception [ticket cannot be null]>
java.lang.RuntimeException: ticket cannot be null
 at org.apereo.cas.support.oauth.web.endpoints.OAuth20AccessTokenEndpointController.handleRequest(OAuth20AccessTokenEndpointController.java:120) ~[cas-server-support-oauth-5.2.0.jar:5.2.0]
 at org.apereo.cas.support.oauth.web.endpoints.OAuth20AccessTokenEndpointController$$FastClassBySpringCGLIB$$db180f28.invoke(<generated>) ~[cas-server-support-oauth-5.2.0.jar:5.2.0]
 at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204) ~[spring-core-4.3.12.RELEASE.jar:4.3.12.RELEASE]
 at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:738) ~[spring-aop-4.3.12.RELEASE.jar:4.3.12.RELEASE]
 at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157) ~[spring-aop-4.3.12.RELEASE.jar:4.3.12.RELEASE]
[...]

I'm using a Maven WAR overlay, registering services using JSON files, and authenticating with a txt file, just for testing.

Here is my service JSON config (the trailing comma after "attributeReleasePolicy" has been dropped so the file is valid JSON):
{
  "@class": "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
  "serviceId": "^http://.*",
  "name": "application_name",
  "id": 1000,
  "clientId": 123,
  "clientSecret": 123,
  "jsonFormat": false,
  "bypassApprovalPrompt": true,
  "generateRefreshToken": false,
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  }
}

My application.yml:
server:
  ssl:
    enabled: true
    key-store: ./keystore.jks
    key-store-password: password
    key-password: password
    key-alias: cas
cas:
  server:
  authn:
    accept:
      users: null
    file:
      filename: classpath:whitelist.txt
  adminPagesSecurity:
    ip: 127.0.0.1
    loginUrl: https://10.19.10.33:8443/cas/login
    adminRoles: ROLE_ADMIN
    users: classpath:/adminusers.properties
  monitor:
    endpoints:
      enabled: true
      sensitive: false
  serviceRegistry:
    yaml:
      location: classpath:/services
  tgc:
    path: null
    maxAge: -1
    domain: localhost
    name: TGC
    secure: false
    httpOnly: true
    rememberMeMaxAge: 1209600
    crypto:
      encryption:
        key: <hide>
      signing:
        key: <hide>
      enabled: true
    monitor:
      st:
        warn:
          threshold: 10
          evictionThreshold: 0
      tgt:
        warn:
          threshold: 10
          evictionThreshold: 0
spring:
  config:
    name: cfs-cas
management:
  contextPath: /status
  security:
    enabled: true
    roles: ADMIN
    sessions: IF_REQUIRED
logging:
  config: classpath:log4j2.xml

Is there something I'm missing? 

Diego Henrique Pagani

Dec 21, 2017, 3:45:40 PM
to CAS Community
Just to add, I tested with Postman and received the same error and symptoms.

Sorry for my bad English :)

Diego Henrique Pagani

Dec 26, 2017, 7:48:02 AM
to CAS Community
Is there anyone else who has had this kind of problem?


On Thursday, 21 December 2017 14:57:24 UTC-2, Diego Henrique Pagani wrote:

Diego Henrique Pagani

Jan 3, 2018, 7:22:58 PM
to CAS Community
Hello, 
I have discovered what happened. There is something when you are using OAuth2 Authorization Code and the CAS ticket. If you have a valid access_token but an invalid TGT, these symptoms appear, and it should return an invalid access_token instead.

There is another problem using the OAuth2 protocol: when you ask for an access_token passing grant_type=authorization_code&client_id=ID&client_secret=SECRET&code=CODE&redirect_uri=CALLBACK and then access the /profile URL passing the access_token received, the ID returned is the name of the service, instead of the user id that authenticated before. If you send the same parameters without the client_secret, it returns another access_token, and doing the same check at the /profile URL returns the correct user id. I saw that something changed in version 5.3-RC, but I haven't checked if it has already been corrected.

Thanks
Sorry for my bad English



On Thursday, 21 December 2017 14:57:24 UTC-2, Diego Henrique Pagani wrote:
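As an added example (not code from this thread, from CAS or from pac4j), here is a small client-side helper for the two symptoms Diego describes: treating the 500 "ticket cannot be null" from /oauth2.0/accessToken as "restart the authorization-code flow" rather than a fatal error, and refusing to trust a /oauth2.0/profile reply whose id is the registered service name instead of a user. The response shapes (form-encoded body for "jsonFormat": false, JSON for true, and a JSON profile with "id" and "attributes") are assumptions to check against your own CAS deployment.

```python
"""Client-side handling of the CAS 5.2 OAuth2 symptoms described in this thread.
Added example; response formats are assumptions, not verified CAS behaviour."""
import json
from urllib.parse import parse_qs

# Exception text quoted in the thread when the TGT behind the code has expired.
TICKET_NULL_MARKER = "ticket cannot be null"


def parse_access_token_response(status, body, json_format):
    """Return (access_token, expires_seconds), or None when the client should
    send the user back to /oauth2.0/authorize because the TGT is stale."""
    if status == 500 or TICKET_NULL_MARKER in body:
        return None  # Diego's workaround: redirect to CAS again, not a hard failure
    if json_format:  # "jsonFormat": true -> JSON body (assumed shape)
        data = json.loads(body)
        return data["access_token"], int(data.get("expires_in", 0))
    # "jsonFormat": false -> access_token=...&expires=... (assumed shape)
    fields = parse_qs(body)
    return fields["access_token"][0], int(fields.get("expires", ["0"])[0])


def profile_subject(profile_body, registered_service_name):
    """Return the authenticated user id from /oauth2.0/profile, or None when
    the 'id' is really the registered service's name (the mix-up reported
    above), so the application never logs a user in as 'application_name'."""
    profile = json.loads(profile_body)
    subject = profile.get("id")
    if not subject or subject == registered_service_name:
        return None
    return subject


def main():
    # Constructed sample responses modelled on the thread, not captured output.
    ok = parse_access_token_response(200, "access_token=AT-1-abc&expires=28800", False)
    stale = parse_access_token_response(500, "<html>ticket cannot be null</html>", False)
    user = profile_subject('{"id":"casuser","attributes":{"mail":"u@example.org"}}',
                           "application_name")
    svc = profile_subject('{"id":"application_name","attributes":{}}', "application_name")
    print("token:", ok, "| stale:", stale, "| user:", user, "| service-as-id:", svc)


if __name__ == "__main__":
    main()
```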

Matthias Gliwka

Jul 4, 2018, 5:43:27 AM
to CAS Community
Hi Diego,

Can you elaborate more about the TGT tickets? How did you get it to work? I'm having the exact same symptoms here (500 - ticket cannot be null while getting the access token).

Kind regards,
Matthias Gliwka

Diego Henrique Pagani

Jul 4, 2018, 8:51:00 AM
to cas-...@apereo.org
Hi Matthias,

I did something that is not correct... When it happens, I redirect the user to CAS again and, because the user's session in CAS is valid, CAS returns to my application and everything is fine.


After all of the problems, I decided to use the CAS protocol in my application, using pac4j, where everything works fine.



--
Diego Henrique Pagani

Andy Ng

Jul 6, 2018, 10:01:04 AM
to CAS Community
Hi Matthias,

CAS 5.2.0 OAuth is a bit weird imo, maybe try upgrading to 5.3.0.

CAS has done lots of fixes on OAuth in the 5.3.0 release, so maybe it will fix your problem.

Cheers!
- Andy