cas/oidc/.well-known endpoint not working in 7.x

[Matthew Gordon]

Hello,

I have been working on deploying CAS 7.0.6, with OIDC support: https://apereo.github.io/cas/development/protocol/OIDC-Protocol.html

With the overlay method and these dependencies: core-events-configuration,support-ldap,support-git-service-registry,support-gauth,support-saml,support-saml-idp,support-oauth-webflow,support-oidc,support-redis-ticket-registry,support-surrogate-webflow,support-surrogate-authentication-rest,support-interrupt-webflow,support-throttle,support-trusted-mfa-redis

I added support-oauth-webflow even though I did not need it in 6.x, just in case.

Everything appears to build and run correctly with embedded tomcat, except for OIDC.

I am unable to access:

cas/oidc/.well-known

or

cas/oidc/jwks

I get this when accessing the jwks endpoint:

2024-07-31 07:53:41,251 DEBUG [org.springframework.security.web.FilterChainProxy] - <Securing GET /oidc/jwks>
2024-07-31 07:53:41,252 DEBUG [org.springframework.security.web.FilterChainProxy] - <Secured GET /oidc/jwks>
2024-07-31 07:53:41,252 DEBUG [org.springframework.web.servlet.DispatcherServlet] - <GET "/cas/oidc/jwks", parameters={}>
2024-07-31 07:53:41,252 DEBUG [org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping] - <Mapped to org.apereo.cas.oidc.web.controllers.jwks.OidcJwksEndpointController#handleRequestInternal(HttpServletRequest, HttpServletResponse, String)>
2024-07-31 07:53:41,254 DEBUG [org.springframework.web.servlet.mvc.method.annotation.HttpEntityMethodProcessor] - <Using 'application/json;q=0.8', given [text/html, application/xhtml+xml, image/avif, image/webp, image/png, image/svg+xml, application/xml;q=0.9, */*;q=0.8] and supported [application/json]>
2024-07-31 07:53:41,254 DEBUG [org.springframework.web.servlet.mvc.method.annotation.HttpEntityMethodProcessor] - <Writing [{error=invalid_request, error_description=Invalid issuer}]>
2024-07-31 07:53:41,255 DEBUG [org.springframework.web.servlet.DispatcherServlet] - <Completed 400 BAD_REQUEST>
2024-07-31 07:53:41,255 DEBUG [org.springframework.security.web.authentication.AnonymousAuthenticationFilter] - <Set SecurityContextHolder to anonymous SecurityContext>

and this for .well-known

2024-07-31 07:54:38,421 DEBUG [org.springframework.security.web.FilterChainProxy] - <Securing GET /oidc/.well-known>
2024-07-31 07:54:38,422 DEBUG [org.springframework.security.web.FilterChainProxy] - <Secured GET /oidc/.well-known>
2024-07-31 07:54:38,422 DEBUG [org.springframework.web.servlet.DispatcherServlet] - <GET "/cas/oidc/.well-known", parameters={}>
2024-07-31 07:54:38,422 DEBUG [org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping] - <Mapped to org.apereo.cas.oidc.web.controllers.discovery.OidcWellKnownEndpointController#getWellKnownDiscoveryConfiguration(HttpServletRequest, HttpServletResponse)>
2024-07-31 07:54:38,424 WARN [org.apereo.cas.oidc.web.controllers.discovery.OidcWellKnownEndpointController] - <Unable to accept request; issuer for endpoint [.well-known] is invalid>
2024-07-31 07:54:38,424 DEBUG [org.springframework.web.servlet.mvc.method.annotation.HttpEntityMethodProcessor] - <Using 'application/json;q=0.8', given [text/html, application/xhtml+xml, image/avif, image/webp, image/png, image/svg+xml, application/xml;q=0.9, */*;q=0.8] and supported [application/json]>
2024-07-31 07:54:38,424 DEBUG [org.springframework.web.servlet.mvc.method.annotation.HttpEntityMethodProcessor] - <Nothing to write: null body>
2024-07-31 07:54:38,425 DEBUG [org.springframework.web.servlet.DispatcherServlet] - <Completed 404 NOT_FOUND>
2024-07-31 07:54:38,425 DEBUG [org.springframework.security.web.authentication.AnonymousAuthenticationFilter] - <Set SecurityContextHolder to anonymous SecurityContext>

I am new to using the embedded tomcat and noticed I get "Non-secure Connection" warnings on the login page despite having the following config settings:

server.servlet.context-path=/cas
server.port=8200
server.ssl.enabled=false
server.tomcat.basedir=/tmp/casbase
server.tomcat.remoteip.host-header=X-Forwarded-Host
server.tomcat.http-proxy.enabled=true
server.tomcat.http-proxy.secure=true
server.tomcat.http-proxy.scheme=https
server.tomcat.http-proxy.proxy-port=443
server.tomcat.http-proxy.redirect-port=443
server.tomcat.http-proxy.protocol=HTTP/1.1
server.tomcat.http-proxy.attributes.proxyName=[removed]
server.tomcat.ajp.enabled=false

The app is behind a proxy that handles SSL termination. I only mention this in case the issuer doesn't match because it thinks it's HTTP vs. HTTPS.

Any ideas?

Thank you,

Matt

[King, Robert]

Not sure if this is the issue, but your cas config should be:

 

#

# https://apereo.github.io/cas/7.0.x/installation/Configuring-Servlet-Container-Embedded-Tomcat.html

#

server.servlet.context-path=/cas
server.port=8200
server.ssl.enabled=false

server.tomcat.basedir=/tmp/casbase

server.tomcat.remoteip.host-header=X-Forwarded-Host

 

#

# https://apereo.github.io/cas/7.0.x/installation/Servlet-Container-Embedded-Tomcat-Proxying.html

#

cas.server.tomcat.http-proxy.enabled=true

cas.server.tomcat.http-proxy.secure=true

cas.server.tomcat.http-proxy.scheme=https

cas.server.tomcat.http-proxy.proxy-port=443

cas.server.tomcat.http-proxy.redirect-port=443

cas.server.tomcat.http-proxy.protocol=HTTP/1.1

# not sure if this is valid

# cas.server.tomcat.http-proxy.attributes.proxyName=[removed]

 

#

# https://apereo.github.io/cas/7.0.x/installation/Servlet-Container-Embedded-Tomcat-AJP.html

#

cas.server.tomcat.ajp.enabled=false

 

 

 

 

 

--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/5ba09cb5-eb4e-4c29-bc98-3ce813ae5d4cn%40apereo.org.

[Matthew Gordon]

Thank you Robert, that was the problem!

Thank you,

Matt