6.3 OAuth2.0+MFA: got InvalidTicketException after 2 minutes to input token


He Vincent

Sep 30, 2021, 12:16:51 AM
to CAS Community
Version: CAS 6.3 (CAS 5.3 has no such issue)
OAuth2.0 + GAuth
How to reproduce the issue:
1. Log in to the app with OAuth2.0.
2. After passing the login page, stay on the MFA page for about 2 minutes. (No issue if the token is entered within a minute.)
3. Input the Google Auth token.
4. It gets a 500 internal error, with org.apereo.cas.ticket.InvalidTicketException.
There is no such issue if the app is not using OAuth2.0.

Here is the log
2021-09-30 08:51:09,094 DEBUG [org.apereo.cas.ticket.expiration.MultiTimeUseOrTimeoutExpirationPolicy] - <Ticket usage count [1] is greater than or equal to [1]. Ticket [ST-1-xi-sY7iqar4RbUvxXbPfMncPnoo-xxxxxx-slicas] has expired>
2021-09-30 08:51:09,094 DEBUG [org.apereo.cas.ticket.registry.MongoDbTicketRegistry] - <Locating ticket ticketId [ST-1-xi-sY7iqar4RbUvxXbPfMncPnoo-xxxxxx-slicas]>
2021-09-30 08:51:09,094 DEBUG [org.apereo.cas.ticket.registry.MongoDbTicketRegistry] - <Locating collection name [serviceTicketsCollection] for ticket definition [DefaultTicketDefinition(implementationClass=class org.apereo.cas.ticket.ServiceTicketImpl, prefix=ST, properties=DefaultTicketDefinitionProperties(cascadeRemovals=false, storageName=serviceTicketsCollection, storageTimeout=300, storagePassword=null, excludeFromCascade=false), order=-2147483648)]>
2021-09-30 08:51:09,095 DEBUG [org.apereo.cas.ticket.registry.MongoDbTicketRegistry] - <Located MongoDb collection instance [serviceTicketsCollection]>
2021-09-30 08:51:09,103 DEBUG [org.apereo.cas.ticket.registry.AbstractTicketRegistry] - <Removing ticket [ST-1-xi-sY7iqar4RbUvxXbPfMncPnoo-xxxxxx-slicas] from the registry.>
2021-09-30 08:51:09,103 DEBUG [org.apereo.cas.ticket.registry.MongoDbTicketRegistry] - <Deleting ticket [ST-1-xi-sY7iqar4RbUvxXbPfMncPnoo-xxxxxx-slicas]>
2021-09-30 08:51:09,104 DEBUG [org.apereo.cas.ticket.registry.MongoDbTicketRegistry] - <Locating collection name [serviceTicketsCollection] for ticket definition [DefaultTicketDefinition(implementationClass=class org.apereo.cas.ticket.ServiceTicketImpl, prefix=ST, properties=DefaultTicketDefinitionProperties(cascadeRemovals=false, storageName=serviceTicketsCollection, storageTimeout=300, storagePassword=null, excludeFromCascade=false), order=-2147483648)]>
2021-09-30 08:51:09,104 DEBUG [org.apereo.cas.ticket.registry.MongoDbTicketRegistry] - <Located MongoDb collection instance [serviceTicketsCollection]>
2021-09-30 08:51:09,107 DEBUG [org.apereo.cas.ticket.registry.MongoDbTicketRegistry] - <Deleted ticket [ST-1-xi-sY7iqar4RbUvxXbPfMncPnoo-xxxxxx-slicas] with result [AcknowledgedDeleteResult{deletedCount=1}]>
2021-09-30 08:51:09,108 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
ACTION: SERVICE_TICKET_VALIDATE_SUCCESS
APPLICATION: CAS
WHEN: Thu Sep 30 08:51:09 CST 2021
CLIENT IP ADDRESS: 10.16.14.77
SERVER IP ADDRESS: 10.13.23.92
=============================================================

2021-09-30 08:51:09,171 DEBUG [org.apereo.cas.ticket.registry.MongoDbTicketRegistry] - <Locating ticket ticketId [TGT-1-*****Jetbc5m7zU-xxxxxx-slicas]>
2021-09-30 08:51:09,172 DEBUG [org.apereo.cas.ticket.registry.MongoDbTicketRegistry] - <Locating collection name [ticketGrantingTicketsCollection] for ticket definition [DefaultTicketDefinition(implementationClass=class org.apereo.cas.ticket.TicketGrantingTicketImpl, prefix=TGT, properties=DefaultTicketDefinitionProperties(cascadeRemovals=false, storageName=ticketGrantingTicketsCollection, storageTimeout=28800, storagePassword=null, excludeFromCascade=false), order=2147483647)]>
2021-09-30 08:51:09,172 DEBUG [org.apereo.cas.ticket.registry.MongoDbTicketRegistry] - <Located MongoDb collection instance [ticketGrantingTicketsCollection]>
2021-09-30 08:51:09,197 DEBUG [org.apereo.cas.ticket.registry.MongoDbTicketRegistry] - <Locating ticket ticketId [ST-1-xi-sY7iqar4RbUvxXbPfMncPnoo-xxxxxx-slicas]>
2021-09-30 08:51:09,197 DEBUG [org.apereo.cas.ticket.registry.MongoDbTicketRegistry] - <Locating collection name [serviceTicketsCollection] for ticket definition [DefaultTicketDefinition(implementationClass=class org.apereo.cas.ticket.ServiceTicketImpl, prefix=ST, properties=DefaultTicketDefinitionProperties(cascadeRemovals=false, storageName=serviceTicketsCollection, storageTimeout=300, storagePassword=null, excludeFromCascade=false), order=-2147483648)]>
2021-09-30 08:51:09,197 DEBUG [org.apereo.cas.ticket.registry.MongoDbTicketRegistry] - <Located MongoDb collection instance [serviceTicketsCollection]>
2021-09-30 08:51:09,200 WARN [org.apereo.cas.DefaultCentralAuthenticationService] - <Service ticket [ST-1-xi-sY7iqar4RbUvxXbPfMncPnoo-xxxxxx-slicas] does not exist.>
2021-09-30 08:51:09,201 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
ACTION: SERVICE_TICKET_VALIDATE_FAILED
APPLICATION: CAS
WHEN: Thu Sep 30 08:51:09 CST 2021
CLIENT IP ADDRESS: 10.16.14.77
SERVER IP ADDRESS: 10.13.23.92
=============================================================

He Vincent

Sep 30, 2021, 12:24:46 AM
to CAS Community, He Vincent
From the log:
It passed the GAuth MFA.
It seems the ST had expired and was deleted, so the ST did not exist any longer.
It is strange that it seems to have triggered SERVICE_TICKET_VALIDATE twice: the first was a success, the second failed.

If I input the token within a minute, it triggers only one SERVICE_TICKET_VALIDATE, and it does not expire/delete the ST either. It was deleted at the Ticket_Destroyed phase.

Is it a bug? I tried various time-to-live and time-to-kill parameters. It did not help.

Ray Bon

Oct 1, 2021, 12:06:37 PM
to cas-...@apereo.org, vince...@gmail.com
Vincent,

I encountered similar behaviour but have not had time to see if it is the same in 6.4 or why this happened at all.
There is this property you could try
cas.ticket.st.number-of-uses=


Ray

On Wed, 2021-09-29 at 21:24 -0700, He Vincent wrote:
-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional territory the university stands, and the Songhees, Esquimalt and WSÁNEĆ peoples whose historical relationships with the land continue to this day.
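To make the behaviour in the log above concrete, here is an added Python simulation (not CAS code, and not from either poster) of the MultiTimeUseOrTimeoutExpirationPolicy semantics that the DEBUG line "usage count [1] is greater than or equal to [1]" describes: a service ticket is spent once its usage count reaches number-of-uses or once time-to-kill has elapsed since its last use, and a spent ticket is removed from the registry, so a second validation of the same ST is audited as SERVICE_TICKET_VALIDATE_FAILED. The simulated clock, the ticket ids, the class names and the default values used (one use, 10 seconds) are assumptions made for the example.

```python
"""Simulation of CAS-style single-use service ticket (ST) expiry.

Added example, not CAS code. It mirrors the semantics of
MultiTimeUseOrTimeoutExpirationPolicy: an ST is expired once its usage count
reaches number-of-uses, or once time-to-kill has elapsed since its last use.
The clock is simulated (seconds as floats); ticket ids and the default values
(one use, 10 seconds) are constructed for the example.
"""

from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ServiceTicket:
    ticket_id: str
    last_time_used: float   # simulated-clock seconds
    count_of_uses: int = 0

    def update(self, now: float) -> None:
        """Record one use; CAS does this after a successful validation."""
        self.count_of_uses += 1
        self.last_time_used = now


@dataclass
class MultiTimeUseOrTimeoutPolicy:
    number_of_uses: int          # analogous to cas.ticket.st.number-of-uses
    time_to_kill_seconds: float  # analogous to cas.ticket.st.time-to-kill-in-seconds

    def is_expired(self, st: ServiceTicket, now: float) -> bool:
        if st.count_of_uses >= self.number_of_uses:
            return True
        return (now - st.last_time_used) >= self.time_to_kill_seconds


class TicketRegistry:
    """In-memory stand-in for the ticket registry, with an audit trail."""

    def __init__(self, policy: MultiTimeUseOrTimeoutPolicy) -> None:
        self.policy = policy
        self.tickets: Dict[str, ServiceTicket] = {}
        self.audit: List[str] = []
        self.seq = 0

    def grant_st(self, now: float) -> str:
        self.seq += 1
        ticket_id = f"ST-{self.seq}-example"   # constructed id
        self.tickets[ticket_id] = ServiceTicket(ticket_id, now)
        return ticket_id

    def validate(self, ticket_id: str, now: float) -> bool:
        st = self.tickets.get(ticket_id)
        if st is None or self.policy.is_expired(st, now):
            # Missing or expired: drop it and audit a failure
            self.tickets.pop(ticket_id, None)
            self.audit.append("SERVICE_TICKET_VALIDATE_FAILED")
            return False
        st.update(now)
        self.audit.append("SERVICE_TICKET_VALIDATE_SUCCESS")
        # A ticket that the policy now considers spent is destroyed at once,
        # which is the "has expired" / "Removing ticket" pair in the log
        if self.policy.is_expired(st, now):
            del self.tickets[ticket_id]
        return True


def run_scenario(number_of_uses: int, time_to_kill: float,
                 validations_at: List[float]) -> List[str]:
    """Grant one ST at t=0, validate it at each given time, return the audit."""
    registry = TicketRegistry(MultiTimeUseOrTimeoutPolicy(number_of_uses, time_to_kill))
    ticket_id = registry.grant_st(now=0.0)
    for t in validations_at:
        registry.validate(ticket_id, now=t)
    return registry.audit


if __name__ == "__main__":
    # Default single-use ST validated twice: the second attempt fails
    print(run_scenario(1, 10.0, [1.0, 2.0]))
    # Two uses allowed: both validations succeed
    print(run_scenario(2, 10.0, [1.0, 2.0]))
    # Single use, but validated only after time-to-kill has passed
    print(run_scenario(1, 10.0, [20.0]))
```

Raising cas.ticket.st.number-of-uses, as suggested above, makes the second validation succeed in this model, but it also means a captured ST can be replayed within the time-to-kill window; it is a workaround for the double validation, not a fix for whatever causes the OAuth flow to validate the ticket twice.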