OIDC password grant_type fails to return ID Token


nilesh choudhary

Apr 8, 2019, 4:37:12 AM
to CAS Community

@mmoayyed @plajko


https://github.com/apereo/cas/commit/39c112c80c0021c012978dbdad095a1539605964

https://github.com/apereo/cas/pull/3193


This commit apparently broke the OIDC accessToken API for stateless, REST-based authentication.

http://localhost:8080/cas/oidc/accessToken?grant_type=password&client_id=demoOIDC&username=casuser&password=Mellon

{
"access_token": "AT-1-lRVr5VLQOKabdhaWiLyLyhO0afHP3kBY",
"token_type": "bearer",
"expires_in": 28800,
"refresh_token": "RT-1-llRC4qJb0UWpmXOIiYnuTemhFdNO2wfP"
}

The response is missing the ID_TOKEN. The server logs the error below:


2019-04-08 12:44:36,024 ERROR [org.apache.catalina.core.ContainerBase.[Tomcat].[localhost].[/qas].[dispatcherServlet]] - <Servlet.service() for servlet [dispatcherServlet] in context with path [/qas] threw exception [Request processing failed; nested exception is java.lang.IllegalStateException: Cannot find service ticket issued to https://cas.example.org:8443/cas/oauth2.0/callbackAuthorize.* as part of the authentication context] with root cause>
java.lang.IllegalStateException: Cannot find service ticket issued to https://cas.example.org:8443/cas/oauth2.0/callbackAuthorize.* as part of the authentication context
    at com.google.common.base.Preconditions.checkState(Preconditions.java:504) ~[guava-25.0-jre.jar!/:?]
    at org.apereo.cas.oidc.token.OidcIdTokenGeneratorService.getOAuthServiceTicket(OidcIdTokenGeneratorService.java:178) ~[cas-server-support-oidc-5.3.9.jar!/:5.3.9]

Apparently it is being assumed that there will always be a service ticket or proxy ticket. Though I agree it is a reasonable ask to support single logout, I believe we should not fail this if only an access token (i.e. a TGT) is generated for the given call, with no service ticket / proxy ticket issued against it.


Any clue or work around for this issue?
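The check a practitioner would want before blaming the server, as an added example that is not part of the post and not CAS code: build the password-grant request as a POST form body rather than a query string (the URL in the post carries the password in the query string, where it ends up in server and proxy logs), send it with scope=openid (OpenID Connect issues an id_token only when that scope is requested), and then validate the token response instead of eyeballing it. The validator reports a missing id_token, a malformed JWT, alg=none, a bad signature, and iss/aud/exp mismatches. The sample responses, the HS256 client secret and the issuer value below are all constructed for the demo; a real CAS deployment signs id tokens with its own keystore, so the signature check would verify against the issuer's JWKS endpoint instead of a shared secret.

```python
"""Diagnose an OIDC password-grant token response for a missing or bad id_token.

Added example, not CAS code. Everything marked "constructed" is demo data.
"""
import base64
import hashlib
import hmac
import json

# Constructed: the token response quoted in the post, which has no id_token.
RESPONSE_WITHOUT_ID_TOKEN = {
    "access_token": "AT-1-lRVr5VLQOKabdhaWiLyLyhO0afHP3kBY",
    "token_type": "bearer",
    "expires_in": 28800,
    "refresh_token": "RT-1-llRC4qJb0UWpmXOIiYnuTemhFdNO2wfP",
}

ISSUER = "https://cas.example.org:8443/cas/oidc"   # constructed issuer value
CLIENT_ID = "demoOIDC"
SAMPLE_SECRET = b"constructed-demo-secret"         # constructed HS256 secret
NOW = 1_554_700_000                                 # constructed "current time"


def password_grant_form(client_id, username, password, scope="openid"):
    """Form body for the token endpoint; POST this, never put it in the URL."""
    return {
        "grant_type": "password",
        "client_id": client_id,
        "username": username,
        "password": password,
        "scope": scope,   # "openid" is what makes an id_token expected at all
    }


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_jwt(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Build a constructed id_token (HS256, or alg=none to demo rejection)."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    if alg == "none":
        return f"{header}.{payload}."
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes) -> bool:
    header, payload, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))


def check_token_response(resp, issuer, client_id, secret, now, expect_id_token=True):
    """Return the list of problems found; an empty list means the response is sound.

    expect_id_token must be True whenever the request carried scope=openid.
    """
    problems = []
    for field in ("access_token", "token_type"):
        if field not in resp:
            problems.append(f"missing {field}")
    if str(resp.get("token_type", "")).lower() != "bearer":
        problems.append("token_type is not bearer")
    id_token = resp.get("id_token")
    if id_token is None:
        if expect_id_token:
            problems.append("id_token missing although scope=openid was requested")
        return problems
    try:
        header_seg, payload_seg, _ = id_token.split(".")
        header = json.loads(b64url_decode(header_seg))
        claims = json.loads(b64url_decode(payload_seg))
    except ValueError:   # covers bad split, bad base64 and bad JSON
        return problems + ["id_token is not a well-formed JWT"]
    if str(header.get("alg", "none")).lower() == "none":
        problems.append("id_token uses alg=none")   # never accept unsigned tokens
    elif not verify_hs256(id_token, secret):
        problems.append("id_token signature does not verify")
    if claims.get("iss") != issuer:
        problems.append(f"iss mismatch: {claims.get('iss')!r}")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud does not contain {client_id}")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("id_token expired or has no exp")
    return problems


# Constructed "good" response: the same tokens plus a valid id_token.
GOOD_CLAIMS = {"iss": ISSUER, "sub": "casuser", "aud": CLIENT_ID, "iat": NOW, "exp": NOW + 28800}
RESPONSE_WITH_ID_TOKEN = dict(RESPONSE_WITHOUT_ID_TOKEN,
                              id_token=make_jwt(GOOD_CLAIMS, SAMPLE_SECRET))

if __name__ == "__main__":
    print(check_token_response(RESPONSE_WITHOUT_ID_TOKEN, ISSUER, CLIENT_ID, SAMPLE_SECRET, NOW))
    print(check_token_response(RESPONSE_WITH_ID_TOKEN, ISSUER, CLIENT_ID, SAMPLE_SECRET, NOW))
```

Run against the response from the post the checker reports only the missing id_token, which separates "the server never issued one" from "it issued one that is wrong"; the same checker applied to a response with a tampered or alg=none token fails on the signature rather than on a missing field, so the two failure modes are not confused while debugging.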
