CAS 6.4.0, CAS 6.4.0-RC6 and CAS 6.4.0-RC5 : Issues with OIDC


Guillaume EGRON

Aug 25, 2021, 5:50:43 AM
to CAS Community
Hi,
Building a CAS overlay using CAS Initializr:
{"version":"6.4.0","bootVersion":"2.5.4","sync":true,"branch":"6.4","type":"cas"}

Added OIDC support and tested it with the sample client application found in the documentation: https://apereo.github.io/cas/6.4.x/authentication/OIDC-Authentication.html#sample-client-applications

CAS is deployed inside Apache Tomcat external container.

Configuration in cas.properties file:
cas.server.name=https://<domain>
cas.server.prefix=${cas.server.name}/cas
cas.authn.oidc.core.issuer=${cas.server.prefix}/oidc/

https://<domain>/cas/oidc/.well-known redirects to a 404 error page.

Client app redirects to CAS login page successfully; after submitting login and password, CAS redirects to "Application Not Authorized to Use CAS".
In the log file, found this message: [org.apereo.cas.oidc.util.OidcRequestSupport] - <Issuer [https://<domain>/cas/oidc] defined in CAS configuration does not match the request issuer [http://<domain>/cas/oidc/authorize]>

Note that the request issuer is in http (not https) and has the ending /authorize endpoint.

Fixed cas.properties as follows:
cas.authn.oidc.core.issuer=http://<domain>/cas/oidc/authorize

Restart CAS

Client app redirects to CAS login page with error:
java.lang.IllegalArgumentException: Unable to locate authentication profile
    at org.apereo.cas.support.oauth.web.endpoints.OAuth20AuthorizeEndpointController.lambda$redirectToCallbackRedirectUrl$0(OAuth20AuthorizeEndpointController.java:164)
    at java.base/java.util.Optional.orElseThrow(Optional.java:408)
    at org.apereo.cas.support.oauth.web.endpoints.OAuth20AuthorizeEndpointController.redirectToCallbackRedirectUrl(OAuth20AuthorizeEndpointController.java:164)
    at org.apereo.cas.support.oauth.web.endpoints.OAuth20AuthorizeEndpointController.handleRequest(OAuth20AuthorizeEndpointController.java:87)
    at org.apereo.cas.oidc.web.controllers.authorize.OidcAuthorizeEndpointController.handleRequest(OidcAuthorizeEndpointController.java:49)

Downgraded CAS to CAS 6.4.0-RC6.
Configuration in cas.properties file:
cas.server.name=https://<domain>
cas.server.prefix=${cas.server.name}/cas
cas.authn.oidc.core.issuer=${cas.server.prefix}/oidc/

https://<domain>/cas/oidc/.well-known redirects to a 404 error page.

Property cas.authn.oidc.core.issuer=${cas.server.prefix}/oidc/ leads to: [org.apereo.cas.oidc.util.OidcRequestSupport] - <Issuer [https://<domain>/cas/oidc] defined in CAS configuration does not match the request issuer [http://<domain>/cas/oidc/authorize]>

Fixed cas.properties as follows:
cas.authn.oidc.core.issuer=http://<domain>/cas/oidc/authorize

Restart CAS.

Client app redirects to CAS login page successfully; after submitting login and password, CAS redirects to the Claims authorization page. Submit it.
Browser redirects to https://<client_app_domain>:9443/simple-web-app/openid_connect_login?code=OC-x-xxxx&state=zzz&nonce=yy and displays "HTTP ERROR 401 Authentication Failed: Unable to obtain Access Token: 404".

Downgraded CAS to CAS 6.4.0-RC5.
Configuration in cas.properties file:
cas.server.name=https://<domain>
cas.server.prefix=${cas.server.name}/cas
cas.authn.oidc.core.issuer=${cas.server.prefix}/oidc/

https://<domain>/cas/oidc/.well-known redirects successfully.

Client app redirects to CAS login page successfully; after submitting login and password, CAS redirects to the Claims authorization page. Submit it.
Client app displays ID Token and User Info.

Did I miss some configuration inside cas.properties starting from CAS 6.4.0 RC6?
Or is there a bug here?

Vaibhav Narula

Jan 10, 2022, 11:29:14 PM
to CAS Community, Guillaume EGRON
We are also seeing the same issue in 6.4.4.2. Were you able to solve it?

Vaibhav Narula

Jan 10, 2022, 11:29:21 PM
to CAS Community, Guillaume EGRON
We are also seeing the same issue in 6.4.4.2. Were you able to solve this issue?

On Wednesday, 25 August 2021 at 03:50:43 UTC-6 Guillaume EGRON wrote:

Guillaume EGRON

Jan 11, 2022, 3:27:00 AM
to CAS Community, Vaibhav Narula, Guillaume EGRON
We did not run any tests on the 6.4.x branch since my original post; we chose to stay with 6.3.x.
I've just built a new 6.4.4.2 CAS overlay template but am still facing the issue.
I took a look back at the OpenID Connect documentation https://apereo.github.io/cas/6.4.x/authentication/OIDC-Authentication.html#configuration and fixed the property cas.authn.oidc.core.issuer (according to the documentation, there was an unnecessary trailing slash in my previous configuration). The property looks like this now:

cas.authn.oidc.core.issuer=${cas.server.name}/cas/oidc

But that does not fix the issue.

https://localhost:8443/cas/oidc/.well-known still redirects to a 404 error page.

Vaibhav Narula

Jan 11, 2022, 3:57:12 AM
to CAS Community, Guillaume EGRON, Vaibhav Narula
I was able to fix this by setting the Tomcat non-secure port to secure, and now it's working.
<!-- Trust the proxy's forwarding headers so Tomcat reports the original scheme (https) -->
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       remoteIpHeader="x-forwarded-for"
       remoteIpProxiesHeader="x-forwarded-by"
       protocolHeader="x-forwarded-proto"
       protocolHeaderHttpsValue="https" />
<!-- Plain HTTP connector behind the TLS-terminating proxy, reporting itself as https on 443 -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           SSLEnabled="false"
           scheme="https" secure="true"
           proxyPort="443" proxyName="example.com" />
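
Why a valve like the one above makes the issuer check pass, as an added illustration that is not from this thread or from CAS: a servlet container behind a TLS-terminating proxy rebuilds the request URL from what its own connector saw (plain HTTP on 8080) unless it is told to trust X-Forwarded-Proto, so the issuer it derives starts with http:// while the configured one starts with https://. The host name, the request dictionary and the diagnose() helper are assumptions; diagnose() approximates the comparison CAS logs and is not CAS's own code.

```python
from urllib.parse import urlsplit

# Constructed sample: what a TLS-terminating reverse proxy forwards to Tomcat.
# The browser spoke HTTPS to the proxy; the proxy speaks plain HTTP to port 8080.
FORWARDED_REQUEST = {
    "scheme": "http",            # what the Tomcat connector actually saw
    "host": "cas.example.org",   # hypothetical host
    "port": 8080,
    "path": "/cas/oidc/authorize",
    "headers": {"X-Forwarded-Proto": "https", "X-Forwarded-Port": "443"},
}


def request_base_url(req, trust_forwarded_headers):
    """Rebuild scheme://host[:port] the way a servlet container does.
    trust_forwarded_headers=False mimics a stock connector; True mimics
    RemoteIpValve honouring X-Forwarded-Proto / X-Forwarded-Port."""
    scheme, port = req["scheme"], req["port"]
    if trust_forwarded_headers:
        scheme = req["headers"].get("X-Forwarded-Proto", scheme)
        fallback = 443 if scheme == "https" else 80
        port = int(req["headers"].get("X-Forwarded-Port", fallback))
    default = 443 if scheme == "https" else 80
    netloc = req["host"] if port == default else f'{req["host"]}:{port}'
    return f"{scheme}://{netloc}"


def request_issuer(req, trust_forwarded_headers, oidc_prefix="/cas/oidc"):
    """Issuer implied by the request: base URL plus the OIDC path prefix
    (the endpoint name such as /authorize is not part of the issuer)."""
    return request_base_url(req, trust_forwarded_headers) + oidc_prefix


def diagnose(configured_issuer, req, trust_forwarded_headers):
    """Compare the configured issuer with the one the request implies and
    name the first mismatch found (assumption-based approximation)."""
    cfg = urlsplit(configured_issuer.rstrip("/"))   # tolerate a trailing slash
    got = urlsplit(request_issuer(req, trust_forwarded_headers))
    if cfg.scheme != got.scheme:
        return "scheme-mismatch"        # classic TLS-offload symptom: http vs https
    if cfg.netloc != got.netloc:
        return "host-or-port-mismatch"  # e.g. :8080 leaking into the issuer
    if cfg.path != got.path:
        return "path-mismatch"          # e.g. /authorize appended to the issuer
    return "ok"
```

Run diagnose() with trust_forwarded_headers=False to reproduce the http-vs-https log message from the first post, and with True to see the same configuration pass.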

Frédéric Lohier

Jan 11, 2022, 3:57:13 AM
to CAS Community, Vaibhav Narula, Guillaume EGRON
Hello,

I haven't had any issue with the .well-known URL in CAS 6.3.x and CAS 6.4.x. Have you set all the other relevant OIDC settings (claims, scopes, keys, etc.)?

-Frederic

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/9b6bb625-0458-4ae3-8a61-4776af2a2a85n%40apereo.org.

Catalin

Mar 15, 2022, 4:47:45 PM
to CAS Community, Frédéric Lohier, Vaibhav Narula, Guillaume EGRON
Hi,

I'm having the same problem with: java.lang.IllegalArgumentException: Unable to locate authentication profile

In cas.properties:

cas.authn.oidc.core.issuer=https://catalin-pc.local/cas/oidc

The JSON service registry (I have only this):

{
  "@class" : "org.apereo.cas.services.OidcRegisteredService",
  "clientId": "client_id",
  "clientSecret": "client_secret",
  "serviceId" : "^(https?)://.*",
  "name" : "Oauth2OIDC",
  "id" : 103935657744184,
  "evaluationOrder" : 1,
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  }
}


The client app/service is using Spring Boot (2.5.5) / Spring Security.

The application.yml (please ignore the formatting of the yml):

debug: false
spring:
  security:
    oauth2:
      client:
        registration:
          cas:
            client-id: client_id
            client-secret: client_secret
            authorization-grant-type: authorization_code
            client-authentication-method: client_secret_basic
            scope: openid, profile
          github:
            client-id: ........
            client-secret: .....
        provider:
          cas:
            issuer-uri: https://catalin-pc.local/cas/oidc


Spring Security config below (as simple as possible):

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;

@Configuration
@EnableWebSecurity
public class WebPortalSecurity extends WebSecurityConfigurerAdapter {

    @Autowired
    private ClientRegistrationRepository clientRegistrationRepository;

    @Override
    public void configure(HttpSecurity http) throws Exception {

        // I tried here to specify the CAS login page (here I'm getting that the service is not authorized to use CAS)
        // http.authorizeRequests(authorizeRequests -> authorizeRequests.anyRequest().authenticated())
        //     .oauth2Login(oauth2 -> oauth2.loginPage("https://catalin-pc.local/cas/login?service=https://catalin-pc.local/web-portal"));

        // with this code it will redirect me to /oidc/oidcAuthorize?response_type=code and will end up in the profile not found error -> debugging into the code I was seeing that this profile is somehow pac4j related??? (I also tried to integrate pac4j when doing the log in, but it did not help)
        http.authorizeRequests(authorizeRequests -> authorizeRequests.anyRequest().authenticated()).oauth2Login();
    }
}


On the CAS side I have a dumb implementation of AbstractUsernamePasswordAuthenticationHandler:

@Override
protected AuthenticationHandlerExecutionResult authenticateUsernamePasswordInternal(UsernamePasswordCredential upc, String s) throws GeneralSecurityException, PreventedException {
    final String username = upc.getUsername();
    final String password = upc.getPassword();

    final HashMap<String, List<Object>> attributes = new HashMap<>();
    final ArrayList<Object> value = new ArrayList<>();
    // put some dummy attributes here
    value.add("oidc profile");
    attributes.put("profile", value);

    return createHandlerResult(upc, this.principalFactory.createPrincipal(username, attributes));
}

The profile will try to be returned like this (this is pac4j related code):

this.context.getRequestAttribute("pac4jUserProfiles").ifPresent((requestAttribute) -> {
    profiles.putAll((Map) requestAttribute);
});

Here that attribute definitely is not present on my flow, hence ending up in the error...

I tried to integrate a pac4j authentication like this: https://apereo.github.io/cas/development/authentication/Pac4j-Authentication.html#overview
I'm only interested now in the happy flow, so that with that dumb authenticator, similar to my simplified one that does no checks.

Things to note:

  • I tried to minimize things, so I removed any page changes we had or other custom things to keep CAS as close to the overlay template that is being provided
  • I tried some 6.4.X versions, 6.5.1, and 6.6.0-RC1 (same issue); I wanted to try the latest version of 6.3.X but there were some issues with Java 17 and the Spring version
  • From the above app/service Spring Security configuration, I'm able to do a login with GitHub (the flow seems to be similar: it goes to that authorize, and if I'm not logged in to GitHub, I'm seeing the GitHub login page)
  • I can authenticate to https://.../cas/login -> with the code provided above; as well, I'm seeing those attributes in the principal and I'm seeing the authentication
  • If I try to authenticate like this: https://.../cas/login?service=https:// then I'm getting Application Not Authorized to Use CAS, even though in the service registry I added a broader pattern to match the service id: ^(https?)://.*
  • .well-known works properly
  • If I try to access the app directly, then I get this: java.lang.IllegalArgumentException: Unable to locate authentication profile at org.apereo.cas.support.oauth.web.endpoints.OAuth20AuthorizeEndpointController.lambda$redirectToCallbackRedirectUrl$0(OAuth20AuthorizeEndpointController.java:170)

Any hints on what I might be doing wrong are highly appreciated.

Thanks,
C

Meysam Shirazi

May 15, 2023, 11:25:04 PM
to CAS Community, dark...@gmail.com, fred...@lohier.org, Vaibhav Narula, Guillaume EGRON
Hi,
I followed the configuration below, and everything worked fine:
CAS Version 6.6.x
cas.properties:
cas.authn.oauth.crypto.encryption.key=0ZJCKvFSVO6PUKlzUqWzE5eXDerK_T7G1oSfGHfaAGM
cas.authn.oauth.crypto.signing.key=_d6j3pacsAy_V7WP55RB-H0HtwfSawKav6aV8rUPuRPBDqDhAeJXpqjrtZwqTiUPkNOz2jcb5nLqJJ73ygqROw
cas.authn.oauth.access-token.crypto.encryption.key=8wK97XDbYzeDhSzZgfcFWp3SHW_Lr-h69cGtWYZjJz0
cas.authn.oauth.access-token.crypto.signing.key=pqhKnchYuvHNze33lPJXZaxmaSLSQpKQS9PttqplwblZfgRnufcElzxfL52g8CClOJnp5OKZwxcBzQF69Tw_-Q
cas.authn.oidc.core.issuer=https://oauth.iritco.ir/cas/oidc
cas.authn.oidc.jwks.file-system.jwks-file=file:///etc/cas/config/keystore.jwks


Service definition:
{
  "@class" : "org.apereo.cas.services.OidcRegisteredService",
  "clientId": "clientid",
  "clientSecret": "clientSecret",
  "serviceId" : "http://localhost:3000/(.*)",
  "name" : "OAuthService",
  "id" : 100001,
  "scopes" : [ "java.util.HashSet", [ "profile", "openid" ] ],
  "idTokenIssuer": "https://oauth.iritco.ir/cas/oidc"
}

Sample request:

I got the same error (Unable to locate authentication profile) when I used OAuthRegisteredService instead of OidcRegisteredService, so it was solely due to using OidcRegisteredService in the service definition.
I hope it can help you. 

Meysam Shirazi

Nov 14, 2023, 2:50:27 PM
to CAS Community, Meysam Shirazi, dark...@gmail.com, fred...@lohier.org, Vaibhav Narula, Guillaume EGRON
Edit:
"serviceId" : "http://localhost:3000(.*)",