CAS 5.2.2 OIDC Profile Lookup on accessToken

[Ryan Rolland]

Greetings,

I am working with CAS 5.2.2 and trying to authenticate an existing client application [Client app is using a UAA server (https://github.com/cloudfoundry/uaa)] that supports OIDC.

The call to:

/cas/oidc/authorize

is succeeding. The problems happen when the client (server side [not browser]) tries to call:

cas/oidc/accessToken/

the following parameters are passed with this call:

grant_type=authorization_code

code=OC-13-INRciVjflpa1elco2HOuIvOSNlTRIRT4fPO

response_type=id_token

redirect_uri=https://localhost:1238/login/callback/cas

I can debug the CAS 5.2.2 server and see that the call is failing with a "Could not locate authenticated profile for this request".

The root cause for this failure is that no profile is being returned from the ProfileManager.retrieveAll method. There is neither a profile stored in the request or stored in the session. It makes sense that there is no profile stored in the session because it is a (client) UAA server side HTTP Request that is calling '/cas/oidc/accessToken', i.e. not the browser. Is there a mechanism to get at the profile here that I am not seeing? Perhaps using the passed in 'code' parameter to lookup the profile from the ticket registry?

Thanks in advance for any help troubleshooting this!

[Ryan Rolland]

I am still wrestling with this one. I put together the following stackoverflow post:

https://stackoverflow.com/questions/49201476/uaa-client-cas5-idp-oidc-pac4j-session-profile-missing-accesstoken

[Ryan Rolland]

I am using 5.1.0 not 5.2.2. I had rolledback to 5.1.0 around this time.

The problem still exists in the 5.1.0 code. I resolved by modified the OidcIdTokenGeneratorService to pull the CLAIM_PREFERRED_USERNAME from the TGT:

        if (!claims.hasClaim(OidcConstants.CLAIM_PREFERRED_USERNAME)) {

            String username = accessTokenId.getGrantingTicket().getAuthentication().getCredentials().get(0).getId();

            claims.setClaim(OidcConstants.CLAIM_PREFERRED_USERNAME, username);

        }

vs

        if (!claims.hasClaim(OidcConstants.CLAIM_PREFERRED_USERNAME)) {

            claims.setClaim(OidcConstants.CLAIM_PREFERRED_USERNAME, profile.getId());

        }

There were some other calls upstream in the OAuth20AccessTokenEndpointController to get the CLIENT_ID via pac4j. The CLIENT_ID is also available as a request param. Changed calls similar to:

final String clientId = uProfile.getId();

to

final String clientId = request.getParameter(OAuth20Constants.CLIENT_ID);

On Tuesday, March 6, 2018 at 11:49:12 AM UTC-10, Ryan Rolland wrote: