Getting "Service Not Authorized" trying to integrate CAS 6.3 as OIDC IdP for Keycloak 12


Alcides Moraes
Oct 19, 2021, 6:10:31 PM
to CAS Community
Hello list,

I hope someone can help me. I'm trying to use CAS 6.3 as an OIDC identity provider for a Keycloak server, version 12.0.4, but I only get the "Service Not Authorized" page from CAS.
Both servers are already up and authenticating just fine.

I've configured the Keycloak service in CAS with a very minimalist JSON definition, as follows:

{
  "@class": "org.apereo.cas.services.OidcRegisteredService",
  "clientId": "keycloak-sdr-oidc",
  "clientSecret": "<secret>",
  "serviceId": "<keycloak-url>/broker/cas-server-lab-oidc/endpoint",
  "name": "Keycloak",
  "id": 1008
}

I've configured CAS as an IdP using the Keycloak GUI, passing the /oidc/.well-known URL, which is working; Keycloak autoconfigures itself, and I only needed to input the clientSecret. The serviceId configured above is the redirect URI Keycloak gives.

Authenticating with Keycloak and clicking on the CAS provider button, I get the following URL:
<cas-url>/oidc/authorize?scope=openid&state=0qSqbtCYF_DWyzLXRyiZldn2uP64J6esXeiP6UlVfNw.guRTVBHiRKw.sample-client&response_type=code&client_id=keycloak-sdr-oidc&redirect_uri=<keycloak-redirect-uri-encoded>&nonce=372Y_32lOgVg5IQDmna_mA

This gives me only the Service Not Authorized CAS page.

CAS log shows this:

I'm pretty sure my service is being loaded; I get these log messages (I use the git service registry):

Any hints would be appreciated, thanks in advance.

Ray Bon
Oct 19, 2021, 8:16:36 PM
to cas-...@apereo.org
Alcides,

Try this logger to see what services are being loaded:

        <!-- DEBUG service definitions -->
        <AsyncLogger name="org.apereo.cas.adaptors.ldap.services.DefaultLdapRegisteredServiceMapper" level="debug" />

Ray

-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional territory the university stands, and the Songhees, Esquimalt and WSÁNEĆ peoples whose historical relationships with the land continue to this day.

He Vincent
Oct 19, 2021, 9:40:05 PM
to CAS Community, Ray Bon
Please note that:
serviceId should be exactly the same as the redirect_uri in the /oidc/authorize call.
e.g.
<CAS URL>/oidc/authorize?response_type=code&redirect_uri=https://test.com/demo123

Alcides Moraes
Oct 20, 2021, 1:30:34 PM
to cas-...@apereo.org
Hello Ray, thanks for the help.

I use GitServiceRegistry, so your logger is not outputting anything for me.
I’ve turned on this:
<AsyncLogger name="org.apereo.cas.services" level="trace" includeLocation="true"/>

But I only get these messages:
DEBUG [org.apereo.cas.services.GitServiceRegistry] (scheduling-1) Successfully pulled changes from the remote repository
INFO [org.apereo.cas.services.AbstractServicesManager] (scheduling-1) Loaded [1] service(s) from [GitServiceRegistry].


-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to a topic in the Google Groups "CAS Community" group.
To unsubscribe from this topic, visit https://groups.google.com/a/apereo.org/d/topic/cas-user/bitV1fK0_do/unsubscribe.
To unsubscribe from this group and all its topics, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/95e3adda5b70c6b582d1c20276f0d79d489d05ae.camel%40uvic.ca.

Alcides Moraes
Oct 20, 2021, 1:33:05 PM
to cas-...@apereo.org, Ray Bon
Thank you, He.

Yes, serviceId is already exactly the same as the redirect_uri sent by Keycloak.


Ray Bon
Oct 20, 2021, 3:16:15 PM
to cas-...@apereo.org
Ok, try this generalized version of the logger, to be sure your service is loaded and is what you expect:

        <AsyncLogger name="org.apereo.cas.adaptor" level="debug" />

Ray

Alcides Moraes
Oct 20, 2021, 3:36:43 PM
to cas-...@apereo.org
Thank you, Ray.

I was able to see that my service was not being loaded, only the OAuth autogenerated service was.

My service JSON file was missing the .json extension, doh! 🤦‍♂️ That was it; it’s now working, thanks again!
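The two things this thread turned on, He's point that the registered serviceId must match the redirect_uri sent in the /oidc/authorize request, and the definition file that was silently skipped because it lacked the .json extension, can both be reproduced in a small check. The following is an added illustration written for this page, not code from any participant or from CAS itself. It assumes a file-backed registry that only picks up *.json files (the behaviour Alcides observed), treats serviceId as an anchored pattern in the way CAS's regex-based registered services do (a literal URL therefore matches only itself), and uses constructed placeholder URLs, state and nonce values in place of the real deployment's.

```python
import json
import os
import re
import tempfile
from urllib.parse import parse_qs, urlsplit

# Constructed sample definition, modelled on the one posted in the thread.
# The host names are hypothetical placeholders, not the poster's real URLs.
KEYCLOAK_SERVICE = {
    "@class": "org.apereo.cas.services.OidcRegisteredService",
    "clientId": "keycloak-sdr-oidc",
    "clientSecret": "<secret>",
    "serviceId": "https://keycloak.example.test/broker/cas-server-lab-oidc/endpoint",
    "name": "Keycloak",
    "id": 1008,
}

# Constructed authorize request of the same shape as the one in the thread;
# state and nonce are made-up values.
AUTHORIZE_URL = (
    "https://cas.example.test/oidc/authorize?scope=openid&state=constructed-state"
    "&response_type=code&client_id=keycloak-sdr-oidc"
    "&redirect_uri=https%3A%2F%2Fkeycloak.example.test%2Fbroker%2Fcas-server-lab-oidc%2Fendpoint"
    "&nonce=constructed-nonce"
)


def files_ignored_by_registry(directory):
    """Diagnostic: definitions on disk that a *.json-only registry will never load."""
    return sorted(f for f in os.listdir(directory) if not f.endswith(".json"))


def load_services(directory):
    """Load service definitions the way a file-backed registry does: only files
    ending in .json are read. A definition saved without the extension (the root
    cause in this thread) is skipped without any error."""
    services = []
    for fname in sorted(os.listdir(directory)):
        if not fname.endswith(".json"):
            continue
        with open(os.path.join(directory, fname), encoding="utf-8") as fh:
            services.append(json.load(fh))
    return services


def find_authorized_service(services, authorize_url):
    """Return the service that authorizes this /oidc/authorize request, or None.
    client_id must match clientId, and the decoded redirect_uri must fully match
    serviceId. serviceId is applied as an anchored pattern (assumed CAS regex
    semantics); a literal URL matches itself and nothing else, which is why the
    exact-match advice in the thread is the safe way to write it."""
    params = parse_qs(urlsplit(authorize_url).query)
    client_id = params.get("client_id", [None])[0]
    redirect_uri = params.get("redirect_uri", [None])[0]
    if client_id is None or redirect_uri is None:
        return None
    for svc in services:
        if svc.get("clientId") != client_id:
            continue
        if re.fullmatch(svc["serviceId"], redirect_uri):
            return svc
    return None  # this is the case that surfaces as "Service Not Authorized"


def demo():
    """Walk through the thread: file without .json (not loaded), file renamed
    (loaded), exact redirect_uri (authorized), redirect_uri differing only by a
    trailing slash (not authorized). Returns the outcomes for inspection."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path_no_ext = os.path.join(d, "Keycloak-1008")
        with open(path_no_ext, "w", encoding="utf-8") as fh:
            json.dump(KEYCLOAK_SERVICE, fh)
        results["ignored_files"] = files_ignored_by_registry(d)
        results["loaded_without_extension"] = len(load_services(d))

        os.rename(path_no_ext, path_no_ext + ".json")
        services = load_services(d)
        results["loaded_with_extension"] = len(services)
        results["exact_redirect_authorized"] = (
            find_authorized_service(services, AUTHORIZE_URL) is not None
        )
        slash_variant = AUTHORIZE_URL.replace("%2Fendpoint", "%2Fendpoint%2F")
        results["slash_redirect_authorized"] = (
            find_authorized_service(services, slash_variant) is not None
        )
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the sequence Ray's logger eventually revealed: the definition is invisible until the file carries the .json extension, and once loaded it authorizes only the byte-for-byte redirect_uri it registers, so any variation in the URI Keycloak sends lands on the "Service Not Authorized" page.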
