OIDC Delegation


Riaan Stegmann

May 24, 2016, 7:10:41 AM
to CAS Community
Good Day

I've set up OIDC login delegation in CAS to a custom provider. The authentication via the provider is successful, and I get redirected back to CAS; however, I then get the "CAS is unavailable" error with the following debug output in the log:

2016-05-24 10:32:32,450 DEBUG [org.jasig.cas.web.flow.InitialFlowSetupAction] - <Warning cookie path is set to null and path /cas/>
2016-05-24 10:32:32,459 DEBUG [org.jasig.cas.web.flow.InitialFlowSetupAction] - <TGC cookie path is set to null and path /cas/>
2016-05-24 10:32:32,460 DEBUG [org.jasig.cas.web.support.DefaultArgumentExtractor] - <No service could be extracted based on the given request>
2016-05-24 10:32:32,460 DEBUG [org.jasig.cas.web.support.DefaultArgumentExtractor] - <Extractor did not generate service.>
2016-05-24 10:32:32,460 DEBUG [org.jasig.cas.support.pac4j.web.flow.ClientAction] - <clientName: OidcClient>
2016-05-24 10:32:32,460 DEBUG [org.jasig.cas.support.pac4j.web.flow.ClientAction] - <client: <OidcClient> | name: OidcClient |>
2016-05-24 10:32:32,461 DEBUG [org.pac4j.oidc.client.OidcClient] - <Authentication request url : http://gen-dev.dhcp.meraka.csir.co.za:8000/authorize?response_type=code&client_id=860728&redirect_uri=http%3A%2F%2Fgen-dev.dhcp.meraka.csir.co.za%3A8080%2Fcas%2Flogin%3Fclient_name%3DOidcClient&scope=openid+profile&state=3nYYf3I7t4Be7eP3ekUWTv7ZthxnRkqtgct1xqg3Z-Y&display=page>
2016-05-24 10:32:32,461 DEBUG [org.jasig.cas.support.pac4j.web.flow.ClientAction] - <requires http action: {}
<RequiresHttpAction> | code: 302 |
    at org.pac4j.core.exception.RequiresHttpAction.redirect(RequiresHttpAction.java:50)
...
>
2016-05-24 10:32:32,489 DEBUG [org.jasig.cas.web.flow.InitialFlowSetupAction] - <Warning cookie path is set to null and path /cas/>
2016-05-24 10:32:32,490 DEBUG [org.jasig.cas.web.flow.InitialFlowSetupAction] - <TGC cookie path is set to null and path /cas/>
2016-05-24 10:32:32,490 DEBUG [org.jasig.cas.web.support.DefaultArgumentExtractor] - <No service could be extracted based on the given request>
2016-05-24 10:32:32,490 DEBUG [org.jasig.cas.web.support.DefaultArgumentExtractor] - <Extractor did not generate service.>
2016-05-24 10:32:32,491 DEBUG [org.jasig.cas.support.pac4j.web.flow.ClientAction] - <clientName: OidcClient>
2016-05-24 10:32:32,491 DEBUG [org.jasig.cas.support.pac4j.web.flow.ClientAction] - <client: <OidcClient> | name: OidcClient |>
2016-05-24 10:32:32,491 DEBUG [org.pac4j.oidc.client.OidcClient] - <Authentication response successful, get authorization code>
2016-05-24 10:32:32,491 DEBUG [org.jasig.cas.support.pac4j.web.flow.ClientAction] - <credentials: org.pac4j.oidc.credentials.OidcCredentials@514464be>
2016-05-24 10:32:32,492 DEBUG [org.jasig.cas.support.pac4j.web.flow.ClientAction] - <retrieve service: null>
2016-05-24 10:32:32,492 DEBUG [org.jasig.cas.support.pac4j.authentication.handler.support.ClientAuthenticationHandler] - <clientCredentials  org.jasig.cas.authentication.principal.ClientCredential@2b33af5f>
2016-05-24 10:32:32,492 DEBUG [org.jasig.cas.support.pac4j.authentication.handler.support.ClientAuthenticationHandler] - <clientName:  OidcClient>
2016-05-24 10:32:32,493 DEBUG [org.jasig.cas.support.pac4j.authentication.handler.support.ClientAuthenticationHandler] - <client: <OidcClient> | name: OidcClient |>
2016-05-24 10:32:32,493 DEBUG [org.pac4j.oidc.client.OidcClient] - <credentials : org.pac4j.oidc.credentials.OidcCredentials@514464be>
2016-05-24 10:32:32,498 DEBUG [org.pac4j.oidc.client.OidcClient] - <Token response: status=400, content={"error_description": "Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)", "error": "invalid_client"}
>
2016-05-24 10:32:32,499 ERROR [org.pac4j.oidc.client.OidcClient] - <Bad token response, error=invalid_client>
2016-05-24 10:32:32,499 DEBUG [org.jasig.cas.support.pac4j.authentication.handler.support.ClientAuthenticationHandler] - <userProfile: null>
2016-05-24 10:32:32,505 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <ClientAuthenticationHandler failed authenticating org.jasig.cas.authentication.principal.ClientCredential@2b33af5f>
2016-05-24 10:32:32,506 DEBUG [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <ClientAuthenticationHandler exception details: Authentication did not produce a user profile for: org.jasig.cas.authentication.principal.ClientCredential@2b33af5f>
2016-05-24 10:32:32,507 DEBUG [org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver] - <Resolving argument [AuthenticationTransaction] for audit>
2016-05-24 10:32:32,507 DEBUG [org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver] - <Resolving argument [ClientCredential] for audit>
2016-05-24 10:32:32,507 INFO [org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: org.jasig.cas.authentication.principal.ClientCredential@2b33af5f
WHAT: Supplied credentials: [org.jasig.cas.authentication.principal.ClientCredential@2b33af5f]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Tue May 24 10:32:32 GMT 2016
CLIENT IP ADDRESS: 146.64.28.93
SERVER IP ADDRESS: 172.18.0.2
=============================================================

>
2016-05-24 10:32:32,509 DEBUG [org.jasig.cas.web.FlowExecutionExceptionResolver] - <Ignoring the received exception due to a type mismatch
org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing org.jasig.cas.support.pac4j.web.flow.ClientAction@71a83b32 in state 'clientAction' of flow 'login' -- action execution attributes were 'map[[empty]]'

I've been at this for about two weeks with no success; can anyone point me in the right direction?
CAS version: 4.2.1
Tomcat: 7
Java 8

Jérôme LELEU

May 25, 2016, 1:59:56 AM
to Riaan Stegmann, CAS Community
Hi,

You get an error from your OpenID Connect provider when trying to retrieve the token (https://github.com/pac4j/pac4j/blob/1.8.x/pac4j-oidc/src/main/java/org/pac4j/oidc/client/OidcClient.java#L436)

2016-05-24 10:32:32,498 DEBUG [org.pac4j.oidc.client.OidcClient] - <Token response: status=400, content={"error_description": "Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)","error": "invalid_client"}
>
2016-05-24 10:32:32,499 ERROR [org.pac4j.oidc.client.OidcClient] - <Bad token response, error=invalid_client>

Don't you have anything relevant on the provider side logs ?

Thanks.
Best regards,
Jérôme


--
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To post to this group, send email to cas-...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/b9836a8c-861a-495d-898b-bf1995a819d5%40apereo.org.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.

Riaan Stegmann

May 25, 2016, 7:38:36 AM
to CAS Community, riaan...@gmail.com
Hi

So after my question I decided to test Google as an OIDC provider as well, and it turns out my redirect URI was incorrect, or more accurately, incomplete. It seems that CAS appends a parameter/query string to the redirect URI:
client_name=OidcClient
which I did not include in my provider redirect URI. This resulted in the error; after I changed that, I could authenticate via Google. Now I just need to change my provider to accept params as part of the redirect URI, and then I can go further.

Thank you

Jérôme LELEU

May 26, 2016, 7:19:17 AM
to Riaan Stegmann, CAS Community
Hi,

Indeed, it's the behaviour of the underlying pac4j library: the client_name is always specified on the callback endpoint, to be able to use multiple clients on the same callback URL.

Thanks.
Best regards,
Jérôme



Gena Batalski

Jun 23, 2017, 9:10:19 AM
to CAS Community, riaan...@gmail.com
Hello,

It seems that at least Azure doesn't accept additional query parameters anymore: the client_name is just removed from the redirect URL. I've found an article here explaining the problem. So I think the client_name should be changed in favour of extended state usage. As I understand it, the only allowed parameter for custom information is the state.

Also, it would be helpful to support different HTTP methods for redirect responses. For Azure this is done via response_mode=form_post.

Regards,

Gena
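As an added illustration of the two points raised in this thread (not code from CAS, pac4j or any poster): an OAuth 2.0 / OIDC provider compares the presented redirect_uri against the registered one exactly, including the query string, so a callback carrying an unregistered client_name=OidcClient is rejected with invalid_client; the alternative suggested above is to carry the client name inside a signed state value instead of the redirect URI. All URLs, the key and the client name are constructed for the example.

```python
"""Constructed example: exact redirect_uri matching and a signed state
that carries the pac4j-style client name without touching the redirect URI."""
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qsl, urlsplit

# Hypothetical server-side secret for signing state; constructed for the demo.
STATE_KEY = b"constructed-demo-key-do-not-reuse"
TAG_LEN = hashlib.sha256().digest_size

def redirect_uri_matches(registered: str, presented: str) -> bool:
    """RFC 6749 s3.1.2.2 / OIDC Core require an exact redirect_uri match.
    Scheme, host, path and the full set of query parameters must all agree,
    so an extra client_name parameter makes the check fail."""
    r, p = urlsplit(registered), urlsplit(presented)
    return (r.scheme, r.netloc, r.path, sorted(parse_qsl(r.query))) == \
           (p.scheme, p.netloc, p.path, sorted(parse_qsl(p.query)))

def make_state(client_name: str, key: bytes = STATE_KEY) -> str:
    """Pack a random nonce and the client name into state and HMAC it.
    The nonce still has to be stored in the user's session so the value
    keeps its CSRF-protection role; only the client name rides along."""
    body = json.dumps({"n": secrets.token_urlsafe(16), "c": client_name},
                      separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).rstrip(b"=").decode()

def parse_state(state: str, key: bytes = STATE_KEY):
    """Return the client name from a state value, or None if the tag
    does not verify (tampered value or wrong key)."""
    raw = base64.urlsafe_b64decode(state + "=" * (-len(state) % 4))
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)["c"]

# Constructed URLs mirroring the thread: CAS registered its plain callback,
# but pac4j presents the callback with client_name appended.
REGISTERED = "http://cas.example.test/cas/login"
PRESENTED = "http://cas.example.test/cas/login?client_name=OidcClient"

if __name__ == "__main__":
    print("registered matches presented:", redirect_uri_matches(REGISTERED, PRESENTED))
    st = make_state("OidcClient")
    print("client name recovered from state:", parse_state(st))
```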