Android WebView in Gmail App Fails Due to CAS 7.x LocalStorage Usage


Mark Oliver

Jan 6, 2025, 9:36:31 AM
to CAS Community
Hello,

We recently attempted to upgrade our CAS installation from 6.6 to 7.x and encountered a blocking issue with Android’s embedded WebView (specifically in the Gmail app).

In CAS 7.x, the default src/main/static/js/cas.js file appears to rely more heavily on localStorage. However, the Gmail app’s built-in WebView which is used for registering an account does not properly support localStorage. This leads to errors in the authentication flow, causing the WebView browser to hang after CAS credentials are submitted. In CAS 6.6, the code primarily used sessionStorage, and this issue never arose.

To work around the problem, I’ve updated cas.js so that it first checks if localStorage is available, and if not, it falls back to an in-memory object or to sessionStorage. This resolves the problem for our users.

- So firstly, is this a known issue? As of 7.1.3 that issue still remains.
- If a fix is welcome, where should I submit a pull request for the src/main/static/js/cas.js file?

Cheers.
Mark
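
The fallback Mark describes (probe localStorage, otherwise use sessionStorage or an in-memory object), written out as an added example; this is not the CAS project's cas.js nor Mark's patch, and the function names `storageIsUsable`, `selectStorage` and `createMemoryStorage` are my own. The probe treats a null storage object and a throwing property access as "unavailable", which is exactly what the `Cannot read properties of null (reading 'removeItem')` failure mode in a restricted WebView looks like.

```javascript
// Added example (not CAS project code): pick a Web Storage backend defensively.
// Restricted embedded WebViews may expose window.localStorage as null, or throw
// on access; either case must not abort the login flow.

// In-memory fallback implementing the subset of the Storage interface used here.
function createMemoryStorage() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
    removeItem: (k) => { data.delete(k); },
  };
}

// A storage backend counts as usable only if the object exists and a
// set/get/remove round-trip succeeds. The backend is passed as a getter
// because merely reading window.localStorage can throw in some WebViews.
function storageIsUsable(getStorage) {
  try {
    const s = getStorage();
    if (!s) return false;                  // null/undefined storage object
    const probeKey = "__storage_probe__";  // constructed probe key
    s.setItem(probeKey, "1");
    const ok = s.getItem(probeKey) === "1";
    s.removeItem(probeKey);
    return ok;
  } catch (e) {
    return false;                          // SecurityError, QuotaExceededError, ...
  }
}

// Return the first usable candidate in priority order, else an in-memory store.
// Each candidate is { kind: <label>, get: <function returning the storage> }.
function selectStorage(candidates) {
  for (const c of candidates) {
    if (storageIsUsable(c.get)) {
      return { kind: c.kind, storage: c.get() };
    }
  }
  return { kind: "memory", storage: createMemoryStorage() };
}

// Browser wiring: prefer localStorage, then sessionStorage, then memory.
function browserStorageCandidates() {
  return [
    { kind: "localStorage", get: () => globalThis.localStorage },
    { kind: "sessionStorage", get: () => globalThis.sessionStorage },
  ];
}

// Usage in a page script: const { kind, storage } = selectStorage(browserStorageCandidates());
```

One caveat that matches the outcome later in this thread: the in-memory fallback only lives as long as the current document, so any flow that writes a value on one interstitial page and reads it back after a navigation will still break on it. sessionStorage survives navigations within the tab, which is why relying solely on sessionStorage is the more robust choice when localStorage is unavailable.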

Ray Bon

Jan 7, 2025, 1:26:59 AM
to cas-...@apereo.org
Message has been deleted

Jonathon Taylor

Mar 6, 2025, 8:52:01 AM
to cas-...@apereo.org
Hi Mark,

We are running into this same issue.  Would you mind pointing me to what in the master branch version resolved this issue for you?  We are seeing the issue with 7.1.4 currently.

On Thu, Jan 9, 2025 at 9:12 AM 'Mark Oliver' via CAS Community <cas-...@apereo.org> wrote:
Thanks Ray,

I was able to find the latest file on the master branch which looks like it's been fixed:
https://github.com/apereo/cas/blob/master/support/cas-server-support-thymeleaf/src/main/resources/static/js/cas.js

Cheers.
Mark
--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/0f4c6d2c-a7b3-461f-9dee-d448da800e8bn%40apereo.org.


--
Jonathon Taylor (he/him)
Information Security Office

Mark Oliver

Mar 12, 2025, 9:00:46 AM
to CAS Community, Jonathon Taylor
Hi Jonathon,

Unfortunately, that was a mistake on my part—a fix isn’t in the mentioned file.

I did submit a pull request for a fix here, but it was rejected because it changed the core functionality of CAS, and the project doesn’t want to maintain that, which is fair enough:

Going forward, we’re managing our own version of the file. Given that, I’ve simplified it by solely relying on sessionStorage.

Cheers,
Mark

David Gelhar

Apr 2, 2025, 9:18:50 AM
to CAS Community, Mark Oliver, Jonathon Taylor
Hi Mark,

Thank you for posting that pull request. We have encountered similar problems since upgrading to CAS7 so your analysis (and workaround) is going to prove very helpful.

The attitude of the CAS project around this issue is frankly incomprehensible. They have introduced a change that completely breaks authentication for a very significant user population (Gmail on an Android device is not exactly an "edge case"), and then declined to accept a fix because it would be "not worth maintaining".

Thanks,

David

Jonathon Taylor

Apr 10, 2025, 11:38:35 AM
to David Gelhar, CAS Community, Mark Oliver
Agreed.  This does not just affect Gmail on Android, but also common applications such as GlobalProtect VPN clients and I'm sure other commonly used software.  I do appreciate the pull request and we will likely be using the solution Mark posted.

Jonathon Taylor

Apr 10, 2025, 10:38:14 PM
to David Gelhar, CAS Community, Mark Oliver
Hi All,

There appears to be a potential solution for this being worked on in the 7.3.0-SNAPSHOT version of CAS.  The commit is here:

https://github.com/apereo/cas/commit/bf27b046e43029666dea64aba1a866bb67c010e9

I just tested this by changing my 7.2.1-SNAPSHOT build to 7.3.0-SNAPSHOT.  You can then use this property:

# This defaults to BROWSER_STORAGE
cas.authn.mfa.duo[0].session-storage-type=TICKET_REGISTRY

This appears to work and skips the interstitial pages that read/write from localstorage in the browser.  I have not yet tested this for Android but will.

Jonathon Taylor

Apr 10, 2025, 10:38:27 PM
to David Gelhar, CAS Community, Mark Oliver
I can confirm that this fixed my issue with our Palo Alto Global Protect VPN client, which requires the Android WebView.  I do not have a way to test the Gmail app in my QA environment but I suspect it will be the same.

Thanks Misagh if you are reading this.  Hopefully this can be backported into the 7.2 branch :-)

Mark Oliver

Apr 11, 2025, 12:52:28 PM
to Jonathon Taylor, David Gelhar, CAS Community
That's a great find! Thanks for sharing that and testing it out. I'll be watching out for the new release :-)

Cheers.
Mark
--

Mark Oliver,
Snr DevOps Engineer,
Internet Systems,
IT Services, The University of Sheffield.
Tel: +44 114 22 21144

Carl Waldbieser

Apr 11, 2025, 3:58:01 PM
to cas-...@apereo.org, Jonathon Taylor, David Gelhar
It is in the online docs, now: https://apereo.github.io/cas/development/mfa/DuoSecurity-Authentication.html

I can confirm that the following setting corrected the related Gmail app for Android issue at Lafayette College in CAS v7.1.6.

cas.authn.mfa.duo[0].session-storage-type=TICKET_REGISTRY

Thanks,
Carl Waldbieser
ITS
Lafayette College


Mike Osterman

Jun 3, 2025, 2:24:30 PM
to cas-...@apereo.org, Jonathon Taylor, David Gelhar
For the next person encountering this, adding the actual error message to the thread we were seeing so it will show up in search:

Unable to proceed to the next step

TypeError: Cannot read properties of null (reading 'removeItem')


Thanks,

Mike


Derek Badge

Jan 11, 2026, 12:41:16 AM
to CAS Community, Mike Osterman, Jonathon Taylor, David Gelhar
And cas.authn.mfa.duo[0].session-storage-type=TICKET_REGISTRY is deprecated now; anyone have eyes on what is supposed to fix this when this is removed?

Jonathon Taylor

Jan 13, 2026, 11:53:19 AM
to Derek Badge, CAS Community, Mike Osterman, David Gelhar
I believe the intention is for this added dependency to handle it:

I did try it with 7.3.x and I was still seeing the LocalStorage redirect so I opted to keep the deprecated settings for now since we are rushing to upgrade to 7.3.  If you are able to test that and have different results please let me know!

Davis Carlson

Jan 13, 2026, 12:28:58 PM
to CAS Community, Jonathon Taylor, CAS Community, Mike Osterman, David Gelhar, Derek Badge
Slightly off-topic, but in the same vein:

We are also in a rush to get to 7.3.x and with the deprecation of the cas.authn.oauth.session-replication.cookie.* settings we are testing with the "cas-server-support-session-ticket-registry" dependency to handle OIDC auth across multiple nodes. However we are seeing strange looping behavior during login and the logs of CAS still seem to want to generate the oauth session-replication cookie keys -- ultimately it doesn't seem to be as easy of a solution as flipping on the new  support-session-ticket-registry...

We might also look at keeping the deprecated settings around for now.