Android WebView in Gmail App Fails Due to CAS 7.x LocalStorage Usage

[Mark Oliver]

Hello,

We recently attempted to upgrade our CAS installation from 6.6 to 7.x and encountered a blocking issue with Android’s embedded WebView (specifically in the Gmail app).

In CAS 7.x, the default src/main/static/js/cas.js file appears to rely more heavily on localStorage. However, the Gmail app’s built-in WebView which is used for registering an account does not properly support localStorage. This leads to errors in the authentication flow, causing the WebView browser to hang after CAS credentials are submitted. In CAS 6.6, the code primarily used sessionStorage, and this issue never arose.

To work around the problem, I’ve updated cas.js so that it first checks if localStorage is available, and if not, it falls back to an in-memory object or to sessionStorage. This resolves the problem for our users.

- So firstly is this a known issue, as of 7.1.3 that issue still remains.
- If a fix is welcome, where should I submit a pull request for the src/main/static/js/cas.js file?

Cheers.
Mark

[Ray Bon]

Mark,

You can start with https://apereo.github.io/cas/developer/Contributor-Guidelines.html

Ray

[Jonathon Taylor]

Hi Mark,

We are running into this same issue.  Would you mind pointing me to what in the master branch version resolved this issue for you?  We are seeing the issue with 7.1.4 currently.

On Thu, Jan 9, 2025 at 9:12 AM 'Mark Oliver' via CAS Community <cas-...@apereo.org> wrote:

Thanks Ray,

I was able to find the latest file on the master branch which looks like it's been fixed:
https://github.com/apereo/cas/blob/master/support/cas-server-support-thymeleaf/src/main/resources/static/js/cas.js

Cheers.
Mark

--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/0f4c6d2c-a7b3-461f-9dee-d448da800e8bn%40apereo.org.

--

Jonathon Taylor (he/him)

Information Security Office

jona...@berkeley.edu

[Mark Oliver]

Hi Jonathan,

Unfortunately, that was a mistake on my part—a fix isn’t in the mentioned file.

I did submit a pull request for a fix here, but it was rejected because it changed the core functionality of CAS, and the project doesn’t want to maintain that, which is fair enough:

https://github.com/apereo/cas/pull/6305

Going forward, we’re managing our own version of the file. Given that, I’ve simplified it by solely relying on sessionStorage.

Cheers,

Mark

[David Gelhar]

Hi Mark,

Thank you for posting that pull request. We have encountered similar problems since upgrading to CAS7 so your analysis (and workaround) is going to prove very helpful.

The attitude of the CAS project around this issue is frankly incomprehensible. They have introduced a change that completely breaks authentication for a very significant user population (Gmail on an Andoid device is not exactly a "edge case"), and then declined to accept a fix because it would be "not worth maintaining". 

Thanks,

David

[Jonathon Taylor]

Agreed.  This does not just affect Gmail on Android, but also common applications such as GlobalProtect VPN clients and I'm sure other commonly used software.  I do appreciate the pull request and we will likely be using the solution Mark posted.

[Jonathon Taylor]

Hi All,

There appears to be a potential solution for this being worked on in the 7.3.0-SNAPSHOT version of CAS.  The commit is here:

https://github.com/apereo/cas/commit/bf27b046e43029666dea64aba1a866bb67c010e9

I just tested this by changing my 7.2.1-SNAPSHOT build to 7.3.0-SNAPSHOT.  You can then use this property:

# This defaults to BROWSER_STORAGE

cas.authn.mfa.duo[0].session-storage-type=TICKET_REGISTRY

This appears to work and skips the interstitial pages that read/write from localstorage in the browser.  I have not yet tested this for Android but will.

[Jonathon Taylor]

I can confirm that this fixed my issue with our Palo Alto Global Protect VPN client, which requires the Android WebView.  I do not have a way to test the Gmail app in my QA environment but I suspect it will be the same.

Thanks Misagh if you are reading this.  Hopefully this can be backported into the 7.2 branch :-)

[Mark Oliver]

That's a great find! Thanks for sharing that and testing it out. I'll be watching out for the new release :-)

Cheers.

Mark

--

Mark Oliver,
Snr DevOps Engineer,
Internet Systems,
IT Services, The University of Sheffield.
Tel: +44 114 22 21144

[Carl Waldbieser]

It is in the online docs, now: https://apereo.github.io/cas/development/mfa/DuoSecurity-Authentication.html

I can confirm that the following setting corrected the related GMail app for android issue at Lafayette College in CAS v7.1.6.

cas.authn.mfa.duo[0].session-storage-type=TICKET_REGISTRY

Thanks,

Carl Waldbieser

ITS

Lafayette College

To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CALb7P%3Dqs4OS%3Dhpd%3Dn5B6iMJmAr6py5xJRmJWoOR_H21kkb5kUg%40mail.gmail.com.

[Mike Osterman]

For the next person encountering this, adding the actual error message to the thread we were seeing so it will show up in search:

Unable to proceed to the next step

TypeError: Cannot read properties of null (reading 'removeltem')

Thanks,

Mike

To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CALb7P%3Dqs4OS%3Dhpd%3Dn5B6iMJmAr6py5xJRmJWoOR_H21kkb5kUg%40mail.gmail.com.

[Derek Badge]

And  cas.authn.mfa.duo[0].session-storage-type=TICKET_REGISTRY  is deprecated now, anyone have eyes on what is supposed to fix this when this is removed?

[Jonathon Taylor]

I believe the intention is for this added dependency to handle it:

https://apereo.github.io/cas/7.3.x/webflow/Webflow-Customization-Sessions-ServerSide-TicketRegistry.html

I did try it with 7.3.x and I was still seeing the LocalStorage redirect so I opted to keep the deprecated settings for now since we are rushing to upgrade to 7.3.  If you are able to test that and have different results please let me know!

[Davis Carlson]

Slightly off-topic, but in the same vein:

We are also in a rush to get to 7.3.x and with the deprecation of the cas.authn.oauth.session-replication.cookie.* settings we are testing with the "cas-server-support-session-ticket-registry" dependency to handle OIDC auth across multiple nodes. However we are seeing strange looping behavior during login and the logs of CAS still seem to want to generate the oauth session-replication cookie keys -- ultimately it doesn't seem to be as easy of a solution as flipping on the new  support-session-ticket-registry...

We might also look at keeping the deprecated settings around for now.

[Derek Badge]

Hi Kelly,

It is displayed during startup on cas, for example:

Mar 25 16:52:45 castest01 java[1363106]: 2026-03-25T20:52:45,803 WARN [?] - <
Mar 25 16:52:45 castest01 java[1363106]: The following settings are deprecated and scheduled to be removed in future releases of CAS. Please review the replacement settings where applicable and update your configuration accordingly.
Mar 25 16:52:45 castest01 java[1363106]:         - Deprecated Property: cas.authn.mfa.duo[0].session-storage-type = TICKET_REGISTRY

On Wed, Mar 25, 2026 at 4:46 PM Kelly Geng <ge...@miamioh.edu> wrote:

Hi Derek,

We are running into the same issue, but I couldn't find any info about that property being deprecated. Can you inform us where you get that from? That'll help us identify a solution.

Thanks,

Kelly

[Kelly Geng]

Hi Derek,

We are running into the same issue, but I couldn't find any info about that property being deprecated. Can you inform us where you get that from? That'll help us identify a solution.

Thanks,

Kelly

On Sunday, January 11, 2026 at 12:41:16 AM UTC-5 Derek Badge wrote: