CAS 4.2.1 as google openid connect client


Bryce Nordgren
May 2, 2016, 5:07:41 PM
to CAS Community
Trying to add Google as an OpenID Connect provider to a CAS 4.2.1 installation having LDAP/AD. Following the instructions on http://jasig.github.io/cas/4.2.x/integration/Delegate-Authentication.html, I added the dependency to the pom and redeployed the webapp. I got a client id and a secret from google, and placed them in the cas.properties file (but I have a lot of blanks I don't know what to do with): 

cas.pac4j.oidc.id=<mine>.apps.googleusercontent.com
cas.pac4j.oidc.secret=<secret>
cas.pac4j.oidc.discoveryUri=https://accounts.google.com/.well-known/openid-configuration
# cas.pac4j.oidc.useNonce=
# cas.pac4j.oidc.preferredJwsAlgorithm=
# cas.pac4j.oidc.maxClockSkew=
# cas.pac4j.oidc.customParamKey1=
# cas.pac4j.oidc.customParamValue1=
# cas.pac4j.oidc.customParamKey2=
# cas.pac4j.oidc.customParamValue2=

When I go to the login screen, it says "Or login with: Oidc". First, I want that to say "or login with Google" and show the google logo. Is there a way to do that? Second, clicking on the link just takes me to my own site and displays the error page:

2016-05-02 20:03:00,762 DEBUG [org.jasig.cas.support.pac4j.web.flow.ClientAction] - Oidc -> http://mine:8080/cas/login?client_name=OidcClient&needs_client_redirection=true

Note: instead of "mine:8080", the log actually lists my real DNS name. Also, I'm proxying through apache httpd, and until now I had no reason to have port 8080 open. Can I make it use https://mine:443/? I have found nothing in the logs related to landing on the error page. However, when Tomcat starts up, I get many errors similar to these:

SEVERE: Unable to process Jar entry [javassist/util/proxy/SerializedProxy.class] from Jar [jar:file:/usr/share/tomcat/webapps/cas/WEB-INF/lib/javassist-3.19.0-GA.jar!/] for annotations
java.io.EOFException

These errors were not present before I added the pac4j maven dependency. I've seen some indications on the web that I might be able to ignore this(?): https://bz.apache.org/bugzilla/show_bug.cgi?id=57173#c16

I am using a Centos 7 box with Tomcat 7.0.54 and this environment:

******************** Welcome to CAS *******************
CAS Version: 4.2.1
Build Date/Time: 2016-04-01T05:04:30.000Z
Java Home: /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.91-0.b14.el7_2.x86_64/jre
Java Vendor: Oracle Corporation
Java Version: 1.8.0_91
OS Architecture: amd64
OS Name: Linux
OS Version: 3.10.0-327.13.1.el7.x86_64
*******************************************************

Any help would be appreciated.
Thanks much,
Bryce


Misagh Moayyed
May 2, 2016, 6:19:43 PM
to CAS Community

1. Yes. Edit the Login Page with your own text.

2. You'll need to modify your cas.properties with the correct CAS prefix, etc.

3. Likely an issue with that tomcat version. Upgrade and don't use the packaged tomcat on CentOS.

--
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To post to this group, send email to cas-...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/be524d4e-9e2c-4e91-965e-1b6eb2a65c64%40apereo.org.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.
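To tie the two points together (the blank pac4j properties in the first post and the "correct CAS prefix" in the reply), here is an added cas.properties fragment. It is an example written for this page, not configuration from either poster or from the CAS project. The `server.name` / `server.prefix` keys are the standard CAS 4.x properties that CAS uses to build its own URLs; the host name `cas.example.org` is a placeholder, and the nonce, JWS algorithm and clock-skew values are reasonable defaults for Google, not values the thread states.

```properties
# Added example, not from the thread. Host names are placeholders.

# What the browser (and Google) see. With Apache httpd terminating TLS in
# front of Tomcat, this is the public https name on 443, NOT tomcat:8080;
# CAS builds the pac4j callback from server.prefix, which is why the log in
# the first post showed a redirect to http://mine:8080/cas/login?...
server.name=https://cas.example.org
server.prefix=${server.name}/cas

# Google OpenID Connect client via pac4j. Values come from the Google API console.
cas.pac4j.oidc.id=<client-id>.apps.googleusercontent.com
cas.pac4j.oidc.secret=<client-secret>
cas.pac4j.oidc.discoveryUri=https://accounts.google.com/.well-known/openid-configuration

# Replay protection: send a nonce on the authentication request and verify
# it in the returned id_token.
cas.pac4j.oidc.useNonce=true
# Google signs id_tokens with RS256; pinning the algorithm avoids accepting
# a weaker one the provider may also advertise.
cas.pac4j.oidc.preferredJwsAlgorithm=RS256
# Tolerated clock skew (seconds) when checking iat/exp on the id_token.
cas.pac4j.oidc.maxClockSkew=30
```

The redirect URI you register with Google must match what CAS actually sends, which from the log line in the first post is `${server.prefix}/login?client_name=OidcClient`, i.e. `https://cas.example.org/cas/login?client_name=OidcClient` with the values above. Registering the bare `http://host:8080/cas` URL (as the earlier, unprefixed log line would suggest) is the usual cause of Google rejecting the callback; keep the secret out of any world-readable copy of cas.properties.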

Aymar Anli
Aug 16, 2016, 10:23:19 AM
to CAS Community
Hi,

It doesn't work for me either.

In cas.properties
 cas.pac4j.oidc.id=<xxx>.apps.googleusercontent.com
 cas.pac4j.oidc.secret=<xxx>
 cas.pac4j.oidc.discoveryUri=https://accounts.google.com/.well-known/openid-configuration

I get "Cas is Unavailable" when I click the Oidc link (http://localhost:8080/cas/login?client_name=OidcClient&needs_client_redirection=true)

Nothing special in the log file (debug level).

CAS 4.2.4
test with tomcat 7.0.69 and tomcat 8.5.4
java 1.7.0_95

Note: it works well with an OAuth server (facebook) and with a CAS server, but not with OIDC (google).

Any help would be appreciated,
Regards,
Aymar

Jérôme LELEU
Aug 17, 2016, 4:26:34 AM
to Aymar Anli, CAS Community
Hi,

I just upgraded my demo with OpenID Connect support: https://github.com/leleuj/cas-pac4j-oauth-demo/commit/634c8b5564e50b4e98cf9addeb46c6887cace69f and it works for 4.2.3 and 4.2.4.

The "Oidc" link redirects me to Google.

Thanks.
Best regards,
Jérôme



Aymar Anli
Aug 17, 2016, 10:13:30 AM
to CAS Community, aa...@univ-paris1.fr

Hi Jérôme,

Thx very much for your reply.
Oidc works well with your demo.
Note: your demo google oidc id doesn't authorize http://localhost:8080 URI

If I follow instructions at 
https://apereo.github.io/cas/4.2.x/integration/Delegate-Authentication.html 
it doesn't work.
In your demo pom.xml you included other dependencies instead of 
"cas-server-support-pac4j-webflow".

Thanks,
regards,
Aymar

Misagh Moayyed
Aug 17, 2016, 12:46:05 PM
to CAS Community

Aymar Anli
Aug 31, 2016, 12:04:59 PM
to CAS Community, mmoa...@unicon.net
- issue done
- bug fixed in cas 4.2.5

It works well now for me (test with tomcat 7 and cas 4.2.5-SNAPSHOT)

Thx very much Misagh!
Best regards

Aymar Anli
Aug 31, 2016, 12:09:49 PM
to CAS Community, mmoa...@unicon.net
for precision, I tested with FranceConnect Oidc server