CAS 6.3.7.4 Delegate Authentication breaks OAuth2/OIDC


Alfonso Vera

Feb 7, 2022, 12:07:59 AM2/7/22
to CAS Community
Hi all. We have a 6.3.7.3 installation and it works fine. I use an OIDC service without problem, but when I use delegated authentication multiple internal calls don't work.

Example:

2022-02-06 17:29:09,191 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <{"who":"alfonso.vera@xxxxxx","what":"TGT-4-*****H8qy45pStA-XXXX","action":"TICKET_GRANTING_TICKET_CREATED","application":"CAS","when":"Sun Feb 06 17:29:09 CET 2022","clientIpAddress":"X.Y.Z.Z","serverIpAddress":"X.Y.Z.X"}>
2022-02-06 17:29:09,243 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <{"who":"alfonso.vera@xxxxxx","what":"[result=Service Access Granted,service=https://oidc.service,requiredAttributes={}]","action":"SERVICE_ACCESS_ENFORCEMENT_TRIGGERED","application":"CAS","when":"Sun Feb 06 17:29:09 CET 2022","clientIpAddress":"X.Y.Z.Z","serverIpAddress":""X.Y.Z.X""}>
2022-02-06 17:29:09,258 INFO [org.apereo.cas.DefaultCentralAuthenticationService] - <Granted service ticket [ST-4-CcdY-FDXqU7kFJcycxWQ5koTK08-XXXX] for service [https://oidc.service] and principal [alfonso.vera@xxxxxxx]>
2022-02-06 17:29:09,258 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <{"who":"alfonso.vera@xxxxxx","what":"ST-4-CcdY-FDXqU7kFJcycxWQ5koTK08-XXXX for https://casserver.com/cas/oauth2.0/callbackAuthorize?client_id=webservice&redirect_uri=https%3A%2F%2Foicd.service%2F...","action":"SERVICE_TICKET_CREATED","application":"CAS","when":"Sun Feb 06 17:29:09 CET 2022","clientIpAddress":"155.54.193.217","serverIpAddress":"X.Y.Z.X""}>
2022-02-06 17:29:09,338 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <{"who":"audit:unknown","what":"[result=Service Access Granted,service=https://oidc.service,principal=SimplePrincipal(id=alfonso.vera@xxxxxx, attributes={bla,bla,bla}),requiredAttributes={}]","action":"SERVICE_ACCESS_ENFORCEMENT_TRIGGERED","application":"CAS","when":"Sun Feb 06 17:29:09 CET 2022","clientIpAddress":"X.Y.Z.Z","serverIpAddress":"X.Y.Z.X""}>
2022-02-06 17:29:09,354 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <{"who":"alfonso.vera@xxxxxx","what":"ST-4-CcdY-FDXqU7kFJcycxWQ5koTK08-XXXX for https://casserver.com/cas/oauth2.0/callbackAuthorize?client_id=webservice&redirect_uri=https%3A%2F%2Foidc.service%2F...","action":"SERVICE_TICKET_VALIDATE_SUCCESS","application":"CAS","when":"Sun Feb 06 17:29:09 CET 2022","clientIpAddress":"X.Y.Z.Z","serverIpAddress":"X.Y.Z.X"}>

blablabla OC-ticket etc...

But if we use the OIDC service with delegated authentication.....

2022-02-06 18:43:18,434 INFO [org.apereo.cas.web.flow.DelegatedClientAuthenticationAction] - <Credentials are successfully authenticated using the delegated client [delegateclient]>

2022-02-06 18:43:18,670 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <{"who":"iduser","what":"TGT-5-*****h0SWl2C7ZY-XXXXXXX","action":"TICKET_GRANTING_TICKET_CREATED","application":"CAS","when":"Sun Feb 06 18:43:18 CET 2022","clientIpAddress":"X.Y.Z.Z","serverIpAddress":"X.Y.Z.X"}>

2022-02-06 18:43:18,719 INFO [org.apereo.cas.DefaultCentralAuthenticationService] - <Granted service ticket [ST-5-eAKwsc-4Yc-94WBpZH6tJsoKOJk-XXXXXXX] for service [https://casserver.com/cas/oauth2.0/callbackAuthorize?client_id=webservice] and principal [iduser]>
2022-02-06 18:43:18,719 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <{"who":"iduser","what":"ST-5-eAKwsc-4Yc-94WBpZH6tJsoKOJk-XXXXXXX for https://casserver.com/cas/oauth2.0/callbackAuthorize?client_id=webservice","action":"SERVICE_TICKET_CREATED","application":"CAS","when":"Sun Feb 06 18:43:18 CET 2022","clientIpAddress":"155.54.193.217","serverIpAddress":"155.54.218.4"}>


022-02-06 18:43:18,777 DEBUG [org.apereo.cas.ticket.registry.AbstractTicketRegistry] - <Decoded ticket to [ST-5-eAKwsc-4Yc-94WBpZH6tJsoKOJk-XXXXXXX]>
2022-02-06 18:43:18,778 DEBUG [org.apereo.cas.DefaultCentralAuthenticationService] - <Resolved service [AbstractWebApplicationService(id=https://casserver.com/cas/oauth2.0/callbackAuthorize?client_id=webservice&client_name=CasOAuthClient, originalUrl=https://casserver.com/cas/oauth2.0/callbackAuthorize?client_id=webservice&client_name=CasOAuthClient, artifactId=ST-5-eAKwsc-4Yc-94WBpZH6tJsoKOJk-XXXXXXX, principal=null, source=null, loggedOutAlready=false, format=XML, attributes={client_name=[CasOAuthClient], client_id=[webservice]})] from the authentication request with service [AbstractWebApplicationService(id=https://casserver.com/cas/oauth2.0/callbackAuthorize?client_id=webservice, originalUrl=https://casserver.com/cas/oauth2.0/callbackAuthorize?client_id=webservice, artifactId=null, principal=iduser, source=service, loggedOutAlready=false, format=XML, attributes={response_type=[code], redirect_uri=[https://oidc.service], locale=[es], client_name=[Cl@veD, CasOAuthClient], client_id=[webservice]})] linked to service ticket [ST-5-eAKwsc-4Yc-94WBpZH6tJsoKOJk-XXXXXXX]>
2022-02-06 18:43:18,778 ERROR [org.apereo.cas.DefaultCentralAuthenticationService] - <Service ticket [ST-5-eAKwsc-4Yc-94WBpZH6tJsoKOJk-XXXXXXX] with service [https://casserver.com/cas/oauth2.0/callbackAuthorize?client_id=webservice] does not match supplied service [https://casserver.com/cas/oauth2.0/callbackAuthorize?client_id=webservice&client_name=CasOAuthClient]>

2022-02-06 18:43:18,783 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <{"who":"audit:unknown","what":"ST-5-eAKwsc-4Yc-94WBpZH6tJsoKOJk-elephas60 for https://entrada.test.um.es/cas/oauth2.0/callbackAuthorize?client_id=webservice&client_name=CasOAuthClient","action":"SERVICE_TICKET_VALIDATE_FAILED","application":"CAS","when":"Sun Feb 06 18:43:18 CET 2022","clientIpAddress":""X.Y.Z.Z"","serverIpAddress":"X.Y.Z.X"}>


The error seems clear, but these are internal calls and I don't know how to fix it.

I've tried importing this commit and it doesn't work: https://github.com/apereo/cas/pull/5166
I have tested version 6.4.x and it works fine.
Any ideas for 6.3.x?
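Added example for readers of this thread (it is not part of the original post or of CAS itself): a small log-side diagnostic that pairs inspektr audit events by service-ticket id and, for each SERVICE_TICKET_VALIDATE_FAILED, reports which query parameters of the supplied service differ from the service the ticket was issued for. On the lines above that is the extra `client_name=CasOAuthClient` appended to the OAuth callback URL, which CAS compares as part of the service identifier. The two log lines embedded below are constructed to mirror the format in the post; the ticket id `ST-5-EXAMPLE` and host `cas.example.org` are placeholders.

```python
"""Explain CAS SERVICE_TICKET_VALIDATE_FAILED audit events by diffing the
service URL the ticket was issued for against the one supplied at validation.

Added example, not CAS code. Sample log lines are constructed; ticket id and
hostname are placeholders.
"""
import json
import re
from urllib.parse import parse_qs, urlsplit

# inspektr's Slf4jLoggingAuditTrailManager writes its JSON payload as "<{...}>"
AUDIT_RE = re.compile(r"Slf4jLoggingAuditTrailManager\] - <(\{.*\})>\s*$")
# "what" of service-ticket events has the form "<ticket-id> for <service-url>"
WHAT_RE = re.compile(r"^(ST-\S+) for (\S+)$")

# Constructed sample modelled on the post (placeholder ticket id and host).
SAMPLE_LOG = (
    '2022-02-06 18:43:18,719 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - '
    '<{"who":"iduser","what":"ST-5-EXAMPLE for https://cas.example.org/cas/oauth2.0/callbackAuthorize?client_id=webservice",'
    '"action":"SERVICE_TICKET_CREATED","application":"CAS","when":"Sun Feb 06 18:43:18 CET 2022",'
    '"clientIpAddress":"10.0.0.1","serverIpAddress":"10.0.0.2"}>\n'
    '2022-02-06 18:43:18,783 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - '
    '<{"who":"audit:unknown","what":"ST-5-EXAMPLE for https://cas.example.org/cas/oauth2.0/callbackAuthorize?client_id=webservice&client_name=CasOAuthClient",'
    '"action":"SERVICE_TICKET_VALIDATE_FAILED","application":"CAS","when":"Sun Feb 06 18:43:18 CET 2022",'
    '"clientIpAddress":"10.0.0.1","serverIpAddress":"10.0.0.2"}>\n'
)


def parse_audit_events(text):
    """Return the JSON payloads of all parseable inspektr audit lines, in order."""
    events = []
    for line in text.splitlines():
        m = AUDIT_RE.search(line)
        if not m:
            continue
        try:
            events.append(json.loads(m.group(1)))
        except json.JSONDecodeError:
            continue  # malformed payload (e.g. doubled quotes): skip, don't crash
    return events


def split_ticket_event(event):
    """Extract (ticket_id, service_url) from a service-ticket audit event."""
    m = WHAT_RE.match(event.get("what", ""))
    return (m.group(1), m.group(2)) if m else (None, None)


def query_diff(issued_url, supplied_url):
    """Return (only_in_issued, only_in_supplied, changed_values) parameter names."""
    a = parse_qs(urlsplit(issued_url).query, keep_blank_values=True)
    b = parse_qs(urlsplit(supplied_url).query, keep_blank_values=True)
    only_a = sorted(set(a) - set(b))
    only_b = sorted(set(b) - set(a))
    changed = sorted(k for k in set(a) & set(b) if a[k] != b[k])
    return only_a, only_b, changed


def same_base(url_a, url_b):
    """True when scheme, host and path agree and only the query string differs."""
    pa, pb = urlsplit(url_a), urlsplit(url_b)
    return (pa.scheme, pa.netloc, pa.path) == (pb.scheme, pb.netloc, pb.path)


def explain_validation_failures(text):
    """Pair CREATED/VALIDATE_FAILED events by ticket id and describe the mismatch."""
    issued = {}
    findings = []
    for ev in parse_audit_events(text):
        ticket, service = split_ticket_event(ev)
        if ticket is None:
            continue  # TGT events and non-ticket audits are not relevant here
        action = ev.get("action")
        if action == "SERVICE_TICKET_CREATED":
            issued[ticket] = service
        elif action == "SERVICE_TICKET_VALIDATE_FAILED":
            orig = issued.get(ticket)
            if orig is None:
                findings.append({"ticket": ticket, "reason": "no SERVICE_TICKET_CREATED seen"})
                continue
            only_issued, only_supplied, changed = query_diff(orig, service)
            findings.append({
                "ticket": ticket,
                "issued_for": orig,
                "supplied": service,
                "same_base": same_base(orig, service),
                "only_in_issued": only_issued,
                "only_in_supplied": only_supplied,
                "changed_values": changed,
            })
    return findings


if __name__ == "__main__":
    for f in explain_validation_failures(SAMPLE_LOG):
        print(json.dumps(f, indent=2))
```

Run it against a real `cas.log` (read the file into `explain_validation_failures`) and a finding with `same_base` true and a single name under `only_in_supplied` points at exactly the situation in the post: the ticket and the validating request refer to the same callback endpoint, but the validating side carried an additional parameter, so the string-for-string service match fails.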