Hello,
I'm currently upgrading my CAS from 7.2 to 7.3.
I have a regression on my PAC4j delegated OIDC.
Has anyone experienced this issue, or is anyone aware of changes in 7.3? I didn't see linked changes in the CAS 7.3 RC's changelog.
Thanks :)
2026-02-19 11:16:56,739 DEBUG [org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationRedirectAction] - <Redirecting client [FranceConnect] based on identifier [TST-1-****************TBp-pP6-7f3c2b761bc8]>
2026-02-19 11:16:56,740 DEBUG [org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationRedirectAction] - <Redirecting to [https://fcp-low.integ01.dev-franceconnect.fr/api/v2/authorize?scope=openid%20given_name%20family_name%20birthdate%20birthplace%20birthcountry%20preferred_username&acr_values=eidas1&claims=%7B%22id_token%22%3A%7B%22amr%22%3A%7B%22essential%22%3Atrue%7D%7D%7D&response_type=code&redirect_uri=https%3A%2F%2Fcas-dev.fqdn.fr%2Fcas%2Flogin%2FFranceConnect&state=12345&nonce=6789] via client [FranceConnect]>
// LOGIN //
2026-02-19 11:17:08,596 DEBUG [org.apereo.cas.web.flow.controller.DefaultDelegatedAuthenticationNavigationController] - <Received response from client [FranceConnect]; Redirecting to [https://cas-dev.fqdn.fr/cas/login?code=oBJ74fVZvkezMQSdu5L7NNVUoJwhgcwzZlOOryIEMXg&state=999&iss=https%3A%2F%2Ffcp-low.integ01.dev-franceconnect.fr%2Fapi%2Fv2&client_name=FranceConnect]>
2026-02-19 11:17:08,667 DEBUG [org.apereo.cas.web.flow.CasFlowHandlerMapping] - <Mapped to [FlowHandlerMapping.DefaultFlowHandler@24f51b6c]>
2026-02-19 11:17:08,672 DEBUG [org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager] - <Located delegated client identifier []>
2026-02-19 11:17:08,672 INFO [org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager] - <Delegated client identifier [] is undefined in request URL [https://cas-dev.fqdn.fr/cas/login?code=oBJ74fVZvkezMQSdu5L7NNVUoJwhgcwzZlOOryIEMXg&state=999&iss=https%3A%2F%2Ffcp-low.integ01.dev-franceconnect.fr%2Fapi%2Fv2&client_name=FranceConnect]>
2026-02-19 11:17:08,673 DEBUG [org.apereo.cas.authentication.principal.DefaultDelegatedAuthenticationCredentialExtractor] - <Fetching credentials from delegated client [OidcClient(super=IndirectClient(super=BaseClient(name=FranceConnect, authorizationGenerators=[], credentialsExtractor=org.pac4j.oidc.credentials.extractor.OidcCredentialsExtractor@6fae47b2, authenticator=org.pac4j.oidc.credentials.authenticator.OidcAuthenticator@419b23f3, profileCreator=InitializableObject(initialized=false, maxAttempts=3, nbAttempts=0, lastAttempt=null, minTimeIntervalBetweenAttemptsInMilliseconds=5000), customProperties={autoRedirectType=NONE, cssClass=franceconnect, displayName=Se connecter avec France Connect}, profileFactoryWhenNotAuthenticated=null, multiProfile=false, saveProfileInSession=true, config=null), callbackUrl=https://cas-dev.fqdn.fr/cas/login, urlResolver=org.pac4j.core.http.url.DefaultUrlResolver@61f7cde6, callbackUrlResolver=org.pac4j.core.http.callback.PathParameterCallbackUrlResolver@42780018, ajaxRequestResolver=org.pac4j.core.http.ajax.DefaultAjaxRequestResolver@f94a4b5, redirectionActionBuilder=org.pac4j.oidc.redirect.OidcRedirectionActionBuilder@71eb34d1, logoutProcessor=org.pac4j.oidc.logout.processor.OidcLogoutProcessor@2e2c5ff7, logoutActionBuilder=org.pac4j.oidc.logout.OidcLogoutActionBuilder@2cd6e2ea, checkAuthenticationAttempt=true), configuration=OidcConfiguration(clientId=377f9c3fd633bb7f85362d6b97aea642101916336709c051c3d0816fd83e4e0e, discoveryURI=https://fcp-low.integ01.dev-franceconnect.fr/api/v2/.well-known/openid-configuration, scope=openid,given_name,family_name,birthdate,birthplace,birthcountry,preferred_username, customParams={claims={"id_token": {"amr": {"essential": true } } }, acr_values=eidas1}, clientAuthenticationMethod=null, supportedClientAuthenticationMethods=null, privateKeyJWTClientAuthnMethodConfig=null, useNonce=true, disablePkce=true, pkceMethod=null, preferredJwsAlgorithm=ES256, maxAge=null, maxClockSkew=5, 
resourceRetriever=org.pac4j.oidc.config.OidcConfiguration$OidcResourceRetriever@6cd4ac9, responseType=code, responseMode=null, logoutUrl=null, connectTimeout=5000, readTimeout=5000, withState=true, mappedClaims={}, stateGenerator=org.pac4j.core.util.generator.RandomValueGenerator@2ea8bb7d, codeVerifierGenerator=org.pac4j.core.util.generator.RandomValueGenerator@62378ab8, valueRetriever=org.pac4j.oidc.util.SessionStoreValueRetriever@79edf5a6, expireSessionWithToken=false, tokenExpirationAdvance=0, allowUnsignedIdTokens=false, includeAccessTokenClaimsInProfile=false, sslSocketFactory=sun.security.ssl.SSLSocketFactoryImpl@188d92f9, callUserInfoEndpoint=true, hostnameVerifier=org.apache.hc.client5.http.ssl.DefaultHostnameVerifier@151a6350, opMetadataResolver=InitializableObject(initialized=true, maxAttempts=3, nbAttempts=1, lastAttempt=1771499816004, minTimeIntervalBetweenAttemptsInMilliseconds=5000), logoutValidation=true))]>
2026-02-19 11:17:08,676 DEBUG [org.pac4j.oidc.credentials.extractor.OidcCredentialsExtractor] - <Authentication response successful>
2026-02-19 11:17:08,780 DEBUG [org.pac4j.core.resource.SpringResourceLoader] - <lastModified: 0 / newLastModified: 0 -> hasChanged: false>
2026-02-19 11:17:08,781 DEBUG [org.pac4j.oidc.client.OidcClient] - <no credentials and profile returned -> remember the authentication attempt>
2026-02-19 11:17:08,781 DEBUG [org.pac4j.oidc.client.OidcClient] - <save authentication attempt in session>
2026-02-19 11:17:08,781 DEBUG [org.apereo.cas.ticket.registry.AbstractMapBasedTicketRegistry] - <Putting ticket [TST-844ad5a8-c34c-46ef-9dc0-dd2242cfa147] in registry.>
2026-02-19 11:17:08,784 WARN [org.apereo.cas.util.function.FunctionUtils] - <State cannot be determined>
org.pac4j.oidc.exceptions.OidcMissingSessionStateException: State cannot be determined
at org.pac4j.oidc.credentials.extractor.OidcCredentialsExtractor.lambda$extract$0(OidcCredentialsExtractor.java:141)
at java.base/java.util.Optional.orElseThrow(Optional.java:403)
at org.pac4j.oidc.credentials.extractor.OidcCredentialsExtractor.extract(OidcCredentialsExtractor.java:141)
at org.pac4j.core.client.BaseClient.getCredentials(BaseClient.java:80)
at org.apereo.cas.authentication.principal.DefaultDelegatedAuthenticationCredentialExtractor.lambda$getCredentialsFromDelegatedClient$2(DefaultDelegatedAuthenticationCredentialExtractor.java:50)
at org.apereo.cas.util.function.FunctionUtils.lambda$doAndHandle$12(FunctionUtils.java:425)
at org.apereo.cas.authentication.principal.DefaultDelegatedAuthenticationCredentialExtractor.getCredentialsFromDelegatedClient(DefaultDelegatedAuthenticationCredentialExtractor.java:54)
at org.apereo.cas.authentication.principal.DefaultDelegatedAuthenticationCredentialExtractor.extract(DefaultDelegatedAuthenticationCredentialExtractor.java:30)
at org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction.lambda$populateContextWithClientCredential$6(DelegatedClientAuthenticationAction.java:255)
at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197)
at java.base/java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:179)
at java.base/java.util.AbstractList$RandomAccessSpliterator.tryAdvance(AbstractList.java:708)
at java.base/java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:129)
at java.base/java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:527)
at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:513)
at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
at java.base/java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:150)
at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
at java.base/java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:647)
Actual working flow on 7.2
2026-02-19 11:09:55,610 DEBUG [org.apereo.cas.ticket.registry.AbstractMapBasedTicketRegistry] - <Putting ticket [TST-dbf06ff0-3d72-46e3-9f71-4d848732222b] in registry.>
2026-02-19 11:09:55,610 DEBUG [org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager] - <Located delegated client identifier [TST-1-****************I1iEQpe-9aae8cc0bfc1]>
2026-02-19 11:09:55,611 DEBUG [org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager] - <Located delegated authentication client identifier as [TST-1-****************I1iEQpe-9aae8cc0bfc1]>
2026-02-19 11:09:55,611 DEBUG [org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager] - <Removing delegated client identifier [TST-1-****************I1iEQpe-9aae8cc0bfc1] from registry>
2026-02-19 11:09:55,612 DEBUG [org.apereo.cas.ticket.registry.AbstractTicketRegistry] -