login with valid service but not getting ticket query parameter on redirect


Pablo Vidaurri

Aug 2, 2023, 10:24:25 PM
to CAS Community
I am seeing a problem where after a successful login a redirect is happening back to the service URL but does not have a ticket=ST-xxxx query parameter. This of course means that the service has no ticket to go validate. But if I hit the login page again, I get the ticket on the 2nd try.

2) after login redirects to https://myapp.newco.com/cas/login, with no ticket
3) since no ticket, login to the app fails.
5) immediately redirects back to https://myapp.xxx.com/cas/login?ticket=ST-xxxx
6) now logged into the app

Why would ticket not be sent the first time?

-psv

Ray Bon

Aug 3, 2023, 10:24:17 AM
to cas-...@apereo.org
Pablo,

What version of CAS is this?

Check your logs. The audit log records the authentication events, including ticket creation.

Ray


Pablo Vidaurri

Aug 9, 2023, 3:50:18 PM
to CAS Community, Ray Bon
Hi Ray, looks to be a self-inflicted issue.

We have a custom login webflow and have injected a view between generateServiceTicket and Redirect action/view states. When I disable this custom step all works fine. I haven't been able to trace my issue but it is my issue.

-psv

Pablo Vidaurri

Aug 9, 2023, 8:51:17 PM
to CAS Community, Pablo Vidaurri, Ray Bon
It looks like I'm losing the request scope, or at least the service ticket:


2023-08-08 15:25:26,057 DEBUG [org.apereo.cas.web.flow.GenerateServiceTicketAction] - <Granted service ticket [ST-2-********9u96HVcbf8-https://localhost:8443] and added it to the request scope>
2023-08-08 15:25:26,057 DEBUG [org.apereo.cas.web.flow.MyCustomAction] - <Inside myCustomAction doExecute>
...
2023-08-08 15:25:27,186 DEBUG [org.apereo.cas.web.flow.actions.RedirectToServiceAction] - <Located service ticket [null] from the context>

Inside MyCustomAction.java, I can confirm I have a requestScope with ST. My customAction will trigger a redirect to a view. After my view it seems I lose the ST.

Do I need to pass my requestscope or ST along with my form inside my view via an input form parameter?

-psv

Ray Bon

Aug 9, 2023, 10:09:00 PM
to psvid...@gmail.com, cas-...@apereo.org
Pablo,


There are a number of maps associated with the web flow. 
You can put to one of the maps, if needed. From your action class you can see their contents:

// authn attributes contains encrypted credential
// LOGGER.debug("auth attribs Map: " + WebUtils.getAuthentication(requestContext).getAttributes());
// printMap("attributes Map", requestContext.getAttributes().asMap());
// printMap("conversation Map", requestContext.getConversationScope().asMap());
// printMap("flash Map", requestContext.getFlashScope().asMap());
// printMap("flow scope Map", requestContext.getFlowScope().asMap());
// printMap("request Map", requestContext.getRequestScope().asMap());
// printMap("parameter Map", requestContext.getRequestParameters().asMap());


private void printMap(String identifier, Map<String, Object> mam) {
    LOGGER.trace(identifier + ": [" + mam.keySet().size() + "]:");
    for (String key : mam.keySet()) {
        LOGGER.trace("\t" + key + " : " + mam.get(key));
    }
}

Ray

Pablo Vidaurri

Aug 10, 2023, 6:53:10 AM
to CAS Community, Ray Bon, Pablo Vidaurri
Thanks Ray, I owe you a case of whatever your vice is by now.

In retrospect it makes sense now. The service ticket was being searched for in the requestScope as the log reflects:

2023-08-08 15:25:26,057 DEBUG [org.apereo.cas.web.flow.GenerateServiceTicketAction] - <Granted service ticket [ST-2-********9u96HVcbf8-https://localhost:8443] and added it to the request scope>

Since I was redirecting the user to a view, this triggered a new request which would lose the request scope including the service ticket.

So, right before I redirect the user to the view, I saved the requestScope object into flowScope, then after action was taken in the view I triggered another action that would put the temp requestScope object from the flowScope back into requestScope and finally removed the temp requestScope object from flowScope.

-psv
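
The save-and-restore approach described in the last message, sketched as two Spring Web Flow actions. This is an added example, not the poster's code or CAS project code: the class names and the `savedRequestScope` key are hypothetical, and the actions still have to be wired into the custom login webflow (one before the custom view, one on its submit transition).

```java
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;

import org.springframework.webflow.action.AbstractAction;
import org.springframework.webflow.core.collection.MutableAttributeMap;
import org.springframework.webflow.execution.Event;
import org.springframework.webflow.execution.RequestContext;

// Hypothetical names: the thread does not show the poster's actual classes or key.
public final class RequestScopeCarryOver {
    static final String SAVED_KEY = "savedRequestScope";

    /** Runs after generateServiceTicket, before the transition to the custom view. */
    public static class SaveRequestScopeAction extends AbstractAction {
        @Override
        protected Event doExecute(RequestContext context) {
            // Copy rather than alias: request scope is discarded when this request ends.
            // Flow scope is serialized with the flow execution, so keep only
            // Serializable values (the service ticket id is stored as a String).
            HashMap<String, Object> copy = new HashMap<>();
            context.getRequestScope().asMap().forEach((key, value) -> {
                if (value instanceof Serializable) {
                    copy.put(key, value);
                }
            });
            context.getFlowScope().put(SAVED_KEY, copy);
            return success();
        }
    }

    /** Runs on the request that submits the custom view, before the redirect state. */
    public static class RestoreRequestScopeAction extends AbstractAction {
        @Override
        @SuppressWarnings("unchecked")
        protected Event doExecute(RequestContext context) {
            MutableAttributeMap<Object> flowScope = context.getFlowScope();
            // remove() returns the stored value and clears it in one step, so the
            // ticket does not linger in flow scope after it has been restored.
            Map<String, Object> saved = (Map<String, Object>) flowScope.remove(SAVED_KEY);
            if (saved == null) {
                return error(); // nothing was saved: fail here, not with a ticketless redirect
            }
            saved.forEach(context.getRequestScope()::put);
            return success();
        }
    }
}
```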