CAS 6.x - Bypass Approval Prompt


Christian Schmidt

May 22, 2019, 11:11:55 AM
to CAS Community

Hi,


I'm currently working on CAS in version 6.1.

I have enabled OIDC and created a service which is working.


The problem I'm having is that on every login the user gets redirected to an approval/consent screen where he has to allow the service access.


According to the documentation, an OidcRegisteredService extends the OAuthRegisteredService, and the available configuration parameters for the OAuth service also apply to the OIDC service.

Therefore, I used the parameter "bypassApprovalPrompt" : true


Unfortunately, this didn't work at all.


On further investigation I found the configuration class org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy where I set the key "enabled" to false - this also didn't work.



According to the log, CAS is bypassing the screen:

2019-05-17 16:38:54,041 TRACE [org.apereo.cas.support.oauth.web.views.OAuth20ConsentApprovalViewResolver] - <Bypassing approval prompt for service [OidcRegisteredService(super=OAuthRegisteredService(super=AbstractRegisteredService(serviceId=^http://(onlineservice2|ncvosproxy2-.+)\.company\.de(:[0-9]+)?(/.*)?, name=Onlineservice, theme=null, informationUrl=null, privacyUrl=null, responseType=null, id=2010, expirationPolicy=DefaultRegisteredServiceExpirationPolicy(deleteWhenExpired=false, notifyWhenDeleted=false, expirationDate=null), proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1, proxyTicketExpirationPolicy=null, serviceTicketExpirationPolicy=null, singleSignOnParticipationPolicy=null, evaluationOrder=0, usernameAttributeProvider=org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider@87297e2, logoutType=BACK_CHANNEL, requiredHandlers=[], environments=[], attributeReleasePolicy=ReturnAllAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null, principalAttributesRepository=DefaultPrincipalAttributesRepository(), consentPolicy=DefaultRegisteredServiceConsentPolicy(enabled=false, excludedAttributes=null, includeOnlyAttributes=null), authorizedToReleaseCredentialPassword=false, authorizedToReleaseProxyGrantingTicket=false, excludeDefaultAttributes=false, authorizedToReleaseAuthenticationAttributes=true, principalIdAttribute=null, order=0)), multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[], failureMode=UNDEFINED, principalAttributeNameTrigger=null, principalAttributeValueToMatch=null, bypassEnabled=false), logo=./images/onlineservice.svg, logoutUrl=null, accessStrategy=DefaultRegisteredServiceAccessStrategy(order=0, enabled=true, ssoEnabled=true, unauthorizedRedirectUrl=null, delegatedAuthenticationPolicy=DefaultRegisteredServiceDelegatedAuthenticationPolicy(allowedProviders=[], permitUndefined=true), requireAllAttributes=true, 
requiredAttributes={}, rejectedAttributes={}, caseInsensitive=false), publicKey=null, properties={}, contacts=[]), clientSecret=xxxxxxxxxxxxxx, clientId=onlineservice, bypassApprovalPrompt=true, generateRefreshToken=false, jwtAccessToken=false, supportedGrantTypes=[], supportedResponseTypes=[]), jwks=null, jwksAuthenticationMethod=client_secret_basic, signIdToken=true, encryptIdToken=true, idTokenEncryptionAlg=null, idTokenSigningAlg=null, idTokenEncryptionEncoding=null, sectorIdentifierUri=null, applicationType=web, subjectType=public, dynamicallyRegistered=false, implicit=false, dynamicRegistrationDateTime=null, scopes=[])]: [null]>
2019-05-17 16:38:54,042 TRACE [org.apereo.cas.support.oauth.web.views.OAuth20ConsentApprovalViewResolver] - <callbackUrl: [https://sso2.company.de:8443/cas/oidc/authorize?response_type=code&scope=openid&client_id=onlineservice&state=Ev9kuSd-M6eB7inyzc8MimIBP9Q&redirect_uri=http%3A%2F%2Fonlineservice2.company.de%2Fsecure%2Fredirect_uri&nonce=H_n_BDMb3scnes75g-qra5pzKvUL-O1zYs_HlnoM8T8]>


Could someone please give me a hint?


Best regards,
Christian

Misagh Moayyed

May 23, 2019, 3:35:56 PM
to cas-...@apereo.org
Hi Christian, can you indicate the exact version number (RC) and the commit id that you're using in 6.1?

--Misagh



Christian Schmidt

May 27, 2019, 3:29:33 AM
to CAS Community, mmoa...@unicon.net
Hi,

thank you for your reply.

I was using CAS 6.1 RC3.
To validate the issue I just tested 6.1 RC4 - and it worked!

For verification I changed back to RC3 and had the same approval site problem again.

RC4 fixed my issue.


Best regards,
Christian
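
The service definition described in this thread, written out as an added example (it is not from the original posts and is not the poster's actual file): an OIDC service with "bypassApprovalPrompt" set to true and the attribute consent policy disabled, which per the thread skipped the approval screen on 6.1 RC4 but not on RC3. The JSON service registry layout and the package of ReturnAllAttributeReleasePolicy are assumptions; serviceId, name, id and clientId are copied from the log output above, and the clientSecret value is a placeholder.

```json
{
  "@class": "org.apereo.cas.services.OidcRegisteredService",
  "serviceId": "^http://(onlineservice2|ncvosproxy2-.+)\\.company\\.de(:[0-9]+)?(/.*)?",
  "name": "Onlineservice",
  "id": 2010,
  "clientId": "onlineservice",
  "clientSecret": "REPLACE_WITH_CLIENT_SECRET",
  "bypassApprovalPrompt": true,
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy",
    "consentPolicy": {
      "@class": "org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy",
      "enabled": false
    }
  }
}
```

The effective values can be confirmed in the TRACE output of OAuth20ConsentApprovalViewResolver, as in the first post, where the dumped service shows bypassApprovalPrompt=true and consentPolicy=DefaultRegisteredServiceConsentPolicy(enabled=false, ...).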


