[cas-dev] PAC4J OIDC Change have broken Azure


Colin Wilkinson

Aug 9, 2023, 7:52:18 PM
to CAS Developer
Hi Misagh Moayyed,

I have directly sent this to you, and apologies if this has already been raised.

has broken Azure that I know of but may have broken others OIDC as well.

The issue is with the additional code added in the class BaseDelegatedClientFactory, in particular the changes in the method getOidcConfigurationForClient.

The change that has caused the issue is where you add the OidcOpMetadataResolver.

In terms of Azure, due to the fact that the tenantId is not added until after getOidcConfigurationForClient has finished running, when the OidcOpMetadataResolver tries to get the metadata the tenantId is null.

The discovery URI is not valid, as the discovery URI for Azure is dynamic in nature: all calls go to Microsoft, and the only difference is that the tenantId is injected into the discovery URI.

This should take you directly to the BaseDelegatedClientFactory Diff from the above commit.

Due to there being many different ways to fix this issue, for now I have only reported it, as I am unsure how you would want it fixed.

Regards,
Colin

--
You received this message because you are subscribed to the Google Groups "CAS Developer" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-dev+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-dev/c09427e0-5b04-4e35-b743-14df8b6b4888n%40apereo.org.

Misagh Moayyed

Aug 10, 2023, 1:54:29 PM
to CAS Developer, wilc...@gmail.com

On Thursday, August 10, 2023 at 3:52:17 AM UTC+4 wilc...@gmail.com wrote:
> Hi Misagh Moayyed,

Hello Colin,

> I have directly sent this to you, and apologies if this has already been raised.

You have sent this message to the CAS Developer mailing list. It is not sent directly to me, though I happen to read messages every once in a while.

> has broken Azure that I know of but may have broken others OIDC as well.

Please put together and share automated, reproducible repeated test scenarios in isolated environments that demonstrate failures.


Colin Wilkinson

Aug 11, 2023, 1:59:17 AM
to Misagh Moayyed, CAS Developer
Hi Misagh,

Sorry about that, I meant to say I have addressed this to you.

I am not sure there is any way to easily test this and that is due to the fact that the OidcConfiguration in OidcOpMetadataResolver is not externally accessible.

Regards,
Colin

Pablo Vidaurri

Sep 29, 2023, 3:58:53 AM
to CAS Developer, wilc...@gmail.com
Have you worked around this?

Colin Wilkinson

Oct 12, 2023, 3:38:42 AM
to CAS Developer, psvid...@gmail.com, Colin Wilkinson
Hi PSVID,

Sorry for the late reply; yes, I did. Basically you need to recreate the OidcOpMetadataResolver with the updated configuration.

    if (client instanceof OidcClient oidcClient) {
        // Rebuild the resolver from the client's updated configuration.
        val opMetadataResolver = new OidcOpMetadataResolver(oidcClient.getConfiguration());
        oidcClient.getConfiguration().setOpMetadataResolver(opMetadataResolver);
        if (!opMetadataResolver.isInitialized()) {
            try {
                // Load the provider metadata again with the new resolver.
                opMetadataResolver.reinit();
            } catch (final Exception e) {
                LOGGER.error("The error of [{}] was thrown while loading metadata for [{}]", e.getMessage(), oidcClient.getName(), e);
            }
        }
    }

Regards,
Colin
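
The ordering problem discussed in this thread, as an added example that is not code from CAS, pac4j or any poster: a simplified offline model in which the discovery URI is derived from a tenant and the resolver reads it once at construction. The classes TenantOidcConfig and MetadataResolver, the host login.example.test and the tenant value are hypothetical, and the snapshot-at-construction behaviour is an assumption of the model.

```java
import java.util.Set;

// Simplified, offline model of the ordering problem. Every class here is a
// hypothetical stand-in, not a pac4j or CAS type.
public class DiscoveryOrderingDemo {
    // Constructed sample: the only discovery document the fake provider publishes.
    static final Set<String> PUBLISHED = Set.of(
        "https://login.example.test/tenant-1234/v2.0/.well-known/openid-configuration");

    // Configuration whose discovery URI is derived from a tenant that is set late.
    static class TenantOidcConfig {
        private String tenant;
        void setTenant(String tenant) { this.tenant = tenant; }
        String getDiscoveryURI() {
            return "https://login.example.test/" + tenant + "/v2.0/.well-known/openid-configuration";
        }
    }

    // Resolver that reads the discovery URI once, when it is constructed (assumption).
    static class MetadataResolver {
        private final String discoveryUri;
        private boolean initialized;
        MetadataResolver(TenantOidcConfig config) { this.discoveryUri = config.getDiscoveryURI(); }
        boolean isInitialized() { return initialized; }
        void init() {
            // Stands in for the HTTP fetch: an unknown URI means no metadata, so fail closed.
            if (!PUBLISHED.contains(discoveryUri)) {
                throw new IllegalStateException("no metadata at " + discoveryUri);
            }
            initialized = true;
        }
    }

    public static void main(String[] args) {
        TenantOidcConfig config = new TenantOidcConfig();
        MetadataResolver early = new MetadataResolver(config); // tenant is still null here
        config.setTenant("tenant-1234");                       // tenant arrives afterwards
        try {
            early.init();
        } catch (IllegalStateException e) {
            System.out.println("early resolver failed: " + e.getMessage());
        }
        // Same shape as the workaround in the thread: rebuild after configuration is complete.
        MetadataResolver rebuilt = new MetadataResolver(config);
        rebuilt.init();
        System.out.println("rebuilt resolver initialized: " + rebuilt.isInitialized());
    }
}
```

A test along these lines, with a local stub in place of the real provider, is one way to reproduce the failure without reaching into the resolver's internal configuration.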
