pac4j-oidc 3.6.1 via CAS 5.3.9: SingletonList cannot be cast to String


dra...@gmail.com
Mar 27, 2019, 12:52:42 PM
to Pac4j users mailing list
Hello,

I'm trying to implement OIDC via pac4j in CAS 5.3.9. This pulls in pac4j-oidc 6.3.1 explicitly. I have a more detailed post on the cas-user mailing list, but as I suspect this may be a bug I also wanted to ask here. Is this broken, or is CAS perhaps driving pac4j-oidc incorrectly here? Is there maybe a value that's supposed to get set that I'm omitting out of ignorance?

In short, when CAS goes to build the auth request URI to redirect the authenticating user, it throws a 500 with the following:
org.pac4j.core.exception.TechnicalException: java.lang.ClassCastException: java.util.Collections$SingletonList cannot be cast to java.lang.String
	at org.pac4j.oidc.redirect.OidcRedirectActionBuilder.buildAuthenticationRequestUrl(OidcRedirectActionBuilder.java:113)
	at org.pac4j.oidc.redirect.OidcRedirectActionBuilder.redirect(OidcRedirectActionBuilder.java:78)
	at org.pac4j.core.client.IndirectClient.getRedirectAction(IndirectClient.java:109)
	at org.apereo.cas.web.DelegatedClientNavigationController.redirectToProvider(DelegatedClientNavigationController.java:83)

The full stack trace is much longer than that, but everything south of this point is in CAS or Jetty. Let me know if you need that anyway. The method in question here can be seen here: https://github.com/pac4j/pac4j/blob/77077a7/pac4j-oidc/src/main/java/org/pac4j/oidc/redirect/OidcRedirectActionBuilder.java#L106-L116 - this commit was part of PR1219. Looks like anything more recent than 3.4.0 has it.

I realize this part is in CAS' domain, but it might be obvious if I am missing something that should be obvious. Here's the values I'm feeding to CAS to feed to pac4j.
cas.authn.pac4j.cookie.crypto.encryption.key=REDACTED
cas.authn.pac4j.cookie.crypto.signing.key=REDACTED
cas.authn.pac4j.name=DelegatePAC4J
cas.authn.pac4j.oidc[0].autoRedirect=false
cas.authn.pac4j.oidc[0].azureTenantId=REDACTED.onmicrosoft.com
cas.authn.pac4j.oidc[0].clientName=REDACTED
cas.authn.pac4j.oidc[0].discoveryUri=https://login.microsoftonline.com/REDACTED.onmicrosoft.com/v2.0/.well-known/openid-configuration
cas.authn.pac4j.oidc[0].id=REDACTED
cas.authn.pac4j.oidc[0].logoutUrl=https://login.microsoftonline.com/REDACTED.onmicrosoft.com}/oauth2/v2.0/logout
cas.authn.pac4j.oidc[0].maxClockSkew=600
cas.authn.pac4j.oidc[0].preferredJwsAlgorithm=RS256
cas.authn.pac4j.oidc[0].principalAttributeId=oid
cas.authn.pac4j.oidc[0].responseMode=form_post
cas.authn.pac4j.oidc[0].responseType=code
cas.authn.pac4j.oidc[0].scope=openid profile
cas.authn.pac4j.oidc[0].secret=REDACTED
cas.authn.pac4j.oidc[0].type=AZURE
cas.authn.pac4j.oidc[0].useNonce=true
cas.authn.pac4j.oidc[0].usePathBasedCallbackUrl=true

dra...@gmail.com
Mar 27, 2019, 12:57:03 PM
to Pac4j users mailing list
OK, that stack trace segment had its line endings eaten. Let's try again:

dra...@gmail.com
Mar 27, 2019, 2:14:04 PM
to Pac4j users mailing list
So, forcing CAS to bundle pac4j 3.4.0 (the release prior to this suspect commit) solved my issue.

PR1219, more specifically commit 77077a7 broke this.

Jérôme LELEU
Mar 28, 2019, 3:40:21 AM
to dra...@gmail.com, Pac4j users mailing list
Hi,

This change was tested and works in pac4j applications. The issue in CAS is that there are conflicts regarding the Nimbus versions libraries.

Add this to make it work:

<dependency>
    <groupId>com.nimbusds</groupId>
    <artifactId>nimbus-jose-jwt</artifactId>
    <version>6.0.2</version>
</dependency>
<dependency>
    <groupId>com.nimbusds</groupId>
    <artifactId>oauth2-oidc-sdk</artifactId>
    <version>6.5</version>
</dependency>

Thanks.
Best regards,
Jérôme



--
You received this message because you are subscribed to the Google Groups "Pac4j users mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pac4j-users...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

dra...@gmail.com
Mar 28, 2019, 4:29:21 PM
to Pac4j users mailing list
Hello Jerome,

This does work, when I bust out the crowbar and force Maven not to package the old versions. If I don't... it doesn't work, presumably because the old versions get found on the classpath first?

Check this out:
jetty@344ccb748c7d:/tmp/jetty-0.0.0.0-8443-cas.war-_cas-any-1666180786609199766.dir$ find . -type f -name "nimbus-jose-jwt-*.jar" -or -name "oauth2-oidc-sdk-*.jar" | sort
./webapp/WEB-INF/lib/nimbus-jose-jwt-5.10.jar
./webapp/WEB-INF/lib/nimbus-jose-jwt-6.0.2.jar
./webapp/WEB-INF/lib/oauth2-oidc-sdk-5.62.jar
./webapp/WEB-INF/lib/oauth2-oidc-sdk-6.5.jar

I've tried to explicitly exclude the dependency from getting pulled in from cas-server-support-pac4j-webflow but it doesn't seem to work:
<dependencies>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-webapp</artifactId>
        <version>${cas.version}</version>
        <type>war</type>
        <scope>runtime</scope>
    </dependency>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-pac4j-webflow</artifactId>
        <version>${cas.version}</version>
        <exclusions>
            <exclusion>
                <groupId>com.nimbusds</groupId>
                <artifactId>nimbus-jose-jwt</artifactId>
            </exclusion>
            <exclusion>
                <groupId>com.nimbusds</groupId>
                <artifactId>oauth2-oidc-sdk</artifactId>
            </exclusion>
        </exclusions>
    </dependency>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-json-service-registry</artifactId>
        <version>${cas.version}</version>
    </dependency>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-redis-ticket-registry</artifactId>
        <version>${cas.version}</version>
    </dependency>
    <dependency>
        <groupId>com.nimbusds</groupId>
        <artifactId>nimbus-jose-jwt</artifactId>
        <version>6.0.2</version>
    </dependency>
    <dependency>
        <groupId>com.nimbusds</groupId>
        <artifactId>oauth2-oidc-sdk</artifactId>
        <version>6.5</version>
    </dependency>
</dependencies>

I have to go even further and specify them in packagingExcludes for the war plugin. Is there a better way to do this?

Jérôme LELEU
Mar 29, 2019, 2:52:23 AM
to dra...@gmail.com, Pac4j users mailing list
Hi,

Yes, it's exactly the problem: old versions are bundled in the WAR and are taken into account before the new pulled ones.
This is the way I did it also. The best way would be to fix the problem in the CAS server itself ;-)
Thanks.
Best regards,
Jérôme


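The root cause Jérôme confirms is two copies of the same library in WEB-INF/lib, with the older one winning on the classpath even though the pom pins the newer one. The following shell check is an added example, not code from the thread, from pac4j or from CAS: it walks the exploded WAR and reports every artifact present in more than one version. The function names (find_duplicate_jars, make_sample_war) are my own; the sample layout is constructed from the find output quoted above plus a made-up pac4j-oidc-3.6.1.jar, and only the file names matter, so empty files are used.

```shell
#!/bin/sh
# Added example (not from the thread, pac4j or CAS): report every artifact that
# is present in more than one version under WEB-INF/lib of an exploded WAR.
# Two copies of nimbus-jose-jwt / oauth2-oidc-sdk on the classpath is the
# situation behind the ClassCastException in the thread: the pom pins the new
# version, but the old copy bundled in the WAR is found first at runtime.
#
# Usage: find_duplicate_jars <exploded-war-dir>
# Prints one line per conflicting artifact: "<artifact> <version> <version>..."
# Exit status: 0 when no duplicates, 1 when duplicates exist, 2 when no lib dir.
find_duplicate_jars() {
    libdir="$1/WEB-INF/lib"
    if [ ! -d "$libdir" ]; then
        echo "find_duplicate_jars: no such directory: $libdir" >&2
        return 2
    fi
    # Split "artifact-1.2.3.jar" into "artifact 1.2.3" at the last hyphen that
    # is followed by a digit (so "log4j-1.2-api-2.11.1" keeps its artifact
    # name), then group by artifact and keep those with more than one version.
    dups=$(find "$libdir" -name '*.jar' -exec basename {} .jar \; |
        sed -E 's/^(.*)-([0-9].*)$/\1 \2/' |
        sort -u |
        awk '{ versions[$1] = versions[$1] " " $2; count[$1]++ }
             END { for (a in count) if (count[a] > 1) print a versions[a] }' |
        sort)
    [ -n "$dups" ] || return 0
    printf '%s\n' "$dups"
    return 1
}

# Constructed sample mirroring the find output quoted in the thread, plus a
# hypothetical pac4j-oidc jar. Empty files suffice; only the names are checked.
make_sample_war() {
    dir=$(mktemp -d)
    mkdir -p "$dir/WEB-INF/lib"
    for jar in nimbus-jose-jwt-5.10 nimbus-jose-jwt-6.0.2 \
               oauth2-oidc-sdk-5.62 oauth2-oidc-sdk-6.5 pac4j-oidc-3.6.1; do
        : > "$dir/WEB-INF/lib/$jar.jar"
    done
    echo "$dir"
}

# Stand-alone use: pass the exploded WAR directory, or run with no arguments
# to see the check on the constructed sample.
if [ $# -gt 0 ]; then
    find_duplicate_jars "$1"
else
    sample=$(make_sample_war)
    find_duplicate_jars "$sample" || echo "(duplicates found, exit status $?)"
    rm -rf "$sample"
fi
```

Run it against the directory Jetty unpacks the WAR into (the /tmp/jetty-...dir path in the thread) and it prints the two conflicting artifacts; the older versions it lists are the ones the original poster ended up removing via the war plugin's packagingExcludes. The non-zero exit status lets the check sit in a build or deployment step so a silently bundled old copy of a JWT or OIDC library fails the build instead of being discovered from a stack trace.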