Hi,
I have found a minor problem when using OAuth2 authentication and having the
OIDC support dependency in the resulting overlay project. The service
approval view gets shown after successful authentication even when
bypassApprovalView is set to true. It worked perfectly in 5.3.x and in
earlier CAS 6.x snapshots.
I have debugged the problem but I don't know what is the best way to fix
the issue.
Working case, when only OAuth2 is configured and used (no OIDC dependency
included):
In CasOAuthConfiguration the consentApprovalViewResolver gets configured
with an OAuth20ConsentApprovalViewResolver, which returns a "new
ModelAndView" when resolve gets called.
In the non-working case an OidcConsentApprovalViewResolver gets injected
into CasOAuthConfiguration.consentApprovalViewResolver. When resolve is
called it returns a ModelAndView containing a view and properties,
resulting in the service approval view being shown. I am only using OAuth2
and am therefore in an "OAuth2 context"; OIDC semantics shouldn't even be
interfering.
It seems the following code from OidcConsentApprovalViewResolver should be
fixed:
    protected boolean isConsentApprovalBypassed(final J2EContext context,
                                                final OAuthRegisteredService service) {
        val url = context.getFullRequestURL();
        val prompts = OidcAuthorizationRequestSupport.getOidcPromptFromAuthorizationRequest(url);
        if (prompts.contains(OidcConstants.PROMPT_CONSENT) || url.startsWith("h")) {
            return false;
        }
        return super.isConsentApprovalBypassed(context, service);
    }
to something like
    protected boolean isConsentApprovalBypassed(final J2EContext context,
                                                final OAuthRegisteredService service) {
        if (service instanceof OidcRegisteredService) {
            val url = context.getFullRequestURL();
            val prompts = OidcAuthorizationRequestSupport.getOidcPromptFromAuthorizationRequest(url);
            if (prompts.contains(OidcConstants.PROMPT_CONSENT) && url.startsWith("h")) {
                return false;
            }
        }
        return super.isConsentApprovalBypassed(context, service);
    }
What would be the best way to resolve the issue?
Thanks,
Thomas
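As an added illustration, not code from the CAS project or from the message above, the following self-contained Java sketch contrasts the two resolver behaviours the post describes. The CAS types (J2EContext, OAuthRegisteredService, OidcRegisteredService, OidcAuthorizationRequestSupport, OidcConstants) are replaced by hypothetical stand-ins: the full request URL is passed in directly, the service object carries only its bypass flag, and a small query-string parser stands in for the prompt extraction. The sample authorization URLs and service settings are constructed for the demo. It also makes the effect of the quoted condition visible: every http(s) request URL satisfies url.startsWith("h"), so with "||" the bypass flag in the superclass is never consulted.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class ConsentBypassDemo {

    // Hypothetical stand-ins for the CAS service types, reduced to the one flag the check reads.
    static class OAuthRegisteredService {
        private final boolean bypassApprovalView;
        OAuthRegisteredService(boolean bypassApprovalView) { this.bypassApprovalView = bypassApprovalView; }
        boolean isBypassApprovalView() { return bypassApprovalView; }
    }

    static class OidcRegisteredService extends OAuthRegisteredService {
        OidcRegisteredService(boolean bypassApprovalView) { super(bypassApprovalView); }
    }

    // Toy replacement for OidcAuthorizationRequestSupport.getOidcPromptFromAuthorizationRequest:
    // returns the space-separated values of the OIDC "prompt" query parameter, or an empty set.
    static Set<String> promptsFrom(String url) {
        String query = URI.create(url).getRawQuery();
        if (query == null) {
            return Set.of();
        }
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            if (eq > 0 && pair.substring(0, eq).equals("prompt")) {
                String value = URLDecoder.decode(pair.substring(eq + 1), StandardCharsets.UTF_8);
                return new HashSet<>(Arrays.asList(value.trim().split("\\s+")));
            }
        }
        return Set.of();
    }

    // Base OAuth2 behaviour: honour the service's bypass flag.
    static class OAuthResolver {
        boolean isConsentApprovalBypassed(String url, OAuthRegisteredService service) {
            return service.isBypassApprovalView();
        }
    }

    // Condition as quoted in the post: "||" with url.startsWith("h") is true for any http(s) URL,
    // so this override returns false before the bypass flag is ever looked at.
    static class OidcResolverAsQuoted extends OAuthResolver {
        @Override
        boolean isConsentApprovalBypassed(String url, OAuthRegisteredService service) {
            Set<String> prompts = promptsFrom(url);
            if (prompts.contains("consent") || url.startsWith("h")) {
                return false;
            }
            return super.isConsentApprovalBypassed(url, service);
        }
    }

    // Condition as proposed in the post: OIDC prompt handling applies to OIDC services only.
    static class OidcResolverProposed extends OAuthResolver {
        @Override
        boolean isConsentApprovalBypassed(String url, OAuthRegisteredService service) {
            if (service instanceof OidcRegisteredService) {
                Set<String> prompts = promptsFrom(url);
                if (prompts.contains("consent") && url.startsWith("h")) {
                    return false;
                }
            }
            return super.isConsentApprovalBypassed(url, service);
        }
    }

    public static void main(String[] args) {
        // Constructed sample requests (not captured CAS traffic).
        String oauthUrl = "https://cas.example.org/cas/oauth2.0/authorize?client_id=app&response_type=code";
        String oidcConsentUrl = "https://cas.example.org/cas/oidc/authorize?client_id=rp&scope=openid&prompt=consent";
        String oidcPlainUrl = "https://cas.example.org/cas/oidc/authorize?client_id=rp&scope=openid";

        OAuthRegisteredService oauthSvc = new OAuthRegisteredService(true);
        OidcRegisteredService oidcSvc = new OidcRegisteredService(true);
        OAuthResolver quoted = new OidcResolverAsQuoted();
        OAuthResolver proposed = new OidcResolverProposed();

        System.out.println("OAuth2 service, bypassApprovalView=true, no prompt:");
        System.out.println("  quoted   bypassed=" + quoted.isConsentApprovalBypassed(oauthUrl, oauthSvc));
        System.out.println("  proposed bypassed=" + proposed.isConsentApprovalBypassed(oauthUrl, oauthSvc));

        System.out.println("OIDC service, bypassApprovalView=true, prompt=consent:");
        System.out.println("  quoted   bypassed=" + quoted.isConsentApprovalBypassed(oidcConsentUrl, oidcSvc));
        System.out.println("  proposed bypassed=" + proposed.isConsentApprovalBypassed(oidcConsentUrl, oidcSvc));

        System.out.println("OIDC service, bypassApprovalView=true, no prompt:");
        System.out.println("  quoted   bypassed=" + quoted.isConsentApprovalBypassed(oidcPlainUrl, oidcSvc));
        System.out.println("  proposed bypassed=" + proposed.isConsentApprovalBypassed(oidcPlainUrl, oidcSvc));
    }
}
```

Running it shows the quoted resolver never bypassing consent for any of the three requests, while the proposed resolver bypasses it for the plain OAuth2 service and for the OIDC service without a prompt, and still forces the consent view when prompt=consent is present on an OIDC service.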
--
You received this message because you are subscribed to the Google Groups "CAS
Developer" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
Visit this group at https://groups.google.com/a/apereo.org/group/cas-dev/.