Did you figure this out? I am having a very similar failure trying to get 
the profile on a call to cas/oidc/accessToken/ from either request or 
session. I believe it is due to the request being generated from the web 
applications back end and not the browser, i.e. no cookie information.

ProfileManager<U>.retrieveAll(boolean) line: 58 
ProfileManager<U>.get(boolean) line: 35 
OidcAccessTokenEndpointController(OAuth20AccessTokenEndpointController).verifyAccessTokenRequest(HttpServletRequest,
 
HttpServletResponse) line: 207 
OidcAccessTokenEndpointController(OAuth20AccessTokenEndpointController).handleRequest(HttpServletRequest,
 
HttpServletResponse) line: 103 


On Thursday, December 15, 2016 at 5:16:20 AM UTC-10, Todd Pratt wrote:
>
> Hi,
>
> I appreciate all the help.  That check succeeds, see the log statements 
> below.  It fails on isRequestAuthenticated in OAuth20AuthorizeController
>
> https://github.com/apereo/cas/blob/master/support/cas-server-support-oauth/src/main/java/org/apereo/cas/support/oauth/web/OAuth20AuthorizeController.java#L85
>
> https://github.com/apereo/cas/blob/master/support/cas-server-support-oauth/src/main/java/org/apereo/cas/support/oauth/web/OAuth20AuthorizeController.java#L108
>   
>
> There isn't a profile in the session or request attributes.  I printed 
> both of those out and couldn't find one for Pac4jConstants.USER_PROFILES 
> ("pac4jUserProfile")
>
>
> 2016-12-15 09:53:52,309 DEBUG 
> [org.apereo.cas.support.oauth.validator.OAuthValidator] - <Check registered 
> service: 
> org.apereo.cas.services.OidcRegisteredService@126030a4[attributeFilter=<null>,principalAttributesRepository=org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository@7f17e342[],authorizedToReleaseCredentialPassword=false,authorizedToReleaseProxyGrantingTicket=false,allowedAttributes=[]],accessStrategy=org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy@27dc818c[enabled=true,ssoEnabled=true,requireAllAttributes=true,requiredAttributes={},unauthorizedRedirectUrl=<null>,caseInsensitive=false,rejectedAttributes={}],publicKey=<null>,proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@5761f513,logo=<null>,logoutUrl=<null>,requiredHandlers=[],properties={},multifactorPolicy=org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy@342a60c3[multifactorAuthenticationProviders=[],failureMode=CLOSED,principalAttributeNameTrigger=<null>,principalAttributeValueToMatch=<null>,clientId=fb3s86QV9QKl,approvalPrompt=false,generateRefreshToken=false,jsonFormat=true,jwks=<null>,signIdToken=false]>
>
> 2016-12-15 09:53:52,310 DEBUG 
> [org.apereo.cas.support.oauth.validator.OAuthValidator] - <Found: 
> org.apereo.cas.services.OidcRegisteredService@126030a4[attributeFilter=<null>,principalAttributesRepository=org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository@7f17e342[],authorizedToReleaseCredentialPassword=false,authorizedToReleaseProxyGrantingTicket=false,allowedAttributes=[]],accessStrategy=org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy@27dc818c[enabled=true,ssoEnabled=true,requireAllAttributes=true,requiredAttributes={},unauthorizedRedirectUrl=<null>,caseInsensitive=false,rejectedAttributes={}],publicKey=<null>,proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@5761f513,logo=<null>,logoutUrl=<null>,requiredHandlers=[],properties={},multifactorPolicy=org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy@342a60c3[multifactorAuthenticationProviders=[],failureMode=CLOSED,principalAttributeNameTrigger=<null>,principalAttributeValueToMatch=<null>,clientId=fb3s86QV9QKl,approvalPrompt=false,generateRefreshToken=false,jsonFormat=true,jwks=<null>,signIdToken=false]
>  
> vs redirectUri: http://localhost:8080/oauth_client>
>
> 2016-12-15 09:53:52,313 ERROR 
> [org.apereo.cas.support.oauth.web.OAuth20AuthorizeController] - <Authorize 
> request verification fails>
>
>
> On Thursday, December 15, 2016 at 3:27:05 AM UTC-5, leleuj wrote:
>>
>> Hi,
>>
>> Here is the check: 
>> https://github.com/apereo/cas/blob/master/support/cas-server-support-oauth/src/main/java/org/apereo/cas/support/oauth/validator/OAuth20Validator.java#L78
>>
>> Can you debug it to see what's going on?
>>
>> Thanks.
>> Best regards,
>> Jérôme
>>
>>
>> 2016-12-14 17:13 GMT+01:00 Todd Pratt <pratt...@gmail.com>:
>>
>>> Hi Jérôme,
>>>
>>> I've tried several values for serviceId and can't find one that will 
>>> work I get the same error each time.  I need it to redirect back to 
>>> http://localhost:8080/oauth_client.  Could you please tell me what I'm 
>>> doing wrong with the following 
>>>
>>> {
>>>   "@class" : "org.apereo.cas.services.OidcRegisteredService",
>>>   "clientId": "fb3s86QV9QKl",
>>>   "clientSecret": "VgWn3ysT24gZo66K",
>>>   "serviceId" : "^http://localhost:8080/oauth_client";,
>>>   "signIdToken": "false",
>>>   "name": "OIDC",
>>>   "id": 1000,
>>>   "evaluationOrder": 100
>>> }
>>>
>>>
>>>
>>> Thank you,
>>> Todd
>>>
>>>
>>> On Wednesday, December 14, 2016 at 3:04:12 AM UTC-5, leleuj wrote:
>>>>
>>>> Hi,
>>>>
>>>> Sure. This error happens when you have not properly configured the 
>>>> serviceId of the Oidc service, it must match the redirectUri.
>>>>
>>>> See the documentation: 
>>>> https://apereo.github.io/cas/5.0.x/installation/OIDC-Authentication.html
>>>>
>>>>
>>>> {
>>>>   "@class" : "org.apereo.cas.services.OidcRegisteredService",
>>>>   "clientId": "client",
>>>>   "clientSecret": "secret",
>>>>   "serviceId" : "^<https://the-redirect-uri>",
>>>>   "signIdToken": true,
>>>>   "name": "OIDC",
>>>>   "id": 1000,
>>>>   "evaluationOrder": 100,
>>>>   "jwks": "..."}
>>>>
>>>>
>>>>
>>>> Thanks.
>>>> Best regards,
>>>> Jérôme
>>>>
>>>>
>>>> 2016-12-13 21:12 GMT+01:00 Misagh Moayyed <mmoa...@unicon.net>:
>>>>
>>>>> Feel free to submit an issue. Jérôme might have a few ideas. It would 
>>>>> also be helpful if you could pack your client into a shape that can be 
>>>>> tested and run by someone else. If you do [and you should], reference its 
>>>>> location in the issue.
>>>>>
>>>>>  
>>>>>
>>>>> --Misagh
>>>>>
>>>>>  
>>>>>
>>>>> *From:* cas-...@apereo.org [mailto:cas-...@apereo.org] *On Behalf Of 
>>>>> *Todd 
>>>>> Pratt
>>>>> *Sent:* Tuesday, December 13, 2016 11:21 AM
>>>>> *To:* CAS Community <cas-...@apereo.org>
>>>>> *Subject:* [cas-user] Re: Authorize request verification fails with 
>>>>> OAuth and CAS 5.0.x
>>>>>
>>>>>  
>>>>>
>>>>> The authorization url that is generated is 
>>>>>
>>>>>  
>>>>>
>>>>>
>>>>> https://cas.mydomain.com:8443/cas/oauth2.0/authorize/?client_id=fb3s86QV9QKl&redirect_uri=http://localhost:8080/oauth_client&response_type=code&scope=openid
>>>>>
>>>>>  
>>>>>
>>>>>
>>>>> On Monday, December 12, 2016 at 4:51:17 PM UTC-5, Todd Pratt wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>>  
>>>>>
>>>>> I'm trying to setup OpenID/OAuth2 on CAS 5.0.x using the war overlay 
>>>>> template.  I included three dependencies, 
>>>>> cas-server-support-oidc, cas-server-support-ldap 
>>>>> and cas-server-support-json-service-registry.  I built the management 
>>>>> webapp using that overlay template and I successfully logged into the 
>>>>> management app using the ldap authentication I setup.  Now I'm trying to 
>>>>> setup a service provider for OpenID/OAuth2 and I keep getting an error 
>>>>> page 
>>>>> with my test application that says "Application Not Authorized to use 
>>>>> CAS" 
>>>>> instead of redirecting to the login page.  I've used this test client 
>>>>> with 
>>>>> other servers and it seems to work.  I enabled debugging and looking 
>>>>> through the code it looks it found my provider I defined but then it 
>>>>> fails 
>>>>> at OAuth20AuthorizeController.isRequestAuthenticated() returns false.  
>>>>> The 
>>>>> method isRequestAuthenticated() seems to look for a profile in the 
>>>>> session 
>>>>> which isn't there.  Is there something I'm missing?  Below is the portion 
>>>>> of the log.
>>>>>
>>>>>  
>>>>>
>>>>>  
>>>>>
>>>>> 2016-12-12 13:09:40,226 DEBUG 
>>>>> [org.apereo.cas.support.oauth.validator.OAuthValidator] - <client_id: 
>>>>> fb3s86QV9QKl>
>>>>>
>>>>> 2016-12-12 13:09:40,227 DEBUG 
>>>>> [org.apereo.cas.support.oauth.validator.OAuthValidator] - <redirect_uri: 
>>>>> http://localhost:8080/oauth_client>
>>>>>
>>>>> 2016-12-12 13:09:40,227 DEBUG 
>>>>> [org.apereo.cas.support.oauth.validator.OAuthValidator] - <response_type: 
>>>>> code>
>>>>>
>>>>> 2016-12-12 13:09:40,227 DEBUG 
>>>>> [org.apereo.cas.support.oauth.web.OAuth20AuthorizeController] - <Response 
>>>>> type: code>
>>>>>
>>>>> 2016-12-12 13:09:40,228 DEBUG 
>>>>> [org.apereo.cas.support.oauth.validator.OAuthValidator] - <Check 
>>>>> registered 
>>>>> service: 
>>>>> org.apereo.cas.services.OidcRegisteredService@66d09fb6[attributeFilter=<null>,principalAttributesRepository=org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository@2027a3cc[],authorizedToReleaseCredentialPassword=false,authorizedToReleaseProxyGrantingTicket=false],accessStrategy=org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy@f9e67c0[enabled=true,ssoEnabled=true,requireAllAttributes=false,requiredAttributes={},unauthorizedRedirectUrl=<null>,caseInsensitive=false,rejectedAttributes={}],publicKey=<null>,proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@2e202d9f,logo=<null>,logoutUrl=<null>,requiredHandlers=[],properties={},multifactorPolicy=org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy@6dd174aa[multifactorAuthenticationProviders=[],failureMode=CLOSED,principalAttributeNameTrigger=<null>,principalAttributeValueToMatch=<null>,clientId=fb3s86QV9QKl,approvalPrompt=false,generateRefreshToken=false,jsonFormat=false,jwks=<null>,signIdToken=false
>>>>> ]>
>>>>>
>>>>> 2016-12-12 13:09:40,228 DEBUG 
>>>>> [org.apereo.cas.support.oauth.validator.OAuthValidator] - <Found: 
>>>>> org.apereo.cas.services.OidcRegisteredService@66d09fb6[attributeFilter=<null>,principalAttributesRepository=org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository@2027a3cc[],authorizedToReleaseCredentialPassword=false,authorizedToReleaseProxyGrantingTicket=false],accessStrategy=org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy@f9e67c0[enabled=true,ssoEnabled=true,requireAllAttributes=false,requiredAttributes={},unauthorizedRedirectUrl=<null>,caseInsensitive=false,rejectedAttributes={}],publicKey=<null>,proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@2e202d9f,logo=<null>,logoutUrl=<null>,requiredHandlers=[],properties={},multifactorPolicy=org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy@6dd174aa[multifactorAuthenticationProviders=[],failureMode=CLOSED,principalAttributeNameTrigger=<null>,principalAttributeValueToMatch=<null>,clientId=fb3s86QV9QKl,approvalPrompt=false,generateRefreshToken=false,jsonFormat=false,jwks=<null>,signIdToken=false]
>>>>>  
>>>>> vs redirectUri: http://localhost:8080/oauth_client>
>>>>>
>>>>> 2016-12-12 13:09:40,228 ERROR 
>>>>> [org.apereo.cas.support.oauth.web.OAuth20AuthorizeController] - 
>>>>> <Authorize 
>>>>> request verification fails>
>>>>>
>>>>>  
>>>>>
>>>>>  
>>>>>
>>>>> Thanks in advance for any help.
>>>>>
>>>>> -- 
>>>>> - CAS gitter chatroom: https://gitter.im/apereo/cas
>>>>> - CAS mailing list guidelines: 
>>>>> https://apereo.github.io/cas/Mailing-Lists.html
>>>>> - CAS documentation website: https://apereo.github.io/cas
>>>>> - CAS project website: https://github.com/apereo/cas
>>>>> --- 
>>>>> You received this message because you are subscribed to the Google 
>>>>> Groups "CAS Community" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send 
>>>>> an email to cas-user+u...@apereo.org.
>>>>> To view this discussion on the web visit 
>>>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/3ed93ca6-db04-4734-a86a-4d6938f4576f%40apereo.org
>>>>>  
>>>>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/3ed93ca6-db04-4734-a86a-4d6938f4576f%40apereo.org?utm_medium=email&utm_source=footer>
>>>>> .
>>>>>
>>>>> -- 
>>>>> - CAS gitter chatroom: https://gitter.im/apereo/cas
>>>>> - CAS mailing list guidelines: 
>>>>> https://apereo.github.io/cas/Mailing-Lists.html
>>>>> - CAS documentation website: https://apereo.github.io/cas
>>>>> - CAS project website: https://github.com/apereo/cas
>>>>> --- 
>>>>> You received this message because you are subscribed to the Google 
>>>>> Groups "CAS Community" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send 
>>>>> an email to cas-user+u...@apereo.org.
>>>>> To view this discussion on the web visit 
>>>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/026601d2557d%24488f0090%24d9ad01b0%24%40unicon.net
>>>>>  
>>>>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/026601d2557d%24488f0090%24d9ad01b0%24%40unicon.net?utm_medium=email&utm_source=footer>
>>>>> .
>>>>>
>>>>
>>>> -- 
>>> - CAS gitter chatroom: https://gitter.im/apereo/cas
>>> - CAS mailing list guidelines: 
>>> https://apereo.github.io/cas/Mailing-Lists.html
>>> - CAS documentation website: https://apereo.github.io/cas
>>> - CAS project website: https://github.com/apereo/cas
>>> --- 
>>> You received this message because you are subscribed to the Google 
>>> Groups "CAS Community" group.
>>> To unsubscribe from this group and stop receiving emails from it, send 
>>> an email to cas-user+u...@apereo.org.
>>> To view this discussion on the web visit 
>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/78773adf-f671-4347-8b1e-e36aa8ffe78d%40apereo.org
>>>  
>>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/78773adf-f671-4347-8b1e-e36aa8ffe78d%40apereo.org?utm_medium=email&utm_source=footer>
>>> .
>>>
>>
>>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/b4313f21-604b-4b1f-a81a-98fa42e5f7dd%40apereo.org.

Reply via email to