I am using 5.1.0 not 5.2.2. I had rolledback to 5.1.0 around this time.
The problem still exists in the 5.1.0 code. I resolved by modified the
OidcIdTokenGeneratorService to pull the CLAIM_PREFERRED_USERNAME from the
TGT:
if (!claims.hasClaim(OidcConstants.CLAIM_PREFERRED_USERNAME)) {
String username =
accessTokenId.getGrantingTicket().getAuthentication().getCredentials().get(0).getId();
claims.setClaim(OidcConstants.CLAIM_PREFERRED_USERNAME,
username);
}
vs
if (!claims.hasClaim(OidcConstants.CLAIM_PREFERRED_USERNAME)) {
claims.setClaim(OidcConstants.CLAIM_PREFERRED_USERNAME,
profile.getId());
}
There were some other calls upstream in the
OAuth20AccessTokenEndpointController to get the CLIENT_ID via pac4j. The
CLIENT_ID is also available as a request param. Changed calls similar to:
final String clientId = uProfile.getId();
to
final String clientId = request.getParameter(OAuth20Constants.CLIENT_ID);
On Tuesday, March 6, 2018 at 11:49:12 AM UTC-10, Ryan Rolland wrote:
>
> Greetings,
> I am working with CAS 5.2.2 and trying to authenticate an existing client
> application [Client app is using a UAA server (
> https://github.com/cloudfoundry/uaa)] that supports OIDC.
>
> The call to:
> /cas/oidc/authorize
>
> is succeeding. The problems happen when the client (server side [not
> browser]) tries to call:
>
> cas/oidc/accessToken/
>
> the following parameters are passed with this call:
>
> grant_type=authorization_code
> code=OC-13-INRciVjflpa1elco2HOuIvOSNlTRIRT4fPO
> response_type=id_token
> redirect_uri=https://localhost:1238/login/callback/cas
>
>
> I can debug the CAS 5.2.2 server and see that the call is failing with a
> "Could not locate authenticated profile for this request".
>
> The root cause for this failure is that no profile is being returned from
> the ProfileManager.retrieveAll method. There is neither a profile stored in
> the request or stored in the session. It makes sense that there is no
> profile stored in the session because it is a (client) UAA server side HTTP
> Request that is calling '/cas/oidc/accessToken', i.e. not the browser. Is
> there a mechanism to get at the profile here that I am not seeing? Perhaps
> using the passed in 'code' parameter to lookup the profile from the ticket
> registry?
>
> Thanks in advance for any help troubleshooting this!
>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/ff906b88-bcfd-4ffb-88fe-be5538b5cd23%40apereo.org.
