Hi Andy,

Thanks for looking at my problem. I don't believe the problem here concerns the OIDC authentication, because without delegation everything is working fine. The problem occurs when the SAML2 IdP sends the response to continue the OIDC workflow.

I've added my Tomcat logs:

[07/Feb/2019:09:32:27 +0100] 10.35.103.12 POST /login?client_name=IDP-ENT-test-dev3 HTTP/1.1 ?client_name=IDP-ENT-test-dev3 302 - 247
[07/Feb/2019:09:32:28 +0100] 10.35.103.12 GET /com.worldline.bcmc.gar.openidcpoc.oidcnongar:/oauthredirect?ticket=ST-2-g39DHh3ccg9ysMHPowqL62jCSJAidp-auth.poc-mobilite.test-gar.education.fr HTTP/1.1 ?ticket=ST-2-g39DHh3ccg9ysMHPowqL62jCSJAidp-auth.poc-mobilite.test-gar.education.fr 404 2343 128

*Tomcat log for the OIDC authentication without SAML2 delegation*

[07/Feb/2019:09:02:44 +0100] ip GET /oidc/authorize?response_type=code&client_id=clientId&redirect_uri=service&scope=&state=af0ifjsldkj&acr_values=test HTTP/1.1 ?response_type=code&client_id=clientId&redirect_uri=service=&state=af0ifjsldkj&acr_values=test 302 5 451
[07/Feb/2019:09:02:48 +0100] ip GET /login?service=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_name%3DCasOAuthClient%26client_id%3DclientId%26redirect_uri%3Dservice%26acr_values%3Dtest%26response_type%3Dcode HTTP/1.1 ?service=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_name%3DCasOAuthClient%26client_id%3DclientId%26redirect_uri%3Dservice%26acr_values%3Dtest%26response_type%3Dcode 200 12090 2211
[07/Feb/2019:09:17:51 +0100] ip POST /login?service=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_id%3DclientId%26redirect_uri%3Dservice%26acr_values%3Dtest%26response_type%3Dcode%26client_name%3DCasOAuthClient HTTP/1.1 ?service=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_id%3DclientId%26redirect_uri%3Dservice%26acr_values%3Dtest%26response_type%3Dcode%26client_name%3DCasOAuthClient 302 - 427
[07/Feb/2019:09:17:53 +0100] ip GET /p3/serviceValidate?ticket=ST-1-xxxxxxxxxxidp-oidc.fr&service=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_id%3DclientId%26redirect_uri%3Dservice%26acr_values%3Dtest%26response_type%3Dcode%26client_name%3DCasOAuthClient HTTP/1.1 ?ticket=ST-1-xxxxxxxxxxidp-oidc.fr&service=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_id%3DclientId%26redirect_uri%3Dservice%26acr_values%3Dtest%26response_type%3Dcode%26client_name%3DCasOAuthClient 200 960 117
[07/Feb/2019:09:17:53 +0100] ip GET /oauth2.0/callbackAuthorize?client_id=clientId&redirect_uri=service&acr_values=test&response_type=code&client_name=CasOAuthClient&ticket=ST-1-xxxxxxxxxxxAidp-oidc.fr HTTP/1.1 ?client_id=clientId&redirect_uri=service&acr_values=test&response_type=code&client_name=CasOAuthClient&ticket=ST-1-xxxxxxxxxxxxxxAidp-oidc.fr 302 - 345
[07/Feb/2019:09:17:54 +0100] 10.35.103.12 GET /oidc/authorize?response_type=code&client_id=clientId&redirect_uri=service&scope=&state=af0ifjsldkj&acr_values=test HTTP/1.1 ?response_type=code&client_id=clientId&redirect_uri=service&scope=&state=af0ifjsldkj&acr_values=test 200 2563 75

*Tomcat log for the OIDC authentication with SAML2 delegation*

[07/Feb/2019:09:25:17 +0100] ip GET /oidc/authorize?response_type=code&client_id=clientId&redirect_uri=service&scope=&state=af0ifjsldkj&acr_values=test HTTP/1.1 ?response_type=code&client_id=clientId&redirect_uri=service=&state=af0ifjsldkj&acr_values=test 302 5 11
[07/Feb/2019:09:25:18 +0100] ip GET /login?service=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_name%3DCasOAuthClient%26client_id%3DclientId%26redirect_uri%3Dservice%26acr_values%3Dtest%26response_type%3Dcode HTTP/1.1 ?service=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_name%3DCasOAuthClient%26client_id%3DclientId%26redirect_uri%3Dservice%26acr_values%3Dtest%26response_type%3Dcode 200 8909 138
[07/Feb/2019:09:30:38 +0100] ip GET /clientredirect?client_name=IDP-SAML2&service=service HTTP/1.1 ?client_name=SAML2&service=service 302 - 393
[07/Feb/2019:09:32:27 +0100] ip POST /login?client_name=IDP-SAML HTTP/1.1 ?client_name=clientId 302 - 247
[07/Feb/2019:09:32:28 +0100] ip GET service?ticket=ST-2-xxxxxxxxxxxxxxxxxxxxxxxxx HTTP/1.1 ?ticket=ST-2-xxxxxxxxxxxxxxxxxxxxxxidp-oidc 404 2343 128

In the OIDC authentication without SAML2, /p3/serviceValidate is called, but it is not called with SAML2 delegation.

Thanks for your help,
Kyra

PS: I need to anonymise my logs.

On Thursday, 7 February 2019 at 04:01:35 UTC+1, Andy Ng wrote:
>
> Hi Kyra,
>
> After reading your problem, and if I am not mistaken, I think your problem
> is mostly *not related* to https://github.com/apereo/cas/pull/3664 (I
> will reference it as #3664), hence studying the fix from #3664 most likely
> won't help you.
>
> In #3664, the problem occurs when using SAML 2 authentication with
> attribute consent, and no additional delegation is involved.
> In your case, the problem occurs when using OIDC authentication with OAuth
> consent, and there is SAML 2 delegation used.
>
> As you can see from the color, the triggers for the above 2 issues are
> very different, so looking at #3664 is likely not going to give you the
> fix you need.
>
> As for how to find your fix: OIDC authentication had a big revamp from
> 5.2.x to 5.3.x, especially in how the flow works, so I think you should
> actually look at what changed in OIDC authentication; that is more likely
> to help you find the fix.
>
> One more thing: if you can also provide the debug log to the group, that
> might also help in finding out the issue.
>
> And unfortunately I don't have a SAML 2 delegation setup on my PC, so I
> can help debug your problem. Need to see if others in this group can help
> you.
>
> - Andy

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/a2029ba6-15b5-496d-bc43-674ed3bdc012%40apereo.org.
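As an added illustration (not part of Kyra's or Andy's messages, and not CAS project code), the following Python script parses Tomcat access-log lines in the layout shown in the thread and reports the point where a service ticket is handed to an endpoint that never validates it, which is the visible difference between the two captures above: in the working flow the ST is consumed by /p3/serviceValidate and /oauth2.0/callbackAuthorize, while in the delegated flow it lands on a URL that answers 404. The log lines, the 10.0.0.1 address, the cas.example.test host and the ST-*-EXAMPLE ticket ids are constructed; the set of ticket-consuming endpoints is an assumption drawn from the paths that appear in the thread.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Assumed Tomcat access-log layout, matching the shape of the lines in the thread:
#   [time] ip METHOD /path?query HTTP/1.x ?query status bytes millis
LINE_RE = re.compile(
    r"^\[(?P<time>[^\]]+)\]\s+(?P<ip>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+HTTP/1\.\d"
    r"(?:\s+(?P<query>\?\S*))?\s+(?P<status>\d{3})\s+(?P<bytes>\S+)\s+(?P<ms>\d+)\s*$"
)

# Endpoints at which CAS consumes a service ticket in the OAuth/OIDC flow (assumed from the thread).
TICKET_CONSUMERS = ("/p3/serviceValidate", "/serviceValidate", "/oauth2.0/callbackAuthorize")


@dataclass
class Hit:
    time: str
    method: str
    path: str
    params: Dict[str, str] = field(default_factory=dict)
    status: int = 0


def parse_line(line: str) -> Optional[Hit]:
    """Parse one access-log line; return None for lines that do not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return Hit(m.group("time"), m.group("method"), parts.path, params, int(m.group("status")))


def parse_log(text: str) -> List[Hit]:
    hits = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("*"):  # skip blank lines and free-text annotations
            continue
        hit = parse_line(raw)
        if hit is not None:
            hits.append(hit)
    return hits


def flow_summary(hits: List[Hit]) -> List[str]:
    """Compact 'METHOD path status' trace, handy for comparing two captures side by side."""
    return [f"{h.method} {h.path} {h.status}" for h in hits]


def audit_ticket_flow(hits: List[Hit]) -> List[str]:
    """Report service tickets (ST-...) that reach a 404 endpoint or are never validated."""
    findings = []
    consumed = set()
    for h in hits:
        ticket = h.params.get("ticket", "")
        if not ticket.startswith("ST-"):
            continue
        if h.path in TICKET_CONSUMERS:
            consumed.add(ticket)
        if h.status == 404:
            findings.append(f"ticket {ticket} presented to {h.path} -> 404")
    issued = {h.params["ticket"] for h in hits if h.params.get("ticket", "").startswith("ST-")}
    for ticket in sorted(issued - consumed):
        findings.append(f"ticket {ticket} was never validated by {' or '.join(TICKET_CONSUMERS)}")
    return findings


# Constructed sample captures (anonymised; same layout as the thread's logs).
WORKING_LOG = """\
[07/Feb/2019:09:02:44 +0100] 10.0.0.1 GET /oidc/authorize?response_type=code&client_id=clientId&scope=&state=af0ifjsldkj HTTP/1.1 ?response_type=code&client_id=clientId 302 5 451
[07/Feb/2019:09:02:48 +0100] 10.0.0.1 GET /login?service=https%3A%2F%2Fcas.example.test%2Foauth2.0%2FcallbackAuthorize HTTP/1.1 ?service=https%3A%2F%2Fcas.example.test%2Foauth2.0%2FcallbackAuthorize 200 12090 2211
[07/Feb/2019:09:17:51 +0100] 10.0.0.1 POST /login?service=https%3A%2F%2Fcas.example.test%2Foauth2.0%2FcallbackAuthorize HTTP/1.1 ?service=https%3A%2F%2Fcas.example.test%2Foauth2.0%2FcallbackAuthorize 302 - 427
[07/Feb/2019:09:17:53 +0100] 10.0.0.1 GET /p3/serviceValidate?ticket=ST-1-EXAMPLE&service=https%3A%2F%2Fcas.example.test%2Foauth2.0%2FcallbackAuthorize HTTP/1.1 ?ticket=ST-1-EXAMPLE 200 960 117
[07/Feb/2019:09:17:53 +0100] 10.0.0.1 GET /oauth2.0/callbackAuthorize?client_id=clientId&ticket=ST-1-EXAMPLE HTTP/1.1 ?client_id=clientId&ticket=ST-1-EXAMPLE 302 - 345
[07/Feb/2019:09:17:54 +0100] 10.0.0.1 GET /oidc/authorize?response_type=code&client_id=clientId HTTP/1.1 ?response_type=code&client_id=clientId 200 2563 75
"""

DELEGATED_LOG = """\
[07/Feb/2019:09:25:17 +0100] 10.0.0.1 GET /oidc/authorize?response_type=code&client_id=clientId&scope=&state=af0ifjsldkj HTTP/1.1 ?response_type=code&client_id=clientId 302 5 11
[07/Feb/2019:09:25:18 +0100] 10.0.0.1 GET /login?service=https%3A%2F%2Fcas.example.test%2Foauth2.0%2FcallbackAuthorize HTTP/1.1 ?service=https%3A%2F%2Fcas.example.test%2Foauth2.0%2FcallbackAuthorize 200 8909 138
[07/Feb/2019:09:30:38 +0100] 10.0.0.1 GET /clientredirect?client_name=IDP-SAML2&service=service HTTP/1.1 ?client_name=IDP-SAML2&service=service 302 - 393
[07/Feb/2019:09:32:27 +0100] 10.0.0.1 POST /login?client_name=IDP-SAML2 HTTP/1.1 ?client_name=IDP-SAML2 302 - 247
[07/Feb/2019:09:32:28 +0100] 10.0.0.1 GET /service?ticket=ST-2-EXAMPLE HTTP/1.1 ?ticket=ST-2-EXAMPLE 404 2343 128
"""

if __name__ == "__main__":
    for name, text in (("without delegation", WORKING_LOG), ("with SAML2 delegation", DELEGATED_LOG)):
        hits = parse_log(text)
        print(name, "->", " | ".join(flow_summary(hits)))
        for finding in audit_ticket_flow(hits) or ["no findings"]:
            print("  ", finding)
```

Running the script on the two constructed captures prints an empty finding list for the first and, for the second, the 404 hit plus a note that the ST was never consumed by a validation endpoint; pointing it at a real (anonymised) access log gives the same side-by-side view of where the delegated flow stops matching the direct one.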
