Here are my logs for the normal OIDC flow:

2019-02-08 11:44:30,863 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - 
<Attempting to resolve authentication event using resolver 
[RankedAuthenticationProviderWebflowEventResolver]>

2019-02-08 11:44:30,863 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - 
<Attempting to resolve authentication event using resolver 
[RankedAuthenticationProviderWebflowEventResolver]>

2019-02-08 11:44:30,863 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - 
<Resolved single event [success] via 
[org.apereo.cas.web.flow.resolver.impl.RankedAuthenticationProviderWebflowEventResolver]
 
for this context>

2019-02-08 11:44:30,863 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - 
<Resolved single event [success] via 
[org.apereo.cas.web.flow.resolver.impl.RankedAuthenticationProviderWebflowEventResolver]
 
for this context>

2019-02-08 11:44:30,864 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit 
trail record BEGIN

=============================================================

WHO: audit:unknown

WHAT: [event=success,timestamp=Fri Feb 08 11:44:30 CET 
2019,source=RankedAuthenticationProviderWebflowEventResolver]

ACTION: AUTHENTICATION_EVENT_TRIGGERED

APPLICATION: CAS

WHEN: Fri Feb 08 11:44:30 CET 2019

CLIENT IP ADDRESS: ip

SERVER IP ADDRESS: ip

=============================================================

 

>

2019-02-08 11:44:30,864 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit 
trail record BEGIN

=============================================================

WHO: audit:unknown

WHAT: [event=success,timestamp=Fri Feb 08 11:44:30 CET 
2019,source=RankedAuthenticationProviderWebflowEventResolver]

ACTION: AUTHENTICATION_EVENT_TRIGGERED

APPLICATION: CAS

WHEN: Fri Feb 08 11:44:30 CET 2019

CLIENT IP ADDRESS: ip

SERVER IP ADDRESS: ip

=============================================================

 

>

2019-02-08 11:44:30,867 DEBUG 
[org.apereo.cas.web.flow.login.InitializeLoginAction] - <Initialized login 
sequence>

2019-02-08 11:44:30,867 DEBUG 
[org.apereo.cas.web.flow.login.InitializeLoginAction] - <Initialized login 
sequence>

 

2019-02-08 11:44:30,982 DEBUG 
[org.apereo.cas.web.view.CasReloadableMessageBundle] - <No properties file 
found for [classpath:custom_messages_fr_FR] - neither plain properties nor 
XML>

2019-02-08 11:44:30,983 DEBUG 
[org.apereo.cas.web.view.CasReloadableMessageBundle] - <No properties file 
found for [classpath:messages_fr_FR] - neither plain properties nor XML>

2019-02-08 11:44:30,984 DEBUG 
[org.apereo.cas.web.view.CasReloadableMessageBundle] - <No properties file 
found for [classpath:custom_messages_fr] - neither plain properties nor XML>

2019-02-08 11:44:30,984 DEBUG 
[org.apereo.cas.web.view.CasReloadableMessageBundle] - <Loading properties 
[messages_fr.properties] with encoding 'UTF-8'>

2019-02-08 11:46:26,280 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - 
<Attempting to resolve authentication event using resolver 
[ServiceTicketRequestWebflowEventResolver]>

2019-02-08 11:46:26,280 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - 
<Attempting to resolve authentication event using resolver 
[ServiceTicketRequestWebflowEventResolver]>

2019-02-08 11:46:26,280 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.ServiceTicketRequestWebflowEventResolver]
 
- <Located ticket-granting ticket [null] from the request context>

2019-02-08 11:46:26,280 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.ServiceTicketRequestWebflowEventResolver]
 
- <Located ticket-granting ticket [null] from the request context>

2019-02-08 11:46:26,281 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.ServiceTicketRequestWebflowEventResolver]
 
- <Located service 
[AbstractWebApplicationService(id=https://idp-oidc.fr/oauth2.0/callbackAuthorize?client_id=service.clientId&redirect_uri=service.redirect_uri&response_type=code&client_name=CasOAuthClient,
 
originalUrl=https://idp-oidc.fr/oauth2.0/callbackAuthorize?client_id=service.clientId&redirect_uri=service.redirect_uri&response_type=code&client_name=CasOAuthClient,
 
artifactId=null, principal=null, source=service, 
loggedOutAlready=false, format=XML, attributes={})] from the request 
context>

2019-02-08 11:46:26,281 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.ServiceTicketRequestWebflowEventResolver]
 
- <Located service 
[AbstractWebApplicationService(id=https://idp-oidc.fr/oauth2.0/callbackAuthorize?client_id=service.clientName&redirect_uri=service.redirect_uri&response_type=code&client_name=CasOAuthClient,
 
originalUrl=https://idoidc.fr/oauth2.0/callbackAuthorize?client_id=service.clientID&redirect_uri=service.redirect_uri&response_type=code&client_name=CasOAuthClient,
 
artifactId=null, principal=null, source=service, 
loggedOutAlready=false, format=XML, attributes={})] from the request 
context>

2019-02-08 11:46:26,281 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.ServiceTicketRequestWebflowEventResolver]
 
- <Provided value for [renew] request parameter is [null]>

2019-02-08 11:46:26,281 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.ServiceTicketRequestWebflowEventResolver]
 
- <Provided value for [renew] request parameter is [null]>

2019-02-08 11:46:26,281 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.ServiceTicketRequestWebflowEventResolver]
 
- <Request is not eligible to be issued service tickets just yet>

2019-02-08 11:46:26,281 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.ServiceTicketRequestWebflowEventResolver]
 
- <Request is not eligible to be issued service tickets just yet>

 

2019-02-08 11:46:26,282 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - 
<Attempting to resolve authentication event using resolver 
[InitialAuthenticationAttemptWebflowEventResolver]>

2019-02-08 11:46:26,282 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - 
<Attempting to resolve authentication event using resolver 
[InitialAuthenticationAttemptWebflowEventResolver]>

2019-02-08 11:46:26,319 DEBUG 
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
 
- <Examining credential [UsernamePasswordCredential(username=userPseudo)] 
eligibility for authentication handler [AcceptUsersAuthenticationHandler]>

2019-02-08 11:46:26,319 DEBUG 
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
 
- <Credential [UsernamePasswordCredential(username=userPseudo)] eligibility 
is [AcceptUsersAuthenticationHandler] for authentication handler [true]>

2019-02-08 11:46:26,322 DEBUG 
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
 
- <Transforming credential username via 
[org.apereo.cas.util.transforms.ChainingPrincipalNameTransformer]>

2019-02-08 11:46:26,322 DEBUG 
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
 
- <Attempting to encode credential password via 
[org.springframework.security.crypto.password.NoOpPasswordEncoder] for 
[userPseudo]>

2019-02-08 11:46:26,322 DEBUG 
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
 
- <Attempting authentication internally for transformed credential 
[UsernamePasswordCredential(username=userPseudo)]>

2019-02-08 11:46:26,350 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit 
trail record BEGIN

=============================================================

WHO: userPseudo

WHAT: Supplied credentials: 
[UsernamePasswordCredential(username=userPseudo)]

ACTION: AUTHENTICATION_SUCCESS

APPLICATION: CAS

WHEN: Fri Feb 08 11:46:26 CET 2019

CLIENT IP ADDRESS: ip

SERVER IP ADDRESS: ip

=============================================================

 

>

2019-02-08 11:46:26,350 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit 
trail record BEGIN

=============================================================

WHO: userPseudo

WHAT: Supplied credentials: 
[UsernamePasswordCredential(username=userPseudo)]

ACTION: AUTHENTICATION_SUCCESS

APPLICATION: CAS

WHEN: Fri Feb 08 11:46:26 CET 2019

CLIENT IP ADDRESS: ip

SERVER IP ADDRESS: ip

=============================================================

 

>

 

2019-02-08 11:46:26,355 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver]
 
- <Locating service 
[AbstractWebApplicationService(id=https://idp-oidc.fr/oauth2.0/callbackAuthorize?client_id=service.clientId&redirect_uri=service.redirect_uri&response_type=code&client_name=CasOAuthClient,
 
originalUrl=https://idp-oidc.fr/oauth2.0/callbackAuthorize?client_id=service.clientId&redirect_uri=service.redirect_uri&response_type=code&client_name=CasOAuthClient,
 
artifactId=null, principal=null, source=service, loggedOutAlready=false, 
format=XML, attributes={})] in service registry to determine authentication 
policy>

 

2019-02-08 11:46:26,355 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver]
 
- <Locating authentication event in the request context...>

 

2019-02-08 11:46:26,355 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver]
 
- <Locating authentication event in the request context...>

 

2019-02-08 11:46:26,355 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver]
 
- <Enforcing access strategy policies for registered service 
[AbstractRegisteredService(serviceId=https://idp-oidc.fr/oauth2.0/callbackAuthorize.*,
 
name=RegexRegisteredService, theme=null, informationUrl=null, 
privacyUrl=null, responseType=null, id=*******, description=OAuth 
Authentication Callback Request URL, 
expirationPolicy=DefaultRegisteredServiceExpirationPolicy(deleteWhenExpired=false,
 
notifyWhenDeleted=false, expirationDate=null), 
proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1, 
evaluationOrder=0, 
usernameAttributeProvider=org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider@87297e2,
 
logoutType=BACK_CHANNEL, requiredHandlers=[], 
attributeReleasePolicy=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null,
 
principalAttributesRepository=DefaultPrincipalAttributesRepository(), 
consentPolicy=DefaultRegisteredServiceConsentPolicy(enabled=true, 
excludedAttributes=null, includeOnlyAttributes=null), 
authorizedToReleaseCredentialPassword=false, 
authorizedToReleaseProxyGrantingTicket=false, 
excludeDefaultAttributes=true, 
authorizedToReleaseAuthenticationAttributes=false, 
principalIdAttribute=null), 
multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[],
 
failureMode=NOT_SET, principalAttributeNameTrigger=null, 
principalAttributeValueToMatch=null, bypassEnabled=false), logo=null, 
logoutUrl=null, 
accessStrategy=DefaultRegisteredServiceAccessStrategy(order=0, 
enabled=true, ssoEnabled=true, unauthorizedRedirectUrl=null, 
delegatedAuthenticationPolicy=DefaultRegisteredServiceDelegatedAuthenticationPolicy(allowedProviders=[]),
 
requireAllAttributes=true, requiredAttributes={}, rejectedAttributes={}, 
caseInsensitive=false), publicKey=null, properties={}, contacts=[])] and 
principal [SimplePrincipal(id=userPseudo, attributes={})]>

 

2019-02-08 11:46:26,363 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit 
trail record BEGIN

=============================================================

WHO: userPseudo

WHAT: [result=Service Access 
Granted,service=https://idp-oidc..,principal=SimplePrincipal(id=userPseudo, 
attributes={}),requiredAttributes={}]

ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED

APPLICATION: CAS

WHEN: Fri Feb 08 11:46:26 CET 2019

CLIENT IP ADDRESS: ip

SERVER IP ADDRESS: ip

=============================================================

 

>

 

2019-02-08 11:46:26,529 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver]
 
- <Resolving candidate authentication event for service 
[AbstractWebApplicationService(id=https://idp-oidc.fr/oauth2.0/callbackAuthorize?client_id=service.clientId&redirect_uri=service.redirect_uri&response_type=code&client_name=CasOAuthClient,
 
originalUrl=https://idp-oidc.fr/oauth2.0/callbackAuthorize?client_id=service.clientId&redirect_uri=service.redirect_uri&response_type=code&client_name=CasOAuthClient,
 
artifactId=null, principal=null, source=service, loggedOutAlready=false, 
format=XML, attributes={})] using 
[OidcAuthenticationContextWebflowEventResolver]>

2019-02-08 11:46:26,529 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - 
<Attempting to resolve authentication event using resolver 
[OidcAuthenticationContextWebflowEventResolver]>

2019-02-08 11:46:26,529 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - 
<Attempting to resolve authentication event using resolver 
[OidcAuthenticationContextWebflowEventResolver]>

2019-02-08 11:46:26,532 DEBUG 
[org.apereo.cas.oidc.web.flow.OidcAuthenticationContextWebflowEventResolver] 
- <No ACR provided in the authentication request>

2019-02-08 11:46:26,533 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver]
 
- <No candidate authentication events were resolved for service 
[AbstractWebApplicationService(id=https://idp-oidc.fr/oauth2.0/callbackAuthorize?client_id=service.clientId&redirect_uri=service.redirect_uri&response_type=code&client_name=CasOAuthClient,
 
originalUrl=https://idp-oidc.fr/oauth2.0/callbackAuthorize?client_id=service.clientId&redirect_uri=service.redirect_uri&response_type=code&client_name=CasOAuthClient,
 
artifactId=null, principal=null, source=service, loggedOutAlready=false, 
format=XML, attributes={})]>

2019-02-08 11:46:26,533 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver]
 
- <No candidate authentication events were resolved for service 
[AbstractWebApplicationService(id=https://idp-oidc.fr/oauth2.0/callbackAuthorize?client_id=service.clientId&redirect_uri=service.redirect_uri&response_type=code&client_name=CasOAuthClient,
 
originalUrl=https://idp-oidc.fr/oauth2.0/callbackAuthorize?client_id=service.clientId&redirect_uri=service.redirect_uri&response_type=code&client_name=CasOAuthClient,
 
artifactId=null, principal=null, source=service, loggedOutAlready=false, 
format=XML, attributes={})]>

2019-02-08 11:46:26,533 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - 
<Resolved single event [success] via 
[org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver]
 
for this context>

2019-02-08 11:46:26,533 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - 
<Resolved single event [success] via 
[org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver]
 
for this context>

2019-02-08 11:46:26,533 DEBUG 
[org.apereo.cas.web.flow.login.CreateTicketGrantingTicketAction] - 
<Finalizing authentication transactions and issuing ticket-granting ticket>

2019-02-08 11:46:26,533 DEBUG 
[org.apereo.cas.web.flow.login.CreateTicketGrantingTicketAction] - 
<Finalizing authentication transactions and issuing ticket-granting ticket>

2019-02-08 11:46:26,547 DEBUG 
[org.apereo.cas.web.flow.login.CreateTicketGrantingTicketAction] - 
<Finalizing authentication event...>

2019-02-08 11:46:26,547 DEBUG 
[org.apereo.cas.web.flow.login.CreateTicketGrantingTicketAction] - 
<Finalizing authentication event...>

2019-02-08 11:46:26,548 DEBUG 
[org.apereo.cas.web.flow.login.CreateTicketGrantingTicketAction] - 
<Creating ticket-granting ticket, potentially based on [null]>

2019-02-08 11:46:26,548 DEBUG 
[org.apereo.cas.web.flow.login.CreateTicketGrantingTicketAction] - 
<Creating ticket-granting ticket, potentially based on [null]>

2019-02-08 11:46:26,548 DEBUG 
[org.apereo.cas.web.flow.login.CreateTicketGrantingTicketAction] - 
<Attempting to issue a new ticket-granting ticket...>

2019-02-08 11:46:26,548 DEBUG 
[org.apereo.cas.web.flow.login.CreateTicketGrantingTicketAction] - 
<Attempting to issue a new ticket-granting ticket...>

2019-02-08 11:46:26,558 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit 
trail record BEGIN

 

=============================================================

WHO: userPseudo

WHAT: [result=Service Access 
Granted,service=https://idp-oidc...,principal=SimplePrincipal(id=userPseudo, 
attributes={}),requiredAttributes={}]

ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED

APPLICATION: CAS

WHEN: Fri Feb 08 11:46:26 CET 2019

CLIENT IP ADDRESS: ip

SERVER IP ADDRESS: ip

=============================================================

 

>

2019-02-08 11:46:26,594 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit 
trail record BEGIN

=============================================================

WHO: userPseudo

WHAT: 
TGT-1-*******************************************************************************************st-oidc.fr

ACTION: TICKET_GRANTING_TICKET_CREATED

APPLICATION: CAS

WHEN: Fri Feb 08 11:46:26 CET 2019

CLIENT IP ADDRESS: ip

SERVER IP ADDRESS: ip

=============================================================

 

>

 

2019-02-08 11:46:26,595 DEBUG 
[org.apereo.cas.web.flow.login.CreateTicketGrantingTicketAction] - 
<Calculating authentication warning messages...>

 

2019-02-08 11:46:26,597 DEBUG 
[org.apereo.cas.web.flow.DefaultSingleSignOnParticipationStrategy] - 
<Located [https://idp-oidc.fr/oauth2.0/callbackAuthorize.*] in registry. 
Service access to participate in SSO is set to [true]>

 

2019-02-08 11:46:26,597 DEBUG 
[org.apereo.cas.web.flow.login.SendTicketGrantingTicketAction] - <Setting 
ticket-granting cookie for current session linked to 
[TGT-1-*******************************************************************************************st-oidc.fr].>

 

2019-02-08 11:46:26,609 DEBUG 
[org.apereo.cas.web.flow.GenerateServiceTicketAction] - <Service asking for 
service ticket is 
[AbstractWebApplicationService(id=https://idp-oidc.fr/oauth2.0/callbackAuthorize?client_id=service.clientId&redirect_uri=service.redirect_uri&response_type=code&client_name=CasOAuthClient,
 
originalUrl=https://idp-oidc.fr/oauth2.0/callbackAuthorize?client_id=service.clientId&redirect_uri=service.redirect_uri&response_type=code&client_name=CasOAuthClient,
 
artifactId=null, principal=null, source=service, loggedOutAlready=false, 
format=XML, attributes={})]>

 

2019-02-08 11:46:26,609 DEBUG 
[org.apereo.cas.web.flow.GenerateServiceTicketAction] - <Service asking for 
service ticket is 
[AbstractWebApplicationService(id=https://idp-oidc.fr/oauth2.0/callbackAuthorize?client_id=service.clientId&redirect_uri=service.redirect_uri&response_type=code&client_name=CasOAuthClient,
 
originalUrl=https://idp-oidc.fr/oauth2.0/callbackAuthorize?client_id=service.clientId&redirect_uri=service.redirect_uri&response_type=code&client_name=CasOAuthClient,
 
artifactId=null, principal=null, source=service, loggedOutAlready=false, 
format=XML, attributes={})]>

 

2019-02-08 11:46:26,609 DEBUG 
[org.apereo.cas.web.flow.GenerateServiceTicketAction] - <Ticket-granting 
ticket found in the context is 
[TGT-1-*******************************************************************************************st-oidc.fr]>

 

2019-02-08 11:46:26,621 DEBUG 
[org.apereo.cas.web.flow.GenerateServiceTicketAction] - <Registered service 
asking for service ticket is 
[OidcRegisteredService(super=OAuthRegisteredService(super=AbstractRegisteredService(serviceId=^service.redirect_uri,
 
name=service.clientName, theme=null, informationUrl=null, privacyUrl=null, 
responseType=null, id=*****, description=null, 
expirationPolicy=DefaultRegisteredServiceExpirationPolicy(deleteWhenExpired=false,
 
notifyWhenDeleted=false, expirationDate=null), 
proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1, 
evaluationOrder=0, 
usernameAttributeProvider=PrincipalAttributeRegisteredServiceUsernameProvider(usernameAttribute=*****),
 
logoutType=BACK_CHANNEL, requiredHandlers=[], 
attributeReleasePolicy=ChainingAttributeReleasePolicy(policies=[BaseOidcScopeAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null,
 
principalAttributesRepository=DefaultPrincipalAttributesRepository(), 
consentPolicy=DefaultRegisteredServiceConsentPolicy(enabled=true, 
excludedAttributes=null, includeOnlyAttributes=null), 
authorizedToReleaseCredentialPassword=false, 
authorizedToReleaseProxyGrantingTicket=false, 
excludeDefaultAttributes=false, 
authorizedToReleaseAuthenticationAttributes=true, 
principalIdAttribute=null), allowedAttributes=[name, family_name, 
given_name, middle_name, nickname, preferred_username, profile, picture, 
website, gender, birthdate, zoneinfo, locale, updated_at], 
scopeName=profile)]), 
multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[mfa-duo],
 
failureMode=NONE, principalAttributeNameTrigger=null, 
principalAttributeValueToMatch=null, bypassEnabled=false), logo=null, 
logoutUrl=null, 
accessStrategy=DefaultRegisteredServiceAccessStrategy(order=0, 
enabled=true, ssoEnabled=true, unauthorizedRedirectUrl=null, 
delegatedAuthenticationPolicy=DefaultRegisteredServiceDelegatedAuthenticationPolicy(allowedProviders=[]),
 
requireAllAttributes=true, requiredAttributes={}, rejectedAttributes={}, 
caseInsensitive=false), publicKey=null, properties={}, contacts=[]), 
clientSecret=service.secret, clientId=service.clientId, 
bypassApprovalPrompt=false, generateRefreshToken=true, jsonFormat=true, 
supportedGrantTypes=[], supportedResponseTypes=[]), jwks=null, 
signIdToken=true, encryptIdToken=false, idTokenEncryptionAlg=null, 
idTokenEncryptionEncoding=null, sectorIdentifierUri=null, 
subjectType=public, dynamicallyRegistered=false, implicit=false, 
dynamicRegistrationDateTime=null, scopes=[profile])]>

 

2019-02-08 11:46:26,622 DEBUG 
[org.apereo.cas.web.flow.GenerateServiceTicketAction] - <Built the final 
authentication result [DefaultAuthenticationResult(credentialProvided=true, 
authentication=org.apereo.cas.authentication.DefaultAuthentication@fb5a4f06, 
service=AbstractWebApplicationService(id=https://idp-oidc.fr/oauth2.0/callbackAuthorize?client_id=service.cientId&redirect_uri=service.redirect_uri&response_type=code&client_name=CasOAuthClient,
 
originalUrl=https://idp-oidc.fr/oauth2.0/callbackAuthorize?client_id=service.clientId&redirect_uri=service.redirect_uri&response_type=code&client_name=CasOAuthClient,
 
artifactId=null, principal=null, source=service, loggedOutAlready=false, 
format=XML, attributes={}))] to grant service ticket to 
[AbstractWebApplicationService(id=https://idp-oidc.fr/oauth2.0/callbackAuthorize?client_id=service.clientId&redirect_uri=service.redirect_uri&response_type=code&client_name=CasOAuthClient,
 
originalUrl=https://idp-oidc.fr/oauth2.0/callbackAuthorize?client_id=service.clientId&redirect_uri=service.redirect_uri&response_type=code&client_name=CasOAuthClient,
 
artifactId=null, principal=null, source=service, loggedOutAlready=false, 
format=XML, attributes={})]>

 

2019-02-08 11:46:26,625 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit 
trail record BEGIN

=============================================================

WHO: userPseudo

WHAT: [result=Service Access 
Granted,service=service.redirect_uri...,requiredAttributes={}]

ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED

APPLICATION: CAS

WHEN: Fri Feb 08 11:46:26 CET 2019

CLIENT IP ADDRESS: ip

SERVER IP ADDRESS: ip

=============================================================

 

>

2019-02-08 11:46:26,660 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit 
trail record BEGIN

=============================================================

WHO: userPseudo

WHAT: ST-1-*****idp-oidc.fr for 
https://idp-oidc.fr/oauth2.0/callbackAuthorize?client_id=service.clientId&redirect_uri=service.redirect_uri
...

ACTION: SERVICE_TICKET_CREATED

APPLICATION: CAS

WHEN: Fri Feb 08 11:46:26 CET 2019

CLIENT IP ADDRESS: ip

SERVER IP ADDRESS: ip

=============================================================

 

 

2019-02-08 11:46:26,660 DEBUG 
[org.apereo.cas.web.flow.GenerateServiceTicketAction] - <Granted service 
ticket [ST-1-*****idp-oidc.fr] and added it to the request scope>

 

2019-02-08 11:46:26,661 DEBUG 
[org.apereo.cas.web.flow.actions.RedirectToServiceAction] - <Located 
service 
[AbstractWebApplicationService(id=https://idp-oidc.fr/oauth2.0/callbackAuthorize?client_id=service.clientId&redirect_uri=service.redirect_uri%3A%2Foauthredirect&response_type=code&client_name=CasOAuthClient,
 
originalUrl=https://idp-oidc.fr/oauth2.0/callbackAuthorize?client_id=service.clientId&redirect_uri=service.redirect_uri&response_type=code&client_name=CasOAuthClient,
 
artifactId=null, principal=userPseudo, source=service, 
loggedOutAlready=false, format=XML, attributes={})] from the context>

 

2019-02-08 11:46:26,661 DEBUG 
[org.apereo.cas.web.flow.actions.RedirectToServiceAction] - <Located 
authentication 
[org.apereo.cas.authentication.DefaultAuthentication@b488a386] from the 
context>

 

2019-02-08 11:46:26,662 DEBUG 
[org.apereo.cas.web.flow.actions.RedirectToServiceAction] - <Located 
service ticket [ST-1-*****idp-oidc.fr] from the context>

 

 

2019-02-08 11:46:26,662 DEBUG 
[org.apereo.cas.web.flow.actions.RedirectToServiceAction] - <Located 
service response builder 
[org.apereo.cas.authentication.principal.WebApplicationServiceResponseBuilder@2a31b369]
 
for 
[AbstractWebApplicationService(id=https://idp-oidc.fr/oauth2.0/callbackAuthorize?client_id=service.clientId&redirect_uri=service.redirect_uri&response_type=code&client_name=CasOAuthClient,
 
originalUrl=https://idp-oidc.fr/oauth2.0/callbackAuthorize?client_id=service.clientId&redirect_uri=service.redirect_uri&response_type=code&client_name=CasOAuthClient,
 
artifactId=null, principal=userPseudo, source=service, 
loggedOutAlready=false, format=XML, attributes={})]>

 

2019-02-08 11:46:26,702 DEBUG 
[org.apereo.cas.web.flow.actions.RedirectToServiceAction] - <Built response 
[org.apereo.cas.authentication.principal.DefaultResponse@36e645e1] for 
[AbstractWebApplicationService(id=https://idp-oidc.fr/oauth2.0/callbackAuthorize?client_id=service.clientId&redirect_uri=service.redirect_uri&response_type=code&client_name=CasOAuthClient,
 
originalUrl=https://idp-oidc.fr/oauth2.0/callbackAuthorize?client_id=service.clientId&redirect_uri=service.redirect_uri&response_type=code&client_name=CasOAuthClient,
 
artifactId=null, principal=userPseudo, source=service, 
loggedOutAlready=false, format=XML, attributes={})]>

 

2019-02-08 11:46:26,703 DEBUG 
[org.apereo.cas.web.flow.actions.RedirectToServiceAction] - <Signaling flow 
to redirect to service 
[AbstractWebApplicationService(id=https://idp-oidc.fr/oauth2.0/callbackAuthorize?client_id=service.clientId&redirect_uri=service.redirect_uri&response_type=code&client_name=CasOAuthClient,
 
originalUrl=https://idp-oidc.fr/oauth2.0/callbackAuthorize?client_id=service.clientId&redirect_uri=service.redirect_uri&response_type=code&client_name=CasOAuthClient,
 
artifactId=null, principal=userPseudo, source=service, 
loggedOutAlready=false, format=XML, attributes={})] via event [redirect]>

 

2019-02-08 11:46:27,055 DEBUG 
[org.jasig.cas.client.validation.Cas30ServiceTicketValidator] - <Placing 
URL parameters in map.>

2019-02-08 11:46:27,055 DEBUG 
[org.jasig.cas.client.validation.Cas30ServiceTicketValidator] - <Calling 
template URL attribute map.>

2019-02-08 11:46:27,055 DEBUG 
[org.jasig.cas.client.validation.Cas30ServiceTicketValidator] - <Loading 
custom parameters from configuration.>

2019-02-08 11:46:27,056 DEBUG 
[org.jasig.cas.client.validation.Cas30ServiceTicketValidator] - 
<Constructing validation url: 
https://idp-oidc.fr/p3/serviceValidate?ticket=ST-1-***idp-oidc.fr&service=https%3A%2F%2Fidp-oidc.fr%2Foauth2.0%2FcallbackAuthorize%3Fclient_id%3Dservice.clientId%26redirect_uri%3Dservice.redirect_uri%26response_type%3Dcode%26client_name%3DCasOAuthClient
>

2019-02-08 11:46:27,056 DEBUG 
[org.jasig.cas.client.validation.Cas30ServiceTicketValidator] - <Retrieving 
response from server.>

2019-02-08 11:46:27,227 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit 
trail record BEGIN

=============================================================

WHO: audit:unknown

WHAT: [result=Service Access 
Granted,service=service.redirect_uri,principal=SimplePrincipal(id=userPseudo, 
attributes={}),requiredAttributes={}]

ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED

APPLICATION: CAS

WHEN: Fri Feb 08 11:46:27 CET 2019

CLIENT IP ADDRESS: ip

SERVER IP ADDRESS: ip

=============================================================

 

2019-02-08 11:46:27,241 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit 
trail record BEGIN

=============================================================

WHO: userPseudo

WHAT: ST-****idp-oidc.fr

ACTION: SERVICE_TICKET_VALIDATED

APPLICATION: CAS

WHEN: Fri Feb 08 11:46:27 CET 2019

CLIENT IP ADDRESS: ip

SERVER IP ADDRESS: ip

=============================================================

 

>

 

2019-02-08 11:46:27,246 DEBUG 
[org.apereo.cas.web.AbstractServiceValidateController] - <Locating the 
primary authentication associated with this service request 
[AbstractWebApplicationService(id=service.redirect_uri, 
originalUrl=service.redirect_uri, artifactId=ST-1-*****idp-oidc.fr, 
principal=null, source=service, loggedOutAlready=false, format=XML, 
attributes={})]>

2019-02-08 11:46:27,246 DEBUG 
[org.apereo.cas.web.AbstractServiceValidateController] - <No particular 
authentication context is required for this request>

2019-02-08 11:46:27,246 DEBUG 
[org.apereo.cas.web.AbstractServiceValidateController] - <No service 
credentials specified, and/or the proxy handler 
[org.apereo.cas.ticket.proxy.support.Cas20ProxyHandler@3bf721e5] cannot 
handle credentials>

2019-02-08 11:46:27,246 DEBUG 
[org.apereo.cas.web.AbstractServiceValidateController] - <Successfully 
validated service ticket [ST-1-****idp-oidc.fr] for service [
https://idp-oidc.fr/oauth2.0/callbackAuthorize?client_id=service.clientId&redirect_uri=service.redirect_uri&response_type=code&client_name=CasOAuthClient
]>

2019-02-08 11:46:27,254 DEBUG [org.apereo.cas.web.view.Cas20ResponseView] - 
<Prepared CAS response output model with attribute names [[assertion, 
service, org.springframework.validation.BindingResult.assertion, 
org.springframework.validation.BindingResult.service, principal, 
chainedAuthentications, primaryAuthentication, attributes]]>

2019-02-08 11:46:27,255 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] - 
<Processed principal attributes from the output model to be [[]]>

2019-02-08 11:46:27,255 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] - 
<CAS is configured to release protocol-level attributes. Processing...>

2019-02-08 11:46:27,255 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] - 
<Processed protocol/authentication attributes from the output model to be 
[[samlAuthenticationStatementAuthMethod, credentialType, isFromNewLogin, 
authenticationDate, authenticationMethod, successfulAuthenticationHandlers, 
longTermAuthenticationRequestTokenUsed]]>

2019-02-08 11:46:27,256 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] - 
<Final collection of attributes for the response are 
[[samlAuthenticationStatementAuthMethod, credentialType, isFromNewLogin, 
authenticationDate, authenticationMethod, successfulAuthenticationHandlers, 
longTermAuthenticationRequestTokenUsed]].>

2019-02-08 11:46:27,256 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] - 
<Beginning to encode attributes for the response>

2019-02-08 11:46:27,256 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] - 
<Encoded attributes for the response are 
[{samlAuthenticationStatementAuthMethod=[urn:oasis:names:tc:SAML:1.0:am:password],
 
credentialType=[UsernamePasswordCredential], isFromNewLogin=[true], 
authenticationDate=[2019-02-08T11:46:26.544+01:00[Europe/Paris]], 
authenticationMethod=[AcceptUsersAuthenticationHandler], 
successfulAuthenticationHandlers=[AcceptUsersAuthenticationHandler], 
longTermAuthenticationRequestTokenUsed=[false]}]>

2019-02-08 11:46:27,256 DEBUG 
[org.apereo.cas.web.view.attributes.DefaultCas30ProtocolAttributesRenderer] 
- <Beginning to format/render attributes for the response>

2019-02-08 11:46:27,286 DEBUG 
[org.apereo.cas.web.view.attributes.DefaultCas30ProtocolAttributesRenderer] 
- <Formatted attribute for the response: 
[<cas:samlAuthenticationStatementAuthMethod>urn:oasis:names:tc:SAML:1.0:am:password</cas:samlAuthenticationStatementAuthMethod>]>

2019-02-08 11:46:27,286 DEBUG 
[org.apereo.cas.web.view.attributes.DefaultCas30ProtocolAttributesRenderer] 
- <Formatted attribute for the response: 
[<cas:credentialType>UsernamePasswordCredential</cas:credentialType>]>

2019-02-08 11:46:27,286 DEBUG 
[org.apereo.cas.web.view.attributes.DefaultCas30ProtocolAttributesRenderer] 
- <Formatted attribute for the response: 
[<cas:isFromNewLogin>true</cas:isFromNewLogin>]>

2019-02-08 11:46:27,286 DEBUG 
[org.apereo.cas.web.view.attributes.DefaultCas30ProtocolAttributesRenderer] 
- <Formatted attribute for the response: 
[<cas:authenticationDate>2019-02-08T11:46:26.544+01:00[Europe/Paris]</cas:authenticationDate>]>

2019-02-08 11:46:27,286 DEBUG 
[org.apereo.cas.web.view.attributes.DefaultCas30ProtocolAttributesRenderer] 
- <Formatted attribute for the response: 
[<cas:authenticationMethod>AcceptUsersAuthenticationHandler</cas:authenticationMethod>]>

2019-02-08 11:46:27,286 DEBUG 
[org.apereo.cas.web.view.attributes.DefaultCas30ProtocolAttributesRenderer] 
- <Formatted attribute for the response: 
[<cas:successfulAuthenticationHandlers>AcceptUsersAuthenticationHandler</cas:successfulAuthenticationHandlers>]>

2019-02-08 11:46:27,286 DEBUG 
[org.apereo.cas.web.view.attributes.DefaultCas30ProtocolAttributesRenderer] 
- <Formatted attribute for the response: 
[<cas:longTermAuthenticationRequestTokenUsed>false</cas:longTermAuthenticationRequestTokenUsed>]>

 

2019-02-08 11:46:27,310 DEBUG 
[org.jasig.cas.client.validation.Cas30ServiceTicketValidator] - <Server 
response: <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>

    <cas:authenticationSuccess>

        <cas:user>userPseudo</cas:user>

        <cas:attributes>

              allUserAttributesAllowed

         </cas:attributes>

    </cas:authenticationSuccess>

</cas:serviceResponse>

>

2019-02-08 11:46:27,391 WARN 
[org.apereo.cas.oidc.web.controllers.OidcAuthorizeEndpointController] - 
<Provided scopes [[]] are undefined by OpenID Connect, which requires that 
scope [openid] MUST be specified, or the behavior is unspecified. CAS MAY 
allow this request to be processed for now.>

2019-02-08 11:46:27,394 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit 
trail record BEGIN

=============================================================

WHO: audit:unknown

WHAT: [result=Service Access 
Granted,service=^service.redirect_uri,requiredAttributes={}]

ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED

APPLICATION: CAS

WHEN: Fri Feb 08 11:46:27 CET 2019

CLIENT IP ADDRESS: ip

SERVER IP ADDRESS: ip

=============================================================

 

>

 

>

2019-02-08 11:46:27,394 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit 
trail record BEGIN

=============================================================

WHO: audit:unknown

WHAT: [result=Service Access 
Granted,service=^service.redirect_uri,requiredAttributes={}]

ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED

APPLICATION: CAS

WHEN: Fri Feb 08 11:46:27 CET 2019

CLIENT IP ADDRESS: ip

SERVER IP ADDRESS: ip

=============================================================

On Wednesday, 6 February 2019 at 08:56:47 UTC+1, kyra1510 wrote:
>
> Hi all,
>
> I apologize for my French English.
>
> I have a problem when I upgrade my CAS 5.2.x to CAS 5.3.7 with the SAML 
> delegation.
> My CAS 5.3.7 is configured to use the OpenIdConnect authentication but it 
> is possible to delegate the authentication to an IDP SAML2.
> I have no problem with the delegation in CAS 5.2.x 
>
> When I use the OIDC authentication without delegation, the workflow is 
> correct.
> Workflow:
> 1 The user enters their password and logs in on the authentication page
> 2 The user is redirected to a consent page
> 3 When clicking on the button "allow", an authorization code is returned
>
> But when I use the SAML2 delegation, I am not redirected to the consent page:
> 1 The user clicks on the button which redirects to the correct IDP
> 2 The user logs in on the IDP SAML  
> 3 Afterwards the user is returned to my CAS 5.3.7 and arrives on the page 
> service?ticket=ST-x 
> <https://idp-auth.poc-mobilite.test-gar.education.fr/com.worldline.bcmc.gar.openidcpoc.oidcnongar:/oauthredirect?ticket=ST-4-3XKBx3tGziyH-T3nCMxlmedrnycidp-auth.poc-mobilite.test-gar.education.fr>xxxxxxxxxxxxxxxxxxxxxxxxxxx
>  
> and I have a code 302
>
>
> I found this issue on GitHub which seems to correspond to my problem 
> https://github.com/apereo/cas/pull/3664.
> It describes the same issue in CAS 5.3.x in the SAML2 protocol before the 
> bug was fixed. It didn't concern the delegation.
> Could it be that this problem is related to my issue?
>
> Thanks for any help.
>
> Kyra
>
>
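One way to compare a working capture with a failing one, as an added example (not from the original post or the CAS project): it parses the Inspektr audit records in the wrapped layout shown in the logs above, collapses the doubled entries, and lists the audit actions the second capture lacks. The function names and both sample captures are constructed; `OTHER` is not the poster's delegated-flow log.

```python
import re

ENTRY_START = re.compile(r"^(?=\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} )", re.M)
FIELD = re.compile(r"^(WHO|WHAT|ACTION|APPLICATION|WHEN|CLIENT IP ADDRESS|SERVER IP ADDRESS): ?(.*)$")

def parse_audit_records(text):
    """Return one dict per Inspektr 'Audit trail record' found in a CAS log."""
    records = []
    for entry in ENTRY_START.split(text):
        # The marker itself is wrapped across lines, so normalise whitespace first.
        if "Audit trail record BEGIN" not in " ".join(entry.split()):
            continue
        rec, key = {"timestamp": entry[:23]}, None
        for line in entry.splitlines()[1:]:
            s = line.strip()
            m = FIELD.match(s)
            if m:
                key = m.group(1)
                rec[key] = m.group(2).strip()
            elif key and s and not s.startswith("="):
                rec[key] += " " + s   # wrapped continuation of the previous field
            else:
                key = None            # blank line or separator ends the field
        records.append(rec)
    return records

def action_sequence(text):
    """Ordered ACTION values, with back-to-back identical records collapsed."""
    seq = []
    for r in parse_audit_records(text):
        item = (r["timestamp"], r.get("ACTION"), r.get("WHAT"))
        if not seq or seq[-1] != item:
            seq.append(item)
    return [action for _, action, _ in seq]

def missing_actions(reference_log, other_log):
    """Audit actions present in the reference capture but absent from the other."""
    seen = set(action_sequence(other_log))
    return [a for a in action_sequence(reference_log) if a not in seen]

def _record(ts, action, what_head, what_tail):
    """Constructed sample entry in the wrapped layout of the logs above."""
    return (f"{ts} INFO \n[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit \n"
            f"trail record BEGIN\n\n{'=' * 61}\n\nWHO: audit:unknown\n\nWHAT: {what_head} \n{what_tail}\n\n"
            f"ACTION: {action}\n\nAPPLICATION: CAS\n\n{'=' * 61}\n\n \n\n>\n\n")

EVENT = _record("2019-02-08 11:44:30,864", "AUTHENTICATION_EVENT_TRIGGERED",
                "[event=success,timestamp=Fri Feb 08 11:44:30 CET",
                "2019,source=RankedAuthenticationProviderWebflowEventResolver]")
ACCESS = _record("2019-02-08 11:46:27,394", "SERVICE_ACCESS_ENFORCEMENT_TRIGGERED",
                 "[result=Service Access", "Granted,service=^service.redirect_uri,requiredAttributes={}]")
REFERENCE = EVENT * 2 + ACCESS * 2   # every record appears twice, as in the logs above
OTHER = EVENT * 2                    # constructed capture that stops early
```

Running `missing_actions` on the two real captures (normal login and delegated login) shows the first audited step at which the flows diverge.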
