Hi,
I'm currently working on CAS in version 6.1.
I have enabled OIDC and created a service which is working.
The problem I'm having is that on every login the user gets redirected to
an approval/consent screen where he has to allow the service access.
According to the documentation, an OidcRegisteredService extends the
OAuthRegisteredService, and the available configuration parameters for the
OAuth service also apply to the OIDC service.
Therefore, I used the parameter "bypassApprovalPrompt" : true.
Unfortunately, this didn't work at all.
On further investigation I found the configuration class
org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy where
I set the key "enabled" to false - this also didn't work.
According to the log, CAS is bypassing the screen:
2019-05-17 16:38:54,041 TRACE
[org.apereo.cas.support.oauth.web.views.OAuth20ConsentApprovalViewResolver] -
<Bypassing approval prompt for service
[OidcRegisteredService(super=OAuthRegisteredService(super=AbstractRegisteredService(serviceId=^http://(onlineservice2|ncvosproxy2-.+)\.company\.de(:[0-9]+)?(/.*)?,
name=Onlineservice, theme=null, informationUrl=null, privacyUrl=null,
responseType=null, id=2010,
expirationPolicy=DefaultRegisteredServiceExpirationPolicy(deleteWhenExpired=false,
notifyWhenDeleted=false, expirationDate=null),
proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1,
proxyTicketExpirationPolicy=null, serviceTicketExpirationPolicy=null,
singleSignOnParticipationPolicy=null, evaluationOrder=0,
usernameAttributeProvider=org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider@87297e2,
logoutType=BACK_CHANNEL, requiredHandlers=[], environments=[],
attributeReleasePolicy=ReturnAllAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null,
principalAttributesRepository=DefaultPrincipalAttributesRepository(),
consentPolicy=DefaultRegisteredServiceConsentPolicy(enabled=false,
excludedAttributes=null, includeOnlyAttributes=null),
authorizedToReleaseCredentialPassword=false,
authorizedToReleaseProxyGrantingTicket=false, excludeDefaultAttributes=false,
authorizedToReleaseAuthenticationAttributes=true, principalIdAttribute=null,
order=0)),
multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[],
failureMode=UNDEFINED, principalAttributeNameTrigger=null,
principalAttributeValueToMatch=null, bypassEnabled=false),
logo=./images/onlineservice.svg, logoutUrl=null,
accessStrategy=DefaultRegisteredServiceAccessStrategy(order=0, enabled=true,
ssoEnabled=true, unauthorizedRedirectUrl=null,
delegatedAuthenticationPolicy=DefaultRegisteredServiceDelegatedAuthenticationPolicy(allowedProviders=[],
permitUndefined=true), requireAllAttributes=true, requiredAttributes={},
rejectedAttributes={}, caseInsensitive=false), publicKey=null, properties={},
contacts=[]), clientSecret=xxxxxxxxxxxxxx, clientId=onlineservice,
bypassApprovalPrompt=true, generateRefreshToken=false, jwtAccessToken=false,
supportedGrantTypes=[], supportedResponseTypes=[]), jwks=null,
jwksAuthenticationMethod=client_secret_basic, signIdToken=true,
encryptIdToken=true, idTokenEncryptionAlg=null, idTokenSigningAlg=null,
idTokenEncryptionEncoding=null, sectorIdentifierUri=null, applicationType=web,
subjectType=public, dynamicallyRegistered=false, implicit=false,
dynamicRegistrationDateTime=null, scopes=[])]: [null]>
2019-05-17 16:38:54,042 TRACE
[org.apereo.cas.support.oauth.web.views.OAuth20ConsentApprovalViewResolver] -
<callbackUrl:
[https://sso2.company.de:8443/cas/oidc/authorize?response_type=code&scope=openid&client_id=onlineservice&state=Ev9kuSd-M6eB7inyzc8MimIBP9Q&redirect_uri=http%3A%2F%2Fonlineservice2.company.de%2Fsecure%2Fredirect_uri&nonce=H_n_BDMb3scnes75g-qra5pzKvUL-O1zYs_HlnoM8T8]>
Could someone please give me a hint?
Best regards,
Christian