Łukasz,

This sounds like the client application is sending the user to CAS with one URL in the service parameter and a different URL when validating the service ticket.

There should be log messages describing why the 'State parameter ...' is output. You may have to turn up the log level.

Ray

On Mon, 2019-06-03 at 01:42 -0700, Łukasz Woźniak wrote:

We use version 5.2.9 of CAS, and we have a problem every day when users try to authenticate. They get "Unauthorized access" and in the log we get a CSRF error:

State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery

The problem appears only the first time every day. Any idea why?

On Friday, 29 March 2019 21:59:24 UTC+1, richard.frovarp wrote:

Need to add CAS 5.3.9. I have Google and Twitter working through delegated auth. So I have that much working.

On 3/29/19 3:57 PM, Richard Frovarp wrote:
> Does anyone have an example config or documentation on how to delegate
> to Azure AD? This is operating at the very edge of my understanding, and
> I'm having some difficulty. Not entirely sure what configs are required,
> or exactly what to set in Azure.
>
> Right now I have:
>
> cas.authn.pac4j.oidc[0].type=AZURE
> cas.authn.pac4j.oidc[0].id=<client id>
> cas.authn.pac4j.oidc[0].secret=<client-secret>
> cas.authn.pac4j.oidc[0].clientName=AZURE
> cas.authn.pac4j.oidc[0].discoveryUri=https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
> cas.authn.pac4j.oidc[0].scope=openid email profile phone
> cas.authn.pac4j.oidc[0].azureTenantId=<directory-id>
>
> No idea if those scopes are right.
>
> Getting:
>
> 2019-03-29 15:53:33,486 ERROR [org.springframework.boot.web.support.ErrorPageFilter] - <Forwarding to error page from request [/clientredirect] due to exception [java.lang.ClassCastException: java.util.Collections$SingletonList cannot be cast to java.lang.String]>
> org.pac4j.core.exception.TechnicalException: java.lang.ClassCastException: java.util.Collections$SingletonList cannot be cast to java.lang.String
>     at org.pac4j.oidc.redirect.OidcRedirectActionBuilder.buildAuthenticationRequestUrl(OidcRedirectActionBuilder.java:113) ~[pac4j-oidc-3.6.1.jar:?]
>     at org.pac4j.oidc.redirect.OidcRedirectActionBuilder.redirect(OidcRedirectActionBuilder.java:78) ~[pac4j-oidc-3.6.1.jar:?]
>     at org.pac4j.core.client.IndirectClient.getRedirectAction(IndirectClient.java:109) ~[pac4j-core-3.6.1.jar:?]
>
> Caused by: java.lang.ClassCastException: java.util.Collections$SingletonList cannot be cast to java.lang.String
>     at com.nimbusds.oauth2.sdk.AuthorizationRequest.parse(AuthorizationRequest.java:972) ~[oauth2-oidc-sdk-5.62.jar:5.62]
>     at com.nimbusds.openid.connect.sdk.AuthenticationRequest.parse(AuthenticationRequest.java:1374) ~[oauth2-oidc-sdk-5.62.jar:5.62]
>     at com.nimbusds.openid.connect.sdk.AuthenticationRequest.parse(AuthenticationRequest.java:1340) ~[oauth2-oidc-sdk-5.62.jar:5.62]
>     at org.pac4j.oidc.redirect.OidcRedirectActionBuilder.buildAuthenticationRequestUrl(OidcRedirectActionBuilder.java:110) ~[pac4j-oidc-3.6.1.jar:?]
>     ... 98 more
>
> Any suggestions would be helpful, because I'm having difficulty pulling
> off the right search to find the right set of documentation at MS.
>
> Thanks,
>
> Richard

--
Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | [email protected]
