The problem is on the connection CAS <> Azure/OpenID. The state parameter for CSRF is sometimes null when the request comes from Azure to CAS. I checked, and the state is set on the session.
On Monday, June 3, 2019 at 18:06:00 UTC+2, rbon wrote:
> Łukasz,
>
> This sounds like the client application is sending the user to CAS with one URL in the service parameter and a different URL when validating the service ticket.
>
> There should be log messages describing why the 'State parameter ...' is output. You may have to turn up the log level.
>
> Ray
>
> On Mon, 2019-06-03 at 01:42 -0700, Łukasz Woźniak wrote:
> > We use version 5.2.9 of CAS. And we have a problem every day when users try to authenticate. They get "Unauthorized access" and in the log we get a CSRF error:
> >
> > State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery
> >
> > The problem appears only the first time every day. Any idea why?
> >
> > On Friday, March 29, 2019 at 21:59:24 UTC+1, richard.frovarp wrote:
> > > Need to add CAS 5.3.9. I have Google and Twitter working through delegated auth. So I have that much working.
> > >
> > > On 3/29/19 3:57 PM, Richard Frovarp wrote:
> > > > Does anyone have an example config or documentation on how to delegate to Azure AD? This is operating at the very edge of my understanding, and I'm having some difficulty. Not entirely sure what configs are required, or exactly what to set in Azure.
> > > >
> > > > Right now I have:
> > > >
> > > > cas.authn.pac4j.oidc[0].type=AZURE
> > > > cas.authn.pac4j.oidc[0].id=<client id>
> > > > cas.authn.pac4j.oidc[0].secret=<client-secret>
> > > > cas.authn.pac4j.oidc[0].clientName=AZURE
> > > > cas.authn.pac4j.oidc[0].discoveryUri=https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
> > > > cas.authn.pac4j.oidc[0].scope=openid email profile phone
> > > > cas.authn.pac4j.oidc[0].azureTenantId=<directory-id>
> > > >
> > > > No idea if those scopes are right.
> > > > Getting:
> > > >
> > > > 2019-03-29 15:53:33,486 ERROR [org.springframework.boot.web.support.ErrorPageFilter] - <Forwarding to error page from request [/clientredirect] due to exception [java.lang.ClassCastException: java.util.Collections$SingletonList cannot be cast to java.lang.String]>
> > > > org.pac4j.core.exception.TechnicalException: java.lang.ClassCastException: java.util.Collections$SingletonList cannot be cast to java.lang.String
> > > >     at org.pac4j.oidc.redirect.OidcRedirectActionBuilder.buildAuthenticationRequestUrl(OidcRedirectActionBuilder.java:113) ~[pac4j-oidc-3.6.1.jar:?]
> > > >     at org.pac4j.oidc.redirect.OidcRedirectActionBuilder.redirect(OidcRedirectActionBuilder.java:78) ~[pac4j-oidc-3.6.1.jar:?]
> > > >     at org.pac4j.core.client.IndirectClient.getRedirectAction(IndirectClient.java:109) ~[pac4j-core-3.6.1.jar:?]
> > > > Caused by: java.lang.ClassCastException: java.util.Collections$SingletonList cannot be cast to java.lang.String
> > > >     at com.nimbusds.oauth2.sdk.AuthorizationRequest.parse(AuthorizationRequest.java:972) ~[oauth2-oidc-sdk-5.62.jar:5.62]
> > > >     at com.nimbusds.openid.connect.sdk.AuthenticationRequest.parse(AuthenticationRequest.java:1374) ~[oauth2-oidc-sdk-5.62.jar:5.62]
> > > >     at com.nimbusds.openid.connect.sdk.AuthenticationRequest.parse(AuthenticationRequest.java:1340) ~[oauth2-oidc-sdk-5.62.jar:5.62]
> > > >     at org.pac4j.oidc.redirect.OidcRedirectActionBuilder.buildAuthenticationRequestUrl(OidcRedirectActionBuilder.java:110) ~[pac4j-oidc-3.6.1.jar:?]
> > > >     ... 98 more
> > > >
> > > > Any suggestions would be helpful, because I'm having difficulty pulling off the right search to find the right set of documentation at MS.
> > > >
> > > > Thanks,
> > > >
> > > > Richard
> > > >
>
> --
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | [email protected]

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/fc48c3cb-123f-4ae9-8faa-abbfaf0d08de%40apereo.org.
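As an added illustration (not code from this thread, nor from CAS or pac4j), here is a minimal Python model of the callback-side state check that yields the error quoted in the thread: the state is minted at redirect time and bound to the browser session, so the check fails both when that session is gone (expired or replaced, leaving a null stored state) and when the echoed state differs. The session store and its idle timeout are hypothetical simplifications.

```python
import secrets

# Error text as quoted in the thread; emitted for every failure mode below.
ERR = ("State parameter is different from the one sent in authentication "
       "request. Session expired or possible threat of cross-site request forgery")


class SessionStore:
    """Toy in-memory session store with an idle timeout (assumed; not CAS's own)."""

    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds
        self._sessions = {}  # session id -> [attributes, last-access time]

    def create(self, now):
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = [{}, now]
        return sid

    def get(self, sid, now):
        entry = self._sessions.get(sid)
        if entry is None or now - entry[1] > self.ttl:
            self._sessions.pop(sid, None)  # idle too long: the session is gone
            return None
        entry[1] = now
        return entry[0]


def start_login(store, sid, now):
    """Redirect to the IdP: mint a random state and bind it to the browser session."""
    attrs = store.get(sid, now)
    if attrs is None:                # no live session -> a fresh one is started
        sid = store.create(now)
        attrs = store.get(sid, now)
    state = secrets.token_urlsafe(24)
    attrs["oidc_state"] = state
    return sid, {"response_type": "code", "state": state}


def handle_callback(store, sid, params, now):
    """Verify the state echoed by the IdP against the one bound to the session."""
    attrs = store.get(sid, now)
    stored = attrs.get("oidc_state") if attrs is not None else None
    received = params.get("state")
    if stored is None or received is None:
        return False, ERR            # session expired/new, or state lost on the way back
    if not secrets.compare_digest(stored, received):
        return False, ERR            # mismatch: replayed or cross-site forged callback
    del attrs["oidc_state"]          # single use: a replayed callback fails the check
    return True, "ok"
```

Run against a constructed session that idles past the timeout between redirect and callback, the check reports the same message as a forged callback would, which is why the log message alone does not distinguish the two.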
