Hi Ray, they bookmark the login page because they are directly redirected there when they call our service. I assume that most users don't notice that they were redirected to a different server to log in.
I'd prefer to improve the way CAS handles this situation so that it doesn't result in an Exception shown the user. In our case, using cas.view.default-redirect-url as default in OAuth20CallbackAuthorizeEndpointController seems to be a reasonable solution. But maybe there is a better approach that I'm missing. Frederik Ray Bon schrieb am Montag, 14. September 2020 um 17:44:55 UTC+2: > Frederik, > > This sounds like something that could be fixed with user education. Why > would a user bookmark a log in page? > > cas.view.default-redirect-url will only be triggered if no service is > provided. > > Ray > > On Mon, 2020-09-14 at 05:16 -0700, 'Frederik B.' via CAS Community wrote: > > Notice: This message was sent from outside the University of Victoria > email system. Please be cautious with links and sensitive information. > > > We use CAS as an OIDC Provider for our service. After upgrading from 6.0 > to 6.2 we received reports from some of our users that they weren't able to > login anymore but were presented an error page with a > org.apereo.cas.ticket.InvalidTicketException. > We found that the users reporting the problem use a bookmark of the CAS > Login URL > https://www.example.com/cas/login?service=https%3A%2F%2Fwww.example.com%2Fcas%2Foauth2.0%2FcallbackAuthorize%3Fclient_id%3D123%26redirect_uri%3Dhttps%253A%252F%252Fwww.example.com%252Fmyservice%252Flogin%252Foauth2%252Fcode%252Fcas-oidc%26response_type%3Dcode%26client_name%3DCasOAuthClient > > to reach our service. This causes the > OAuth20CallbackAuthorizeEndpointController to redirect the request to the > default value 'context.getFullRequestURL()' because the actual service URL > was not previously stored by the SavedRequestHandler. Since > context.getFullRequestURL() returns '/oauth2.0/callbackAuthorize' with the > current Service Ticket as URL parameter, the redirect results in an > InvalidTicketException because the Service Ticket was already consumed by > the previous request. > In CAS 6.0 bookmarking /cas/login worked for us because the default > behavior was a redirect to '/' which is configured to redirect to our > service on our side. > I understand, that redirecting to '/' may not be generally useful behavior > but the current default of 'context.getFullRequestURL()' seems worse, since > it immediately fails. Wouldn't the 'cas.view.default-redirect-url' (if set) > or 'cas/login' be better defaults? > > -- > > Ray Bon > Programmer Analyst > Development Services, University Systems > 2507218831 <(250)%20721-8831> | CLE 019 | [email protected] > > I respectfully acknowledge that my place of work is located within the > ancestral, traditional and unceded territory of the Songhees, Esquimalt and > WSÁNEĆ Nations. > -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/e84231b2-3c3b-458a-8169-dc047488c4f2n%40apereo.org.
