Thanks. I will try building and running locally to test the changes. I do think it would be good to also add support for the clientAuthenticationMethod setting. Right now it looks like the code just picks the first in the list.

Abre

On Thu, Sep 17, 2020 at 10:22 AM Jérôme Rautureau <[email protected]> wrote:

> See the PR: https://github.com/apereo/cas/pull/4942
>
> On Thu, Sep 17, 2020 at 12:09, Jérôme Rautureau <[email protected]> wrote:
>
>> Hi,
>>
>> Maybe you can disable PKCE RFC support.
>>
>> I have successfully patched the 6.2.x branch myself:
>>
>> cas.authn.pac4j.oidc[0].generic.useNonce=true
>> cas.authn.pac4j.oidc[0].generic.disable-pkce=true #(default is false)
>>
>> I have started a pull request on the CAS repo in order to provide this
>> configuration key.
>>
>> The issue comes from pac4j version 4.0.3 (and Apereo CAS 6.2.1+):
>> https://www.pac4j.org/docs/release-notes.html
>>
>> On Wed, Sep 16, 2020 at 14:01, Abre Chase <[email protected]> wrote:
>>
>>> Hi All -
>>>
>>> I'm attempting to set up delegation from CAS 6.2.2 to Okta and have run
>>> into a problem.
>>>
>>> The logs show:
>>>
>>> 2020-09-15 23:55:49,201 DEBUG [org.pac4j.oidc.redirect.OidcRedirectionActionBuilder] - <Authentication request url: https://dev-233489.okta.com/oauth2/v1/authorize?scope=openid+profile+email&response_type=code&redirect_uri=https%3A%2F%2Flocalhost%3A8444%2Fcas%2Flogin%2Fokta&state=TST-1-r6SHqooSo3qIITtnkhCDn0aLhoKRl0-R&code_challenge_method=S256&nonce=4NjpcwSH_PxBES2_SXTfeEku6BoDb1jqzsTfxNhsuqc&client_id=0oaz33kps1PVfeERs4x6&code_challenge=dPP8K0ENJEO5BGNv_ML0WarVa7zOLcbZgCJu45Ih5Co>
>>>
>>> 2020-09-15 23:55:49,640 DEBUG [org.pac4j.oidc.credentials.extractor.OidcExtractor] - <Authentication response successful>
>>>
>>> 2020-09-15 23:55:50,150 DEBUG [org.pac4j.oidc.credentials.authenticator.OidcAuthenticator] - <Token response: status=400, content={"error":"invalid_request","error_description":"PKCE code verifier is required when the token endpoint authentication method is 'NONE'."}
>>>
>>> The CAS configuration is:
>>>
>>> cas.authn.pac4j.oidc[0].generic.type=GENERIC
>>> cas.authn.pac4j.oidc[0].generic.discoveryUri=https://dev-233489-admin.okta.com/.well-known/openid-configuration
>>> cas.authn.pac4j.oidc[0].generic.maxClockSkew=600
>>> cas.authn.pac4j.oidc[0].generic.scope=openid profile email
>>> cas.authn.pac4j.oidc[0].generic.id=***
>>> cas.authn.pac4j.oidc[0].generic.secret=***
>>> cas.authn.pac4j.oidc[0].generic.useNonce=true
>>> cas.authn.pac4j.oidc[0].generic.preferredJwsAlgorithm=RS256
>>>
>>> Any idea why the authentication type is defaulting to none and not
>>> client_secret_basic? I've tried adding both:
>>>
>>> cas.authn.pac4j.oidc[0].generic.disablePkce=true
>>> cas.authn.pac4j.oidc[0].generic.clientAuthenticationMethod=client_secret_basic
>>>
>>> But no luck.
>>>
>>> Thanks for any advice. I've been looking at the code and pac4j source
>>> to try to figure out what is going on here but not having much luck.
>>>
>>> Abre Chase
>>
>> --
>> Jérôme Rautureau
>
> --
> Jérôme Rautureau

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAG7CZ5Yj1ezJ4i-nnWpQuiqXQ7kNXo4uCiQhsqws0ebMMkAhwQ%40mail.gmail.com.
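
The rejection in the logged token response, as an added example that is not part of the thread and is not CAS, pac4j or Okta code: a simplified model of a token endpoint's PKCE check (RFC 7636, S256) applied to an authorization request shaped like the logged one. The URLs, function names and decision policy are constructed assumptions; the challenge/verifier pair is the RFC 7636 Appendix B test vector.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed authorization requests (not the values from the log).
AUTHZ_URL = (
    "https://idp.example.test/oauth2/v1/authorize?scope=openid+profile+email"
    "&response_type=code&state=constructed-state&code_challenge_method=S256"
    "&nonce=constructed-nonce&client_id=constructed-client"
    "&code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"
)
AUTHZ_URL_NO_PKCE = (
    "https://idp.example.test/oauth2/v1/authorize"
    "?response_type=code&client_id=constructed-client"
)
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"


def s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), unpadded."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def check_token_request(authz_url, token_params, client_auth_method):
    """Return (http_status, oauth_error) under the assumed policy below."""
    query = parse_qs(urlsplit(authz_url).query)
    challenge = query.get("code_challenge", [None])[0]
    method = query.get("code_challenge_method", ["plain"])[0]
    verifier = token_params.get("code_verifier")
    if verifier is None:
        # Unauthenticated client, or a challenge left unanswered: reject.
        if client_auth_method == "none" or challenge is not None:
            return 400, "invalid_request"
        return 200, None  # authenticated client, PKCE not in use
    if challenge is None:
        return 400, "invalid_grant"  # verifier with no challenge to bind to
    expected = s256(verifier) if method == "S256" else verifier
    if not hmac.compare_digest(expected.encode(), challenge.encode()):
        return 400, "invalid_grant"
    return 200, None


if __name__ == "__main__":
    # The combination seen in the thread: challenge sent, no verifier, auth "none".
    print(check_token_request(AUTHZ_URL, {"code": "constructed-code"}, "none"))
```

The model accepts a token request only when the client either sends the matching `code_verifier` or authenticates and never sent a challenge, which is why both halves of the flow have to agree on whether PKCE is in use.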
