Hello,

We are running CAS 5.3.x on Tomcat9. One of our clients uses OIDC. Intermittently, after login, instead of getting into the app's landing page, they got redirected to the root context, which is the Tomcat page.

What I noticed is at the end:

2021-01-20 23:31:49,158 DEBUG [org.pac4j.core.engine.DefaultCallbackLogic] - <redirectUrl: />

if redirectUrl says /, they got redirected to Tomcat page, which is incorrect. I turned off browser prefetch, that made no difference.

Since this is intermittent, I compared with the good login. With successful login, what happens after OAuth20CasCallbackUrlResolver is: ProfileHelper, but with the ones being redirected to Tomcat, what happens after OAuth20CasCallbackUrlResolver is OAuth20AuthenticationServiceSelectionStrategy. Unfortunately, I do not know why the difference.

Suggestions?

The following are the logs of good login vs. incorrect login flow. I masked username as "username", as well as hostnames.

Thanks!
Yan

== Good Login flow, seeing App landing page after login ===

2021-01-20 23:25:35,682 DEBUG [org.pac4j.core.engine.DefaultCallbackLogic] - <=== CALLBACK ===>
2021-01-20 23:25:35,683 DEBUG [org.pac4j.core.client.finder.DefaultCallbackClientFinder] - <result: [CasOAuthClient]>
2021-01-20 23:25:35,683 DEBUG [org.pac4j.core.engine.DefaultCallbackLogic] - <foundClient: #CasClient# | name: CasOAuthClient | callbackUrl: https://hostname.com/cas5/oauth2.0/callbackAuthorize | callbackUrlResolver: org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@48371f3c | ajaxRequestResolver: org.pac4j.core.http.ajax.DefaultAjaxRequestResolver@7426f632 | redirectActionBuilder: org.apereo.cas.config.CasOAuthConfiguration$$Lambda$216/1668099728@40ee12f1 | credentialsExtractor: org.pac4j.cas.credentials.extractor.TicketAndLogoutRequestExtractor@3fcefb48 | authenticator: org.pac4j.cas.credentials.authenticator.CasAuthenticator@27009c04 | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@1cf616c6 | logoutActionBuilder: #CasLogoutActionBuilder# | serverLogoutUrl: nulllogout | postLogoutUrlParameter: service | | authorizationGenerators: [org.pac4j.cas.authorization.DefaultCasAuthorizationGenerator@57bea927] | configuration: #CasConfiguration# | loginUrl: https://hostname.com/cas5/login | prefixUrl: https://hostname.com/cas5/ | restUrl: https://hostname.com/cas5/v1/tickets | protocol: CAS30 | renew: false | gateway: false | encoding: UTF-8 | logoutHandler: null | acceptAnyProxy: false | allowedProxyChains: [] | proxyReceptor: null | timeTolerance: 1000 | postLogoutUrlParameter: service | defaultTicketValidator: null | urlResolver: org.apereo.cas.support.oauth.web.OAuth20CasCallbackUrlResolver@25ffc2ca | | urlResolver: org.apereo.cas.support.oauth.web.OAuth20CasCallbackUrlResolver@25ffc2ca |>
2021-01-20 23:25:35,692 DEBUG [org.pac4j.core.logout.handler.DefaultLogoutHandler] - <key: ST-2-PDvqP3czi14Mh4kh4HSTQNGJrlMqacas703 -> trackableSession: org.apache.catalina.session.StandardSessionFacade@146a5284>
2021-01-20 23:25:35,693 DEBUG [org.pac4j.core.logout.handler.DefaultLogoutHandler] - <sessionId: 8981369CB4EA183232D7348129A8754F>
2021-01-20 23:25:35,767 DEBUG [org.apereo.cas.support.oauth.web.OAuth20CasCallbackUrlResolver] - <Final resolved callback URL is [https://hostname.com/cas5/oauth2.0/callbackAuthorize?client_id=qaw-oauth2client&redirect_uri=https%3A%2F%2Fclientapp.com%2FQawSSO%2Flogin&response_type=code]>
2021-01-20 23:25:35,868 INFO [org.pac4j.core.profile.ProfileHelper] - <Building user profile based on typedId: username>
2021-01-20 23:25:35,871 DEBUG [org.pac4j.core.engine.DefaultCallbackLogic] - <credentials: #TokenCredentials# | token: ST-2-PDvqP3czi14Mh4kh4HSTQNGJrlMqacas703 |>
2021-01-20 23:25:35,871 DEBUG [org.pac4j.core.engine.DefaultCallbackLogic] - <profile: #CasProfile# | id: username | attributes: {credentialType=UsernamePasswordCredential, email_verified=true, isFromNewLogin=true, authenticationDate=2021-01-20T23:25:35.563Z[UTC], authenticationMethod=casAuthHandler, successfulAuthenticationHandlers=casAuthHandler, longTermAuthenticationRequestTokenUsed=false} | roles: [] | permissions: [] | isRemembered: false | clientName: CasOAuthClient | linkedId: null |>
2021-01-20 23:25:35,871 DEBUG [org.pac4j.core.engine.DefaultCallbackLogic] - <redirectUrl: https://hostname.com/cas5/oidc/authorize?client_id=qaw-oauth2client&redirect_uri=https://clientapp.com/QawSSO/login&response_type=code&scope=openid%20profile%20email&state=eG9lVx>

== Bad Login flow, seeing Tomcat page after login ===

2021-01-20 23:31:49,079 DEBUG [org.pac4j.core.engine.DefaultCallbackLogic] - <=== CALLBACK ===>
2021-01-20 23:31:49,080 DEBUG [org.pac4j.core.client.finder.DefaultCallbackClientFinder] - <result: [CasOAuthClient]>
2021-01-20 23:31:49,080 DEBUG [org.pac4j.core.engine.DefaultCallbackLogic] - <foundClient: #CasClient# | name: CasOAuthClient | callbackUrl: https://hostname.com/cas5/oauth2.0/callbackAuthorize | callbackUrlResolver: org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@48371f3c | ajaxRequestResolver: org.pac4j.core.http.ajax.DefaultAjaxRequestResolver@7426f632 | redirectActionBuilder: org.apereo.cas.config.CasOAuthConfiguration$$Lambda$216/1668099728@40ee12f1 | credentialsExtractor: org.pac4j.cas.credentials.extractor.TicketAndLogoutRequestExtractor@3fcefb48 | authenticator: org.pac4j.cas.credentials.authenticator.CasAuthenticator@27009c04 | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@1cf616c6 | logoutActionBuilder: #CasLogoutActionBuilder# | serverLogoutUrl: nulllogout | postLogoutUrlParameter: service | | authorizationGenerators: [org.pac4j.cas.authorization.DefaultCasAuthorizationGenerator@57bea927] | configuration: #CasConfiguration# | loginUrl: https://hostname.com/cas5/login | prefixUrl: https://hostname.com/cas5/ | restUrl: https://hostname.com/cas5/v1/tickets | protocol: CAS30 | renew: false | gateway: false | encoding: UTF-8 | logoutHandler: #DefaultLogoutHandler# | store: #GuavaStore# | size: 10000 | timeout: 30 | timeUnit: MINUTES | | destroySession: false | | acceptAnyProxy: false | allowedProxyChains: [] | proxyReceptor: null | timeTolerance: 1000 | postLogoutUrlParameter: service | defaultTicketValidator: null | urlResolver: org.apereo.cas.support.oauth.web.OAuth20CasCallbackUrlResolver@25ffc2ca | | urlResolver: org.apereo.cas.support.oauth.web.OAuth20CasCallbackUrlResolver@25ffc2ca |>
2021-01-20 23:31:49,080 DEBUG [org.pac4j.core.logout.handler.DefaultLogoutHandler] - <key: ST-6-YfPqrWVA3lGiMKMUF44VLejEvykqacas703 -> trackableSession: org.apache.catalina.session.StandardSessionFacade@fe5b255>
2021-01-20 23:31:49,080 DEBUG [org.pac4j.core.logout.handler.DefaultLogoutHandler] - <sessionId: 9847688F966C326B1F6E20C4BDB3D5B1>
2021-01-20 23:31:49,080 DEBUG [org.apereo.cas.support.oauth.web.OAuth20CasCallbackUrlResolver] - <Final resolved callback URL is [https://hostname.com/cas5/oauth2.0/callbackAuthorize?client_id=qaw-oauth2client&redirect_uri=https%3A%2F%2Fclientapp.com%2FQawSSO%2Flogin&response_type=code]>
2021-01-20 23:31:49,094 DEBUG [org.apereo.cas.support.oauth.services.OAuth20AuthenticationServiceSelectionStrategy] - <Authentication request is identified as an OAuth request>
2021-01-20 23:31:49,095 DEBUG [org.apereo.cas.support.oauth.services.OAuth20AuthenticationServiceSelectionStrategy] - <Authentication request is identified as an OAuth request>
2021-01-20 23:31:49,095 DEBUG [org.apereo.cas.support.oauth.services.OAuth20AuthenticationServiceSelectionStrategy] - <Authentication request is identified as an OAuth request>
2021-01-20 23:31:49,096 DEBUG [org.apereo.cas.support.oauth.services.OAuth20AuthenticationServiceSelectionStrategy] - <Authentication request is identified as an OAuth request>
2021-01-20 23:31:49,096 DEBUG [org.apereo.cas.support.oauth.services.OAuth20AuthenticationServiceSelectionStrategy] - <Authentication request is identified as an OAuth request>
2021-01-20 23:31:49,096 DEBUG [org.apereo.cas.support.oauth.services.OAuth20AuthenticationServiceSelectionStrategy] - <Authentication request is identified as an OAuth request>
2021-01-20 23:31:49,098 DEBUG [org.apereo.cas.ticket.registry.HazelcastTicketRegistry] - <Locating map name [cas5phys-serviceTicketsCache] for ticket definition [DefaultTicketDefinition(implementationClass=class org.apereo.cas.ticket.ServiceTicketImpl, prefix=ST, properties=DefaultTicketDefinitionProperties(cascade=false, storageName=cas5phys-serviceTicketsCache, storageTimeout=10, storagePassword=null), order=-2147483648)]>
2021-01-20 23:31:49,099 DEBUG [org.apereo.cas.ticket.registry.HazelcastTicketRegistry] - <Located Hazelcast map instance [cas5phys-serviceTicketsCache]>
2021-01-20 23:31:49,101 DEBUG [org.apereo.cas.support.oauth.services.OAuth20AuthenticationServiceSelectionStrategy] - <Authentication request is not identified as an OAuth request>
2021-01-20 23:31:49,102 DEBUG [org.apereo.cas.support.oauth.services.OAuth20AuthenticationServiceSelectionStrategy] - <Authentication request is identified as an OAuth request>
2021-01-20 23:31:49,103 INFO [org.apereo.cas.authentication.principal.Service] - <Quest-CAS: Decoded urls and comparing [https://clientapp.com/QawSSO/login] with [https://clientapp.com/QawSSO/login]>
2021-01-20 23:31:49,104 DEBUG [org.apereo.cas.ticket.registry.HazelcastTicketRegistry] - <Locating map name [cas5phys-serviceTicketsCache] for ticket definition [DefaultTicketDefinition(implementationClass=class org.apereo.cas.ticket.ServiceTicketImpl, prefix=ST, properties=DefaultTicketDefinitionProperties(cascade=false, storageName=cas5phys-serviceTicketsCache, storageTimeout=10, storagePassword=null), order=-2147483648)]>
2021-01-20 23:31:49,104 DEBUG [org.apereo.cas.ticket.registry.HazelcastTicketRegistry] - <Located Hazelcast map instance [cas5phys-serviceTicketsCache]>
2021-01-20 23:31:49,106 DEBUG [org.apereo.cas.ticket.registry.AbstractTicketRegistry] - <Removing ticket [ST-6-YfPqrWVA3lGiMKMUF44VLejEvykqacas703] from the registry.>
2021-01-20 23:31:49,107 DEBUG [org.apereo.cas.ticket.registry.HazelcastTicketRegistry] - <Locating map name [cas5phys-serviceTicketsCache] for ticket definition [DefaultTicketDefinition(implementationClass=class org.apereo.cas.ticket.ServiceTicketImpl, prefix=ST, properties=DefaultTicketDefinitionProperties(cascade=false, storageName=cas5phys-serviceTicketsCache, storageTimeout=10, storagePassword=null), order=-2147483648)]>
2021-01-20 23:31:49,107 DEBUG [org.apereo.cas.ticket.registry.HazelcastTicketRegistry] - <Located Hazelcast map instance [cas5phys-serviceTicketsCache]>
2021-01-20 23:31:49,111 DEBUG [org.apereo.cas.support.oauth.services.OAuth20AuthenticationServiceSelectionStrategy] - <Authentication request is identified as an OAuth request>
2021-01-20 23:31:49,158 INFO [org.pac4j.core.profile.ProfileHelper] - <Building user profile based on typedId: username>
2021-01-20 23:31:49,158 DEBUG [org.pac4j.core.engine.DefaultCallbackLogic] - <credentials: #TokenCredentials# | token: ST-6-YfPqrWVA3lGiMKMUF44VLejEvykqacas703 |>
2021-01-20 23:31:49,158 DEBUG [org.pac4j.core.engine.DefaultCallbackLogic] - <profile: #CasProfile# | id: username | attributes: {credentialType=UsernamePasswordCredential, email_verified=true, isFromNewLogin=true, authenticationDate=2021-01-20T23:31:48.973Z[UTC], authenticationMethod=casAuthHandler, successfulAuthenticationHandlers=casAuthHandler, longTermAuthenticationRequestTokenUsed=false, email=yz...@medplus.com} | roles: [] | permissions: [] | isRemembered: false | clientName: CasOAuthClient | linkedId: null |>
2021-01-20 23:31:49,158 DEBUG [org.pac4j.core.engine.DefaultCallbackLogic] - <redirectUrl: />

== END ==
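Added example, not part of the original post and not CAS or pac4j code: a triage script that splits a CAS debug log into callback flows at each "=== CALLBACK ===" marker and reports the flows whose final redirectUrl has no host (such as "/"), together with the order of loggers seen in that flow, so intermittent cases can be compared against good logins. The sample lines, the cas.example.org hostname and all function names are constructed for illustration; one log entry per line is assumed.

```python
import re
from urllib.parse import urlsplit

# Constructed, abbreviated sample in the same layout as the logs in the post.
SAMPLE = """\
2021-01-20 23:25:35,682 DEBUG [org.pac4j.core.engine.DefaultCallbackLogic] - <=== CALLBACK ===>
2021-01-20 23:25:35,767 DEBUG [org.apereo.cas.support.oauth.web.OAuth20CasCallbackUrlResolver] - <Final resolved callback URL is [https://cas.example.org/cas5/oauth2.0/callbackAuthorize]>
2021-01-20 23:25:35,868 INFO [org.pac4j.core.profile.ProfileHelper] - <Building user profile based on typedId: username>
2021-01-20 23:25:35,871 DEBUG [org.pac4j.core.engine.DefaultCallbackLogic] - <redirectUrl: https://cas.example.org/cas5/oidc/authorize?client_id=demo>
2021-01-20 23:31:49,079 DEBUG [org.pac4j.core.engine.DefaultCallbackLogic] - <=== CALLBACK ===>
2021-01-20 23:31:49,080 DEBUG [org.apereo.cas.support.oauth.web.OAuth20CasCallbackUrlResolver] - <Final resolved callback URL is [https://cas.example.org/cas5/oauth2.0/callbackAuthorize]>
2021-01-20 23:31:49,094 DEBUG [org.apereo.cas.support.oauth.services.OAuth20AuthenticationServiceSelectionStrategy] - <Authentication request is identified as an OAuth request>
2021-01-20 23:31:49,098 DEBUG [org.apereo.cas.ticket.registry.HazelcastTicketRegistry] - <Located Hazelcast map instance [demo-serviceTicketsCache]>
2021-01-20 23:31:49,158 INFO [org.pac4j.core.profile.ProfileHelper] - <Building user profile based on typedId: username>
2021-01-20 23:31:49,158 DEBUG [org.pac4j.core.engine.DefaultCallbackLogic] - <redirectUrl: />
"""

LINE = re.compile(r"^(\S+ \S+) (\w+)\s+\[([\w.$]+)\] - <(.*)>$")

def callback_flows(text):
    """Group log entries into flows, one per '=== CALLBACK ===' marker."""
    flows = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, _level, logger, msg = m.groups()
        if msg == "=== CALLBACK ===":
            flows.append({"start": ts, "loggers": [], "redirect": None})
        if not flows:
            continue  # entries before the first callback marker
        flow, short = flows[-1], logger.rsplit(".", 1)[-1]
        if not flow["loggers"] or flow["loggers"][-1] != short:
            flow["loggers"].append(short)  # collapse consecutive repeats
        if msg.startswith("redirectUrl: "):
            flow["redirect"] = msg[len("redirectUrl: "):]
    return flows

def lost_redirect(flow):
    """True when the flow ended on a redirect with no host, e.g. '/'."""
    url = flow["redirect"]
    return url is not None and not urlsplit(url).netloc

def triage(text):
    """Return (start time, redirectUrl, logger order) for suspect flows."""
    return [(f["start"], f["redirect"], f["loggers"])
            for f in callback_flows(text) if lost_redirect(f)]
```
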