Yan, A partial solution is 'cas.view.default-redirect-url' which can be found here, https://apereo.github.io/cas/6.3.x/configuration/Configuration-Properties.html#views. Lets you specify where to go when no service param is supplied.
Ray On Fri, 2021-01-29 at 13:21 -0800, Yan Zhou wrote: Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information. Hello, We noticed an issue on CAS 5.3 with OIDC. I finally realized what maybe going on, but do not have a solution. App uses CAS for authentication via OIDC, App redirects to CAS login page. When people bookmark the apps, the first opportunity they have is the CAS login page, the URL usually reads like this: https://....../cas/login?service=https://app.com Next time, they use the bookmark and go straight to this URL, as oppose to let App redirect to CAS. This is where the problem comes with OIDC. Here is the flow when user type up the App endpoint in browser and let App redirect: GET /cas/oidc/authorize/...... (this is due to the OIDC client in App side, crucial first step) GET /cas/login?service=.....cas/oauth2.0/callbackAuthorize/.... login page shows up, user bookmarks it, and enter credentials POST /cas/login?service=.....cas/oauth2.0/callbackAuthorize/.... GET /cas5/p3/serviceValidate?ticket= GET /cas5/oauth2.0/callbackAuthorize?client_id= GET /cas5/oidc/authorize?client_id= After user logout, and close browser, Restart browser, they use the saved bookmark. Now the flow is showing CAS login page immediately without going through the first endpoint on /odic/authorize (see above). When user login, they are redirected to root /, as oppose to proceed to /oidc/authorize endpoint, this is due to how pac4j works. it almost like a stack pushing/popping, and we did not anything to pop, so we default to root. The root is usually the wrong page, such as the Tomcat welcome page or the domain root. This is fairly consistently seen on IE. Does that make sense? I think this could be happening with any bookmarked CAS login page with service parameter and will be seen in OIDC client apps. Any idea to work around or fix this? Thanks, Yan -- Ray Bon Programmer Analyst Development Services, University Systems 2507218831 | CLE 019 | [email protected]<mailto:[email protected]> I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations. -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/400dd09b227370f3a8e1b5fcc3444f7ac4ec5fbb.camel%40uvic.ca.
