I don't get any info log when I try to access the service (which I find weird, by the way). Debug returns:

2022-05-05 15:05:18,699 DEBUG [org.springframework.security.web.FilterChainProxy] - <Securing GET /oidc/authorize?response_type=code&redirect_uri=https%3A%2F%2Fxxxx.callback.oauth.domain.com&scope=openid+email+profile+offline_access&state=abcdef&client_id=appoidc>
2022-05-05 15:05:18,699 DEBUG [org.springframework.security.web.context.SecurityContextPersistenceFilter] - <Set SecurityContextHolder to empty SecurityContext>
2022-05-05 15:05:18,699 DEBUG [org.springframework.security.web.authentication.AnonymousAuthenticationFilter] - <Set SecurityContextHolder to anonymous SecurityContext>
2022-05-05 15:05:18,699 DEBUG [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] - <Authorized public object filter invocation [GET /oidc/authorize?response_type=code&redirect_uri=https%3A%2F%2Fxxxx.callback.oauth.domain.com&scope=openid+email+profile+offline_access&state=abcdef&client_id=appoidc]>
2022-05-05 15:05:18,699 DEBUG [org.springframework.security.web.FilterChainProxy] - <Secured GET /oidc/authorize?response_type=code&redirect_uri=https%3A%2F%2Fxxxx.callback.oauth.domain.com&scope=openid+email+profile+offline_access&state=abcdef&client_id=appoidc>
2022-05-05 15:05:18,721 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] - <Did not store anonymous SecurityContext>
2022-05-05 15:05:18,722 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] - <Did not store anonymous SecurityContext>
2022-05-05 15:05:18,722 DEBUG [org.springframework.security.web.context.SecurityContextPersistenceFilter] - <Cleared SecurityContextHolder to complete request>
Even if I don't see any error in the logs, my problem could be the same as yours... I'm going to define the X-Forwarded-Proto in the Apache VirtualHost. Thank you for your advice.

On Thu, May 5, 2022 at 14:43, Petr Fišer <[email protected]> wrote:

> Hello,
> Do not focus on the service loading, look at the logs from the time you are actually trying to access the service. That should help you more.
>
>
> Hm... your HTTPd does SSL offloading. That might be the case... I faced a similar problem with my https/443 -> http/8080 proxy.
> I am not sure if that applies to AJP proxying too, but I *think* AJP should transfer scheme information... anyway, I will describe the problem I was having. Just in case.
>
>
> I was running https/443 (nGinx) -> http/8080 proxy (standalone Tomcat + CAS .war). Older CAS (6.2.x) was working fine with my OIDC configuration, newer (6.5.x) was not. I was getting the same error as you do.
> My server prefix was https://am.something.tld/cas, so I set the OIDC Issuer to https://am.something.tld/cas/oidc . All good here.
>
> In 6.5.x there is some additional matching/checking of the OIDC issuer against incoming OIDC requests and/or service callbacks in the CAS itself. I got one line in the log which was something like:
>
> *the request **https**://am.something.tld/cas/oidc/authorize?=... does not match oidc issuer **http**://am.something.tld/cas/oidc*
>
> See the "http" in the matching rule where the "https" should be? The problem here was in bad URI scheme information getting to the CAS. CAS gets the info from the X-Forwarded-Proto header, and from the Tomcat connector object (Java representation of the HTTP connector inside the application container). Basically, CAS thought I was running plain HTTP because the Tomcat connector object *is* plain http for the backend server and I was not giving it the X-Forwarded-Proto header.
>
> I had to make sure my proxy is setting correct X-Forwarded-Proto and Tomcat propagates it to the application via RemoteIpValve.
> Once I did this, things started working.
>
> Cheers,
> Fiisch
>
> On 05/05/2022 02:01 PM, wouldsmina wrote:
>
> Hello Fiisch,
>
> Yes, debug logging is enabled, but nothing interesting. Service file is correctly loaded:
> [2022-05-05 12:10:03] [info] 2022-05-05 12:10:03,277 DEBUG [org.apereo.cas.services.resource.AbstractResourceBasedServiceRegistry] - <Attempting to read and parse [/etc/cas/services/appoidc-1624798320.json]>
> [2022-05-05 12:10:03] [info] 2022-05-05 12:10:03,277 DEBUG [org.apereo.cas.oidc.services.OidcServiceRegistryListener] - <Mapped [email] to attribute release policy [OidcEmailScopeAttributeReleasePolicy]>
> [2022-05-05 12:10:03] [info] 2022-05-05 12:10:03,277 DEBUG [org.apereo.cas.oidc.services.OidcServiceRegistryListener] - <Mapped [profile] to attribute release policy [OidcProfileScopeAttributeReleasePolicy]>
> [2022-05-05 12:10:03] [info] 2022-05-05 12:10:03,277 DEBUG [org.apereo.cas.oidc.services.OidcServiceRegistryListener] - <Given scope [offline_access], service [1624798320] is marked to generate refresh tokens>
>
> The CAS server is behind a proxy (apache) like my CAS 6.1:
>
> <VirtualHost *:443>
>     ServerAdmin [email protected]
>     ServerName cas-test.domain.fr
>
>     DocumentRoot /var/www/cas-test
>     AccessFileName .htaccess
>
>     <Directory />
>         Options FollowSymLinks
>         AllowOverride None
>         Allow from all
>     </Directory>
>     <Directory /var/www/>
>         Options FollowSymLinks MultiViews
>         AllowOverride AuthConfig
>         Order allow,deny
>         Allow from all
>     </Directory>
>
>     ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
>     <Directory "/usr/lib/cgi-bin">
>         AllowOverride None
>         Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
>         Order allow,deny
>         Allow from all
>     </Directory>
>
>     LogLevel warn
>     ErrorLog ${APACHE_LOG_DIR}/cas-test-error.log
>     CustomLog ${APACHE_LOG_DIR}/cas-test-ssl_access.log combined
>
>     Alias /doc/ "/usr/share/doc/"
>     <Directory "/usr/share/doc/">
>         Options MultiViews FollowSymLinks
>         AllowOverride None
>         Order deny,allow
>         Deny from all
>         Allow from 127.0.0.0/255.0.0.0 ::1/128
>     </Directory>
>
>     SSLEngine on
>
>     <FilesMatch "\.(cgi|shtml|phtml|php)$">
>         SSLOptions +StdEnvVars
>     </FilesMatch>
>     <Directory /usr/lib/cgi-bin>
>         SSLOptions +StdEnvVars
>     </Directory>
>
>     BrowserMatch ".*.*" \
>         nokeepalive ssl-unclean-shutdown \
>         downgrade-1.0 force-response-1.0
>
>     ProxyPass /cas ajp://spartana-b2.domain.fr:8010/cas
> </VirtualHost>
>
> Regards.
>
>
> On Thu, May 5, 2022 at 11:02, Petr Fišer <[email protected]> wrote:
>
>> Hello,
>> Do you have DEBUG logging enabled? Is there anything interesting in the logs?
>> Also, what is your setup? Are you running behind a proxy, perchance?
>>
>> Cheers,
>> Fiisch
>>
>> On 05/05/2022 09:27 AM, wouldsmina wrote:
>>
>> I had no properties in cas.properties for oidc. I added cas.authn.oidc.core.issuer like in the documentation, but it doesn't change anything.
>> Cas.log and catalina.log return no warn on a replaced attribute and the service file is loaded correctly.
>>
>> Looks like the regex in serviceId is not working (yet the same works on cas 6.1).
>>
>> Regards.
>>
>> On Wed, May 4, 2022 at 19:39, Ray Bon <[email protected]> wrote:
>>
>>> I meant search for the property that you are currently using.
>>> There should be a note about the name of the new property.
>>>
>>> Ray
>>>
>>> On Wed, 2022-05-04 at 17:38 +0200, wouldsmina wrote:
>>>
>>> Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.
>>>
>>> Thank you Ray. The file contains nearly 80,000 lines... it's not going to be easy to find my way around. I will still try to find a solution, but if someone can guide me more, I'm interested.
>>>
>>>
>>> On Tue, May 3, 2022 at 17:56, Ray Bon <[email protected]> wrote:
>>>
>>> Said,
>>>
>>> Some of the property names may have changed.
>>> Run this command to get the list of all properties:
>>>
>>> ./gradlew exportConfigMetadata
>>>
>>> then search for the properties you are using.
>>>
>>> See,
>>> https://github.com/apereo/cas-overlay-template/tree/6.5#configuration-metadata
>>>
>>> Ray
>>>
>>> On Tue, 2022-05-03 at 05:08 -0700, Said b wrote:
>>>
>>> Hello,
>>>
>>> I am using OpenID Connect with CAS 6.1.7. I installed CAS 6.5.3 in test, but I get an error (Application not authorized to use CAS) while the service file is identical. Is there a configuration change between 6.1 and 6.5? I don't see anything in the documentation.
>>> Service file:
>>> {
>>>   "id": 1624798320,
>>>   "name": "AppOIDC",
>>>   "description": "mobile app",
>>>   "evaluationOrder": 99,
>>>   "@class": "org.apereo.cas.services.OidcRegisteredService",
>>>   "supportedGrantTypes": [
>>>     "java.util.HashSet",
>>>     [
>>>       "authorization_code",
>>>       "refresh_token"
>>>     ]
>>>   ],
>>>   "clientId": "mobileapp",
>>>   "clientSecret": "xxxxxxxxxxxxxxxxxxxxxxxxxx",
>>>   "serviceId": "^https://service.callback.oauth.domain.com$",
>>>   "scopes": [
>>>     "java.util.HashSet",
>>>     [
>>>       "profile",
>>>       "email",
>>>       "offline_access"
>>>     ]
>>>   ],
>>>   "attributeReleasePolicy": {
>>>     "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
>>>     "allowedAttributes": [ "java.util.ArrayList", [ "sn", "givenName" ] ]
>>>   }
>>> }
>>>
>>> Regards.
>>>
>>> --
>>> Ray Bon
>>> Programmer Analyst
>>> Development Services, University Systems
>>> 2507218831 | CLE 019 | [email protected]
>>>
>>> I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional territory the university stands, and the Songhees, Esquimalt and WSÁNEĆ peoples whose historical relationships with the land continue to this day.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAH2NqNZkyctP2H5C2ioEFM9L2x0RFPCdctc0JinbXp61Z_Fn1w%40mail.gmail.com.
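To make the http-vs-https issuer mismatch Petr describes concrete, here is an added Python model (not CAS or Tomcat code, and not from anyone in the thread) of a RemoteIpValve-style scheme override followed by a simplified issuer-prefix check; the issuer, host, proxy address and request are constructed values, and the "trusted proxy" rule is included because honouring X-Forwarded-Proto from arbitrary clients would let any caller spoof the scheme.

```python
from urllib.parse import urlsplit

# Constructed values (not the thread's real deployment): the backend Tomcat
# connector is plain HTTP, while the configured issuer uses https.
CONNECTOR_SCHEME = "http"
ISSUER = "https://am.something.tld/cas/oidc"  # cas.authn.oidc.core.issuer
TRUSTED_PROXIES = {"10.0.0.5"}  # peers whose X-Forwarded-* headers we honour


def resolve_scheme(connector_scheme, headers, remote_addr, trusted=TRUSTED_PROXIES):
    """RemoteIpValve-style rule: take the scheme from X-Forwarded-Proto only
    when the immediate peer is a trusted proxy; otherwise keep the connector's
    own scheme (http here, because TLS is terminated in front of Tomcat)."""
    proto = headers.get("X-Forwarded-Proto", "").strip().lower()
    if proto in ("http", "https") and remote_addr in trusted:
        return proto
    return connector_scheme


def request_url(scheme, host, path, query=""):
    """Rebuild the absolute URL that CAS compares against its issuer."""
    return f"{scheme}://{host}{path}" + (f"?{query}" if query else "")


def issuer_matches(issuer, url):
    """Simplified model of the check behind Petr's log line: scheme and host
    must be identical and the request path must sit under the issuer path."""
    i, u = urlsplit(issuer), urlsplit(url)
    same_origin = (i.scheme, i.netloc) == (u.scheme, u.netloc)
    under_issuer = u.path.startswith(i.path.rstrip("/") + "/")
    return same_origin and under_issuer


def check_authorize(headers, remote_addr="10.0.0.5"):
    """Return (matches, url) for a constructed /cas/oidc/authorize request."""
    scheme = resolve_scheme(CONNECTOR_SCHEME, headers, remote_addr)
    url = request_url(scheme, "am.something.tld", "/cas/oidc/authorize",
                      "response_type=code&client_id=appoidc")
    return issuer_matches(ISSUER, url), url


if __name__ == "__main__":
    # Without the header the request is seen as http:// and fails the check;
    # with it (from a trusted proxy) the request becomes https:// and passes.
    for hdrs in ({}, {"X-Forwarded-Proto": "https"}):
        ok, url = check_authorize(hdrs)
        print(f"{url}: {'matches' if ok else 'does not match'} issuer {ISSUER}")
```

The same header sent by an untrusted address is ignored, which is the behaviour to aim for when configuring the proxy trust list on the Tomcat side.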
