Indeed redirect_uri wasn't consistent between conf, but after updating it 
nothing has changed. 

This is my service file now:
{
  "@class": "org.apereo.cas.services.OidcRegisteredService",
  "serviceId": "http://localhost:3000",
  "name": "OIDC",
  "id": 1,
  "clientId": "41ff9715-bd3e-473c-9888-e2d5a1364c2a",
  "clientSecret": "da31dc03-443c-4391-963b-86be2d9a4d45",
  "bypassApprovalPrompt": true,
  "generateRefreshToken": true,
  "evaluationOrder": 10000
}

And the URL called:
https://{URL}/cas/oidc/authorize?client_id=41ff9715-bd3e-473c-9888-e2d5a1364c2a&scope=openid profile email read:all&response_type=code&response_mode=query&state=T0xJV2hyOXFQdVY5anNsX1VsUURrMEVIRlREQ3JGRF9vYzFvZVBXRUpFNw==&nonce=eUFOTnU4NFVBQ0lDQjRteGcxV3E5V1I0N05OT0dzT29ubEwxQ3I4SE1uWg==&redirect_uri=http://localhost:3000&code_challenge=TxDYuTGk_M6AUKwC79VwUCZGE8WejkIwYAtcTkisvRk&code_challenge_method=S256&auth0Client=eyJuYW1lIjoiYXV0aDAtc3BhLWpzIiwidmVyc2lvbiI6IjEuMTkuNCJ9

I'm not seeing anything in this data that could be causing the mismatch.

And the error doesn't give much detail on the specific issue (maybe my 
loggers aren't good?)

On Monday, 10 July 2023 at 19:51:00 UTC+2, Ray Bon wrote:

> Jérémie,
>
> The redirect_uri in the URL sent to cas must match the serviceId in your 
> service file. serviceId can be a regex. The client_id matches clientId 
> (this is more obvious).
> There may be other parameters that are sent to cas by your application 
> that are not identified in the service file. These other parameters may or 
> may not be a factor (I am still learning OIDC).
>
> In short, 'Unauthorized Service Access ...', means that there is a 
> mismatch between the service requested in the browser and the service file.
>
> Ray
>
>
> On Sun, 2023-07-09 at 23:35 -0700, Jérémie wrote:
>
> Notice: This message was sent from outside the University of Victoria 
> email system. Please be cautious with links and sensitive information.
>
> Hi, 
>
> I'm simply getting:
>
>
> 2023-07-10 06:31:50,609 INFO [org.apereo.cas.web.CasWebApplicationReady] - <Ready to process requests @ [2023-07-10T06:31:50.562Z]>
> 2023-07-10 06:32:21,021 INFO [org.apereo.cas.ticket.registry.DefaultTicketRegistryCleaner] - <[0] expired tickets removed.>
> 2023-07-10 06:33:48,750 WARN [org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - <Unauthorized Service Access. Service [41ff9715-bd3e-473c-9888-e2d5a1364c2a] is not registered in service registry.>
>
> And no I'm not connected, I'm reaching directly this page and I'm always 
> doing these tests in a private browser session.
>
> On Tuesday, 4 July 2023 at 20:36:08 UTC+2, Ray Bon wrote:
>
> Jérémie,
>
> What do the cas logs say about the authentication event (may need debug 
> level)?
>
> The authorize URL comes after the authentication step. Are you logged in, 
> in that browser?
>
> Ray
>
> On Tue, 2023-06-27 at 06:30 -0700, Jérémie wrote:
>
>
>
> Hi, 
>
> I'm pretty new to cas (6.6.8) and I'm trying to connect a test 
> application to my CAS server using OIDC. I'm used to Okta, Auth0, etc so 
> OIDC is not new to me, just CAS configuration.
>
> My Cas is also connected to an AD to sign in. 
>
> This is my Cas server configuration using OIDC module 
> (org.apereo.cas:cas-server-support-oidc):
>
> # Server
> server.port=443
>
> # SSL
> server.ssl.enabled=true
> server.ssl.key-store=file:{path}
> server.ssl.key-store-password=xxx
> server.ssl.key-password=xxx
>
> # CAS
> cas.server.name=https://URL:443
> cas.server.prefix=${cas.server.name}/cas
> cas.logout.followServiceRedirects=true
> cas.authn.accept.enabled=false
>
> # Active Directory
> cas.authn.ldap[0].type=AUTHENTICATED
> cas.authn.ldap[0].ldapUrl=ldap://localhost:389
> cas.authn.ldap[0].useStartTls=false
> cas.authn.ldap[0].baseDn=DC=AAA,DC=BBB
> cas.authn.ldap[0].search-filter=(sAMAccountName={user})
> cas.authn.ldap[0].subtreeSearch=true
> cas.authn.ldap[0].bindDn=USER
> cas.authn.ldap[0].bindCredential=XXX
>
> # OIDC settings
> cas.authn.oidc.core.issuer=https://URL/cas/oidc
> cas.authn.oidc.core.skew=5
> cas.authn.oidc.jwks.file-system.jwks-file=file:C:\Program Files\Tomcat 9.0\etc\cas\config\keystore.jwks
>
> # Encryption/Signing keys
> cas.tgc.crypto.encryption.key=SN7Vpa8oHvXfh2hDZp8ANxZGRkF1DvKbYLTy_Vip2dI
>
> cas.tgc.crypto.signing.key=KwbtZl2y5sidXFMShjVm4PiGwjVQ0Fq-ZBp0A_HUK6IOnoS2h0E5cSfp7vy8uioqX04yKIBXcU0kUm6DRuPCZQ
>
> cas.webflow.crypto.signing.key=MltIqyj_vGFgZKFfw8vmoqYIYYu_KEU20AyZaAIDZl_Xjhl0ZGpPNe4h4N7-8p1_pNi-s97TQKb1-INp9VEwEA
> cas.webflow.crypto.encryption.key=3Mh_pdDFLPCMgacDL6z8SQ
>
> ---
>
> This is my /etc/config/services file:
> {
>   "@class": "org.apereo.cas.services.OidcRegisteredService",
>   "serviceId": "https://localhost:3000/callback", --> my app URL
>   "name": "OIDC",
>   "id": 1,
>   "clientId": "41ff9715-bd3e-473c-9888-e2d5a1364c2a",
>   "clientSecret": "SECRET",
>   "bypassApprovalPrompt": true,
>   "generateRefreshToken": true,
>   "evaluationOrder": 10000
> }
>
> --- 
>
> This is my test application config (Node.js app):
> {
>   "domain": "cas.lyvoc.com/cas/oidc",
>   "clientId": "41ff9715-bd3e-473c-9888-e2d5a1364c2a"
> }
>
> This application was used for other IdPs so it won't come from this. When 
> hitting login on it, this is the /authorize URL I'm getting redirected to:
> https://URL/cas/oidc/authorize?client_id=41ff9715-bd3e-473c-9888-e2d5a1364c2a&acr=http%3A%2F%2Fschemas.openid.net%2Fpape%2Fpolicies%2F2007%2F06%2Fmulti-factor&scope=openid%20profile%20email%20read%3Aall&response_type=code&response_mode=query&state=dGEwS21Ddm52WUNXc254c2ptRmNzQjBOZGNTSGlPZzZ1R1AxVldOTl9lMA%3D%3D&nonce=RUIzY1hEbWJmWDZJYjNWOWh3QVJZcjBBdVNDOGt0RVdjYVl6WEZ1R0tXYQ%3D%3D&redirect_uri=http%3A%2F%2Flocalhost%3A3000&code_challenge=2Mln96FLN8s0qylEMY9yuC7ucbKioF9cGMIYG5B4q8s&code_challenge_method=S256&auth0Client=eyJuYW1lIjoiYXV0aDAtc3BhLWpzIiwidmVyc2lvbiI6IjEuMTkuNCJ9
>
> The issue is that I'm getting redirected to a CAS page, but saying 
> "Authorization Denied". I'm not getting redirected to the authentication 
> page or anything like that:
> [image: firefox_u32LfLkefz.png]
>
> I'm not finding anything on the net for this.
>
> Thanks for any help !
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/d65a6bf4-371c-4a82-98e0-87dfa2534e24n%40apereo.org.
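As an added illustration (not code from the thread or from CAS itself) of the two checks Ray describes, the Python below looks a service up by clientId and then matches redirect_uri against serviceId, using the poster's authorize URL and both versions of his service file as constructed input. It assumes serviceId is a regular expression that must match the whole redirect_uri; that is an assumption about CAS's matching rule, not something the thread confirms.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed from the thread: a trimmed copy of the app's /authorize URL
# (redirect_uri decodes to http://localhost:3000) and the original and
# updated service entries from the poster's service file.
AUTHORIZE_URL = (
    "https://URL/cas/oidc/authorize?client_id=41ff9715-bd3e-473c-9888-e2d5a1364c2a"
    "&scope=openid%20profile%20email%20read%3Aall&response_type=code"
    "&redirect_uri=http%3A%2F%2Flocalhost%3A3000&code_challenge_method=S256"
)
ORIGINAL_SERVICES = [{"clientId": "41ff9715-bd3e-473c-9888-e2d5a1364c2a",
                      "serviceId": "https://localhost:3000/callback"}]
UPDATED_SERVICES = [{"clientId": "41ff9715-bd3e-473c-9888-e2d5a1364c2a",
                     "serviceId": "http://localhost:3000"}]


def authorize_params(url):
    """Decode the query string of an /oidc/authorize URL into single values."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def matches_service_id(service_id, uri):
    """Assumption: serviceId is a regex that has to match the whole URI."""
    return re.fullmatch(service_id, uri) is not None


def check_request(url, services):
    """Model the registry checks: client_id must find a service by clientId,
    then redirect_uri must match that service's serviceId."""
    params = authorize_params(url)
    service = next((s for s in services
                    if s["clientId"] == params.get("client_id")), None)
    if service is None:
        return "not registered"          # the outcome the WARN line reports
    redirect_uri = params.get("redirect_uri", "")
    if matches_service_id(service["serviceId"], redirect_uri):
        return "ok"
    return "redirect_uri mismatch: %r vs serviceId %r" % (
        redirect_uri, service["serviceId"])


def literal_service_id(uri):
    """Escape a URI before using it as serviceId so regex metacharacters such
    as '.' match only themselves (a hardening step, not CAS behaviour)."""
    return re.escape(uri)
```

In this model "not registered" only arises when the clientId lookup fails, whereas the original serviceId produces a redirect_uri mismatch; keeping the two outcomes apart helps when reading the WARN line in the log.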
