I've found the issue: it was caused by the service file not being loaded by 
cas. I've added the following line to my cas.properties:
cas.service-registry.json.location=file:/C:/Program Files/Tomcat 9.0/etc/cas/config

But now I'm having a new error:
2023-07-11 14:20:47,712 ERROR [org.springframework.boot.web.servlet.support.ErrorPageFilter] - <Forwarding to error page from request [/oidc/authorize] due to exception [Unable to locate authentication profile]>

And from what I've found on Google, some had this error, but I didn't see 
any solution for it.

This is my last try; after that I'll turn everything off and go for a better 
documented product, unfortunately.
On Tuesday, July 11, 2023 at 15:44:08 UTC+2, Jérémie wrote:

> Indeed, redirect_uri wasn't consistent between the configs, but after updating it 
> nothing has changed. 
>
> This is my service file now:
> {
>   "@class": "org.apereo.cas.services.OidcRegisteredService",
>   "serviceId": "http://localhost:3000",
>
>   "name": "OIDC",
>   "id": 1,
>   "clientId": "41ff9715-bd3e-473c-9888-e2d5a1364c2a",
>   "clientSecret": "da31dc03-443c-4391-963b-86be2d9a4d45",
>
>   "bypassApprovalPrompt": true,
>   "generateRefreshToken": true,
>   "evaluationOrder": 10000
> }
>
> And the URL called:
> https://{URL}/cas/oidc/authorize?client_id=41ff9715-bd3e-473c-9888-e2d5a1364c2a&scope=openid profile email read:all&response_type=code&response_mode=query&state=T0xJV2hyOXFQdVY5anNsX1VsUURrMEVIRlREQ3JGRF9vYzFvZVBXRUpFNw==&nonce=eUFOTnU4NFVBQ0lDQjRteGcxV3E5V1I0N05OT0dzT29ubEwxQ3I4SE1uWg==&redirect_uri=http://localhost:3000&code_challenge=TxDYuTGk_M6AUKwC79VwUCZGE8WejkIwYAtcTkisvRk&code_challenge_method=S256&auth0Client=eyJuYW1lIjoiYXV0aDAtc3BhLWpzIiwidmVyc2lvbiI6IjEuMTkuNCJ9
>
> I'm not seeing anything in the data that could cause the mismatch.
>
> And the error doesn't give much detail on the specific issue (maybe my 
> loggers aren't good?)
>
> On Monday, July 10, 2023 at 19:51:00 UTC+2, Ray Bon wrote:
>
>> Jérémie,
>>
>> The redirect_uri in the URL sent to cas must match the serviceId in your 
>> service file. serviceId can be a regex. The client_id matches clientId 
>> (this is more obvious).
>> There may be other parameters that are sent to cas by your application 
>> that are not identified in the service file. These other parameters may or 
>> may not be a factor (I am still learning OIDC).
>>
>> In short, 'Unauthorized Service Access ...', means that there is a 
>> mismatch between the service requested in the browser and the service file.
>>
>> Ray
>>
>>
>> On Sun, 2023-07-09 at 23:35 -0700, Jérémie wrote:
>>
>> Notice: This message was sent from outside the University of Victoria 
>> email system. Please be cautious with links and sensitive information.
>>
>> Hi, 
>>
>> I'm simply getting:
>>
>> 2023-07-10 06:31:50,609 INFO [org.apereo.cas.web.CasWebApplicationReady] - <Ready to process requests @ [2023-07-10T06:31:50.562Z]>
>> 2023-07-10 06:32:21,021 INFO [org.apereo.cas.ticket.registry.DefaultTicketRegistryCleaner] - <[0] expired tickets removed.>
>> 2023-07-10 06:33:48,750 WARN [org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - <Unauthorized Service Access. Service [41ff9715-bd3e-473c-9888-e2d5a1364c2a] is not registered in service registry.>
>>
>> And no, I'm not connected; I'm reaching this page directly, and I'm always 
>> doing these tests in a private browser session.
>>
>> On Tuesday, July 4, 2023 at 20:36:08 UTC+2, Ray Bon wrote:
>>
>> Jérémie,
>>
>> What do the cas logs say about the authentication event (may need debug 
>> level)?
>>
>> The authorize URL comes after the authentication step. Are you logged in, 
>> in that browser?
>>
>> Ray
>>
>> On Tue, 2023-06-27 at 06:30 -0700, Jérémie wrote:
>>
>>
>> Hi, 
>>
>> I'm pretty new to cas (6.6.8) and I'm trying to connect a test 
>> application to my CAS server using OIDC. I'm used to Okta, Auth0, etc., so 
>> OIDC is not new to me, just CAS configuration.
>>
>> My Cas is also connected to an AD to sign in. 
>>
>> This is my Cas server configuration using the OIDC module 
>> (org.apereo.cas:cas-server-support-oidc):
>>
>> # Server
>> server.port=443
>>
>> # SSL
>> server.ssl.enabled=true
>> server.ssl.key-store=file:{path}
>> server.ssl.key-store-password=xxx
>> server.ssl.key-password=xxx
>>
>> # CAS
>> cas.server.name=https://URL:443
>> cas.server.prefix=${cas.server.name}/cas
>> cas.logout.followServiceRedirects=true
>> cas.authn.accept.enabled=false
>>
>> # Active Directory
>> cas.authn.ldap[0].type=AUTHENTICATED
>> cas.authn.ldap[0].ldapUrl=ldap://localhost:389
>> cas.authn.ldap[0].useStartTls=false
>> cas.authn.ldap[0].baseDn=DC=AAA,DC=BBB
>> cas.authn.ldap[0].search-filter=(sAMAccountName={user})
>> cas.authn.ldap[0].subtreeSearch=true
>> cas.authn.ldap[0].bindDn=USER
>> cas.authn.ldap[0].bindCredential=XXX
>>
>> # OIDC settings
>> cas.authn.oidc.core.issuer=https://URL/cas/oidc
>> cas.authn.oidc.core.skew=5
>> cas.authn.oidc.jwks.file-system.jwks-file=file:C:\Program Files\Tomcat 9.0\etc\cas\config\keystore.jwks
>>
>> # Encryption/Signing keys
>> cas.tgc.crypto.encryption.key=SN7Vpa8oHvXfh2hDZp8ANxZGRkF1DvKbYLTy_Vip2dI
>>
>> cas.tgc.crypto.signing.key=KwbtZl2y5sidXFMShjVm4PiGwjVQ0Fq-ZBp0A_HUK6IOnoS2h0E5cSfp7vy8uioqX04yKIBXcU0kUm6DRuPCZQ
>>
>> cas.webflow.crypto.signing.key=MltIqyj_vGFgZKFfw8vmoqYIYYu_KEU20AyZaAIDZl_Xjhl0ZGpPNe4h4N7-8p1_pNi-s97TQKb1-INp9VEwEA
>> cas.webflow.crypto.encryption.key=3Mh_pdDFLPCMgacDL6z8SQ
>>
>> ---
>>
>> This is my /etc/config/services file:
>> {
>>   "@class": "org.apereo.cas.services.OidcRegisteredService",
>>   "serviceId": "https://localhost:3000/callback",   --> my app URL
>>   "name": "OIDC",
>>   "id": 1,
>>   "clientId": "41ff9715-bd3e-473c-9888-e2d5a1364c2a",
>>   "clientSecret": "SECRET",
>>   "bypassApprovalPrompt": true,
>>   "generateRefreshToken": true,
>>   "evaluationOrder": 10000
>> }
>>
>> --- 
>>
>> This is my test application config (Node.js app):
>> {
>>   "domain": "cas.lyvoc.com/cas/oidc",
>>   "clientId": "41ff9715-bd3e-473c-9888-e2d5a1364c2a"
>> }
>>
>> This application was used with other IdPs, so the issue won't come from it. When 
>> hitting login on it, this is the /authorize URL I'm getting redirected to:
>> https://URL/cas/oidc/authorize?client_id=41ff9715-bd3e-473c-9888-e2d5a1364c2a&acr=http%3A%2F%2Fschemas.openid.net%2Fpape%2Fpolicies%2F2007%2F06%2Fmulti-factor&scope=openid%20profile%20email%20read%3Aall&response_type=code&response_mode=query&state=dGEwS21Ddm52WUNXc254c2ptRmNzQjBOZGNTSGlPZzZ1R1AxVldOTl9lMA%3D%3D&nonce=RUIzY1hEbWJmWDZJYjNWOWh3QVJZcjBBdVNDOGt0RVdjYVl6WEZ1R0tXYQ%3D%3D&redirect_uri=http%3A%2F%2Flocalhost%3A3000&code_challenge=2Mln96FLN8s0qylEMY9yuC7ucbKioF9cGMIYG5B4q8s&code_challenge_method=S256&auth0Client=eyJuYW1lIjoiYXV0aDAtc3BhLWpzIiwidmVyc2lvbiI6IjEuMTkuNCJ9
>>
>> The issue is that I'm getting redirected to a CAS page, but one saying 
>> "Authorization Denied". I'm not getting redirected to the authentication 
>> page or anything like that:
>> [image: firefox_u32LfLkefz.png]
>>
>> I'm not finding anything on the net for this.
>>
>> Thanks for any help!
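Ray's point in the thread (the redirect_uri in the /authorize URL must match the serviceId regex of the registered service, and client_id must equal clientId) can be checked mechanically before restarting CAS. The script below is an added example, not code from this thread or from the CAS project. The service files and the authorize URL are constructed from the values posted above (the CAS host is a placeholder), and the script assumes, as the CAS documentation describes and as you should confirm for your version, that serviceId is applied as a Java-style regular expression with unanchored (find) semantics; that is why it also flags a matching pattern that lacks ^ and $ anchors, since such a pattern would accept any redirect_uri merely containing it.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample data modelled on the thread (not copied from a real deployment).
# First version of the service file: scheme (https) and path (/callback) differ
# from the redirect_uri the application actually sends.
SERVICE_FILE_V1 = json.dumps({
    "@class": "org.apereo.cas.services.OidcRegisteredService",
    "serviceId": "https://localhost:3000/callback",
    "name": "OIDC",
    "id": 1,
    "clientId": "41ff9715-bd3e-473c-9888-e2d5a1364c2a",
    "clientSecret": "SECRET",
    "evaluationOrder": 10000,
})

# Updated service file from the follow-up: serviceId now equals the redirect_uri,
# but as an unanchored regex it still matches any URL that contains that string.
SERVICE_FILE_V2 = json.dumps({
    "@class": "org.apereo.cas.services.OidcRegisteredService",
    "serviceId": "http://localhost:3000",
    "name": "OIDC",
    "id": 1,
    "clientId": "41ff9715-bd3e-473c-9888-e2d5a1364c2a",
    "clientSecret": "SECRET",
    "evaluationOrder": 10000,
})

# Hardened variant (constructed): anchored so only the exact redirect_uri matches.
SERVICE_FILE_V3 = json.dumps({
    "@class": "org.apereo.cas.services.OidcRegisteredService",
    "serviceId": "^http://localhost:3000$",
    "name": "OIDC",
    "id": 1,
    "clientId": "41ff9715-bd3e-473c-9888-e2d5a1364c2a",
    "clientSecret": "SECRET",
    "evaluationOrder": 10000,
})

# The /authorize request the application sends; host is a placeholder, the
# client_id and redirect_uri are the ones from the thread.
AUTHORIZE_URL = (
    "https://cas.example.invalid/cas/oidc/authorize"
    "?client_id=41ff9715-bd3e-473c-9888-e2d5a1364c2a"
    "&scope=openid%20profile%20email%20read%3Aall"
    "&response_type=code&response_mode=query"
    "&redirect_uri=http%3A%2F%2Flocalhost%3A3000"
    "&code_challenge_method=S256"
)


def check_service_match(service_json: str, authorize_url: str) -> dict:
    """Compare client_id and redirect_uri of an authorize URL with a CAS service definition.

    Assumption (confirm against your CAS version): serviceId is a regex applied with
    find() semantics, so an unanchored pattern also matches longer URLs containing it.
    """
    service = json.loads(service_json)
    query = parse_qs(urlsplit(authorize_url).query)
    client_id = query.get("client_id", [""])[0]
    redirect_uri = query.get("redirect_uri", [""])[0]  # parse_qs already URL-decodes

    problems = []
    client_ok = client_id == service.get("clientId")
    if not client_ok:
        problems.append(f"client_id {client_id!r} != clientId {service.get('clientId')!r}")

    pattern = service.get("serviceId", "")
    try:
        redirect_ok = re.search(pattern, redirect_uri) is not None
        if not redirect_ok:
            problems.append(f"redirect_uri {redirect_uri!r} does not match serviceId {pattern!r}")
    except re.error as exc:
        redirect_ok = False
        problems.append(f"serviceId {pattern!r} is not a valid regex: {exc}")

    # A match is only as strict as the pattern: warn when it is not anchored.
    anchored = pattern.startswith("^") and pattern.endswith("$")
    if redirect_ok and not anchored:
        problems.append(f"serviceId {pattern!r} is unanchored; consider '^{re.escape(pattern)}$'")

    return {
        "client_id_ok": client_ok,
        "redirect_uri_ok": redirect_ok,
        "anchored": anchored,
        "problems": problems,
    }


if __name__ == "__main__":
    for label, svc in (("v1", SERVICE_FILE_V1), ("v2", SERVICE_FILE_V2), ("v3", SERVICE_FILE_V3)):
        print(label, check_service_match(svc, AUTHORIZE_URL))
```

Run against the thread's first service file it reports the redirect_uri mismatch that produced "Unauthorized Service Access"; against the updated file it reports a match but warns that the pattern is unanchored; against the anchored variant it reports no problems.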

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/2548404d-4bf5-44bc-ad7d-f9974ec0b2a0n%40apereo.org.