Edit: ? --> :
prefixes? (*TGT, ST, RT, AT, PT, TST, OC, SART, ODUC, PGT, SATQ, ODT*). -->
prefixes: (*TGT, ST, RT, AT, PT, TST, OC, SART, ODUC, PGT, SATQ, ODT*).
On Thursday, November 16, 2023 at 11:00:30 PM UTC+3:30 Meysam Shirazi wrote:
> As you stated, the logout redirect is working:
> *2023-11-15T09:49:04,668Z [http-nio-8080-exec-1] DEBUG
> o.a.c.o.w.c.l.OidcLogoutEndpointController:145 eup.sso.cas {"message":
> "Final logout redirect URL is
> [https://cas.server/profile?client_id=test_jan]"}*
> Regarding the issue with revoking the access token, it appears that the
> token is incorrect. Is there an access token
> (AT-5-QAnGNlAgqS-HC5e0KuklngTKvA-ugvk5) that was erased following a request
> for a logout, but the client sent the incorrect token that begins with (
> *access_tokensnkL58fGsQSM1f...*) and is therefore not listed in the
> ticket catalog because it does not begin with any of these ticket prefixes?
> (*TGT, ST, RT, AT, PT, TST, OC, SART, ODUC, PGT, SATQ, ODT*).
> /logout endpoint, not /oidc/logout or /oidcLogout, is the default logout
> url. It is the typical logout in CAS protocol
> <https://apereo.github.io/cas/6.6.x/protocol/CAS-Protocol-Specification.html#23-logout>
> endpoint with a service parameter.
>
> On Wednesday, November 15, 2023 at 4:44:19 PM UTC+3:30 Udo Einspanier
> wrote:
>
>> Thanks again. Agreed, that actually looks like the redirect URI and
>> logout URI must match.
>> I found that the error in the logs appears not in the request to
>> /oidcLogout, but to /revoke. Our client revokes the access token it
>> received during login before sending the logout request, and that is where
>> the error happens. So probably it is not related to the redirect problem
>> (but still if you know why it happens would be good to know).
>> I attached the debug log output for the revoke and succeeding logout
>> request (replaced id_token, access_token and host with dummy values). During
>> logout I see at least this line which sounds like the
>> post_logout_redirect_uri is fine:
>>
>> 2023-11-15T09:49:04,667Z [http-nio-8080-exec-1] DEBUG
>> o.a.c.o.w.c.l.OidcLogoutEndpointController:107 eup.sso.cas {"message":
>> "Requested logout URL [https://cas.server/profile] is authorized for
>> redirects"}
>>
>> Not sure what you mean with "if you send the request to default /logout
>> url". Shouldn't the OIDC logout request always be sent to the
>> end_session_endpoint
>> advertised in .well-known metadata?
>>
>>
>> On Tuesday, November 14, 2023 at 8:06:28 PM UTC+1 Meysam Shirazi wrote:
>>
>>> About the logoutUrl I said that based on these parts of the code:
>>> [image: Untitled 2.png]
>>> The ticket catalog error needs more details, so set cas.log.level to
>>> debug or trace for more details.
>>>
>>> The configuration is *cas.logout.follow-service-redirects*, and the
>>> default value is false, but I think it's working if you send the request to
>>> default /logout url.
>>> On Tuesday, November 14, 2023 at 5:25:48 PM UTC+3:30 Udo Einspanier
>>> wrote:
>>>
>>>> I also tried to always redirect to the same URL using redirect-url in
>>>> the configuration, but this does not work either and shows the same logout
>>>> page as before:
>>>>
>>>> cas:
>>>>   logout:
>>>>     followServiceRedirects: false
>>>>     removeDescendantTickets: true
>>>>     redirect-url: "https://..."
>>>>
>>>>
>>>>
>>>> On Friday, November 10, 2023 at 8:56:25 AM UTC+1 Meysam Shirazi wrote:
>>>>
>>>>> Hi Udo
>>>>> Change *cas.log.level* to *debug* or set the org.apereo.cas.oidc log
>>>>> level to trace to see what is happening.
>>>>> A common reason is that post_logout_redirect_uri does not match the service,
>>>>> meaning post_logout_redirect_uri is not defined as logoutUrl or matching
>>>>> service id in your service definition.
>>>>>
>>>>>
>>>>> On Friday, November 10, 2023 at 10:29:33 AM UTC+3:30 Udo Einspanier
>>>>> wrote:
>>>>>
>>>>>> Hi Meysam,
>>>>>>
>>>>>> thanks for the quick reply. Yes, id_token_hint is part of the URL, I
>>>>>> just left it out for brevity but should have included it. So here is the
>>>>>> URL from CAS OIDC logout page with all parameters:
>>>>>>
>>>>>>
>>>>>> https://.../cas/oidc/oidcLogout?id_token_hint=...&post_logout_redirect_uri=https://...
>>>>>>
>>>>>> But still no redirect from CAS to post_logout_redirect_uri.
>>>>>>
>>>>>> Any other ideas?
>>>>>>
>>>>>> Thanks,
>>>>>> Udo
>>>>>>
>>>>>> On Friday, November 10, 2023 at 3:41:42 AM UTC+1 Meysam Shirazi wrote:
>>>>>>
>>>>>>> It needs an idToken (in the id_token_hint URL parameter) that contains
>>>>>>> clientId; it can be the same id token that was retrieved in the login
>>>>>>> process.
>>>>>>> On Thursday, November 9, 2023 at 4:20:04 PM UTC+3:30 Udo Einspanier
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> we have CAS 6.6 as OIDC provider. When our client initiates logout,
>>>>>>>> it goes to
>>>>>>>> https://.../cas/oidc/oidcLogout?post_logout_redirect_uri=https:/...
>>>>>>>>
>>>>>>>> In the YAML configuration we have:
>>>>>>>>
>>>>>>>> cas:
>>>>>>>>   logout:
>>>>>>>>     followServiceRedirects: true
>>>>>>>>     removeDescendantTickets: true
>>>>>>>>
>>>>>>>> I would expect CAS to redirect to the URL in parameter
>>>>>>>> post_logout_redirect_uri, but instead
>>>>>>>> shows a logout page titled "Logout successful" where the user can
>>>>>>>> click on the logout URL
>>>>>>>> specified in the logout request.
>>>>>>>> Is there some additional setting required for OIDC, or are we
>>>>>>>> missing something to allow automatic
>>>>>>>> redirect without user interaction?
>>>>>>>>
>>>>>>>> Thanks and best regards,
>>>>>>>> Udo
>>>>>>>>
>>>>>>>>
>>>>>>>>
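An added example, not part of the thread or of the CAS code base: a client-side pre-flight check for the two points discussed above, namely whether a token sent to /revoke starts with one of the listed ticket prefixes, and whether the logout request to the advertised end_session_endpoint carries an id_token_hint issued to the client. The host cas.example.org, the unsigned sample ID token and the use of the `aud` claim for the client id are assumptions; the hyphen after the prefix is inferred from the AT-5-... ID quoted in the thread.

```python
import base64
import json
from urllib.parse import urlencode

# Ticket prefixes exactly as listed in the thread.
TICKET_PREFIXES = {"TGT", "ST", "RT", "AT", "PT", "TST", "OC", "SART",
                   "ODUC", "PGT", "SATQ", "ODT"}

def ticket_prefix(token):
    """Return the listed prefix that `token` starts with, else None.
    Assumes the PREFIX-... shape of the AT-5-... ID quoted in the thread."""
    head, sep, _ = token.partition("-")
    return head if sep and head in TICKET_PREFIXES else None

def jwt_claims(id_token):
    """Decode (without verifying) a compact JWT payload for a local check."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def build_logout_url(metadata, id_token, client_id, post_logout_redirect_uri):
    """Build the logout request for the advertised end_session_endpoint."""
    aud = jwt_claims(id_token).get("aud")  # assumption: client id is in `aud`
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("id_token_hint was not issued to this client")
    query = urlencode({"id_token_hint": id_token,
                       "post_logout_redirect_uri": post_logout_redirect_uri})
    return metadata["end_session_endpoint"] + "?" + query

def _b64(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample data (hypothetical host, unsigned placeholder token).
SAMPLE_METADATA = {
    "end_session_endpoint": "https://cas.example.org/cas/oidc/oidcLogout"}
SAMPLE_ID_TOKEN = ".".join([_b64({"alg": "RS256"}),
                            _b64({"aud": "test_jan", "sub": "demo"}),
                            "constructed-signature"])

if __name__ == "__main__":
    for tok in ("AT-5-QAnGNlAgqS-HC5e0KuklngTKvA-ugvk5",
                "access_tokensnkL58fGsQSM1f"):
        print(tok[:12], "->", ticket_prefix(tok))
    print(build_logout_url(SAMPLE_METADATA, SAMPLE_ID_TOKEN, "test_jan",
                           "https://cas.server/profile"))
```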