Thanks for patience and ongoing support.

The redirect is not working as I expect. Expected behavior: the browser is 
redirected automatically to the URL specified in post_logout_redirect_uri. 
Actual behavior: CAS shows this page, where the user has to manually click 
on the logout link that was supplied by the client (GO TO ...).
[image: logout.png]
Is automatic redirect supported? If yes, do you know the required 
configuration? 

No, the client does not receive an access token of the form "AT-...". We 
have specified the access tokens to be encoded as JWT, via 
"jwtAccessToken": true in the service definition. So the client sends the 
JWT as "token" parameter to /revoke endpoint, which should be according to 
the protocol specification. But my assumption is that CAS does not handle 
JWT access tokens correctly during revoke. The *access_tokensnkL58fGsQSM1f* 
that you mention is because I wanted to replace the JWTs (id/access_token) 
in the log with dummy values, because they contain the server URL.

Yes, I am aware that /logout is the endpoint to use for the CAS protocol. 
But our client uses OIDC and not CAS protocol. So, it sends the logout 
request to "end_session_endpoint" defined in 
https://cas.server/cas/oidc/.well-known. 
Why would we require another protocol just for the logout? 

On Thursday, November 16, 2023 at 10:18:57 PM UTC+1 Meysam Shirazi wrote:

> Edit: ? --> :
> prefixes? (*TGT, ST, RT, AT, PT, TST, OC, SART, ODUC, PGT, SATQ, ODT*). 
> --> prefixes: (*TGT, ST, RT, AT, PT, TST, OC, SART, ODUC, PGT, SATQ, ODT*
> ).
>
> On Thursday, November 16, 2023 at 11:00:30 PM UTC+3:30 Meysam Shirazi 
> wrote:
>
>> As you stated, the logout redirect is working:
>> *2023-11-15T09:49:04,668Z [http-nio-8080-exec-1] DEBUG 
>> o.a.c.o.w.c.l.OidcLogoutEndpointController:145 eup.sso.cas {"message": 
>> "Final logout redirect URL is [https://cas.server/profile?client_id=test_jan]"}*
>> Regarding the issue with revoking the access token, it appears that the 
>> token is incorrect. Is there an access token 
>> (AT-5-QAnGNlAgqS-HC5e0KuklngTKvA-ugvk5) that was erased following a request 
>> for a logout, but the client sent the incorrect token that begins with (
>> *access_tokensnkL58fGsQSM1f...*) and is therefore not listed in the 
>> ticket catalog because it does not begin with any of these ticket prefixes? 
>> (*TGT, ST, RT, AT, PT, TST, OC, SART, ODUC, PGT, SATQ, ODT*).
>> /logout endpoint, not /oidc/logout or /oidcLogout, is the default logout 
>> URL. It is the typical logout endpoint in the CAS protocol 
>> (https://apereo.github.io/cas/6.6.x/protocol/CAS-Protocol-Specification.html#23-logout) 
>> with a service parameter.
>>
>> On Wednesday, November 15, 2023 at 4:44:19 PM UTC+3:30 Udo Einspanier 
>> wrote:
>>
>>> Thanks again. Agreed, that actually looks like the redirect URI and 
>>> logout URI must match.
>>> I found that the error in the logs appears not in the request to 
>>> /oidcLogout, but to /revoke. Our client revokes the access token it 
>>> received during login before sending the logout request, and that is where 
>>> the error happens. So probably it is not related to the redirect problem 
>>> (but it would still be good to know why it happens, if you know).
>>> I attached the debug log output for the revoke and succeeding logout 
>>> request (replaced id_token, access_token and host with dummy values). During 
>>> logout I see at least this line which sounds like the 
>>> post_logout_redirect_uri is fine:
>>>
>>> 2023-11-15T09:49:04,667Z [http-nio-8080-exec-1] DEBUG 
>>> o.a.c.o.w.c.l.OidcLogoutEndpointController:107 eup.sso.cas {"message": 
>>> "Requested logout URL [https://cas.server/profile] is authorized for 
>>> redirects"}
>>>
>>> Not sure what you mean with "if you send the request to default /logout 
>>> url". Shouldn't the OIDC logout request always be sent to the 
>>> end_session_endpoint 
>>> advertised in .well-known metadata? 
>>>
>>>
>>> On Tuesday, November 14, 2023 at 8:06:28 PM UTC+1 Meysam Shirazi wrote:
>>>
>>>> About the logoutUrl, I said that based on these parts of code:
>>>> [image: Untitled 2.png]
>>>> The ticket catalog error needs more details, so set cas.log.level to 
>>>> debug or trace for more details.
>>>>
>>>> The configuration is *cas.logout.follow-service-redirects*, and the 
>>>> default value is false, but I think it's working if you send the request 
>>>> to the default /logout url.
>>>> On Tuesday, November 14, 2023 at 5:25:48 PM UTC+3:30 Udo Einspanier 
>>>> wrote:
>>>>
>>>>> I also tried to always redirect to the same URL using redirect-url in 
>>>>> the configuration, but this does not work either and shows the same logout 
>>>>> page as before:
>>>>>
>>>>> cas:
>>>>>   logout:
>>>>>     followServiceRedirects: false
>>>>>     removeDescendantTickets: true
>>>>>     redirect-url: "https://..."
>>>>>
>>>>>
>>>>>
>>>>> On Friday, November 10, 2023 at 8:56:25 AM UTC+1 Meysam Shirazi wrote:
>>>>>
>>>>>> Hi Udo
>>>>>> Change *cas.log.level* to *debug* or set the org.apereo.cas.oidc log 
>>>>>> level to trace to see what is happening. 
>>>>>> A common reason is that post_logout_redirect_uri does not match the service, 
>>>>>> meaning post_logout_redirect_uri is not defined as logoutUrl or does not match 
>>>>>> the service id in your service definition.
>>>>>>
>>>>>>
>>>>>> On Friday, November 10, 2023 at 10:29:33 AM UTC+3:30 Udo Einspanier 
>>>>>> wrote:
>>>>>>
>>>>>>> Hi Meysam,
>>>>>>>
>>>>>>> thanks for the quick reply. Yes, id_token_hint is part of the URL, I 
>>>>>>> just left it out for brevity but should have included it. So here is the 
>>>>>>> URL from the CAS OIDC logout page with all parameters:
>>>>>>>
>>>>>>>
>>>>>>> https://.../cas/oidc/oidcLogout?id_token_hint=...&post_logout_redirect_uri=https://...
>>>>>>>
>>>>>>> But still no redirect from CAS to post_logout_redirect_uri.
>>>>>>>
>>>>>>> Any other ideas?
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Udo
>>>>>>>
>>>>>>> On Friday, November 10, 2023 at 3:41:42 AM UTC+1 Meysam Shirazi 
>>>>>>> wrote:
>>>>>>>
>>>>>>>> It needs the id token in the id_token_hint URL parameter, which contains 
>>>>>>>> the clientId; it can be the same id token that was retrieved in the login 
>>>>>>>> process.
>>>>>>>> On Thursday, November 9, 2023 at 4:20:04 PM UTC+3:30 Udo Einspanier 
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> we have CAS 6.6 as OIDC provider. When our client initiates 
>>>>>>>>> logout, it goes to 
>>>>>>>>> https://.../cas/oidc/oidcLogout?post_logout_redirect_uri=https:/...
>>>>>>>>>
>>>>>>>>> In the YAML configuration we have:
>>>>>>>>>
>>>>>>>>> cas:
>>>>>>>>>   logout:
>>>>>>>>>     followServiceRedirects: true
>>>>>>>>>     removeDescendantTickets: true
>>>>>>>>>
>>>>>>>>> I would expect CAS to redirect to the URL in parameter 
>>>>>>>>> post_logout_redirect_uri, but instead it shows a logout page titled 
>>>>>>>>> "Logout successful" where the user can click on the logout URL 
>>>>>>>>> specified in the logout request.
>>>>>>>>> Is there some additional setting required for OIDC, or are we 
>>>>>>>>> missing something to allow automatic redirect without user interaction?
>>>>>>>>>
>>>>>>>>> Thanks and best regards,
>>>>>>>>> Udo
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
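The thread narrows the problem down to two checks: whether post_logout_redirect_uri matches the service's logoutUrl or serviceId pattern, and what kind of token the client sends to /revoke (a CAS ticket id with one of the listed prefixes versus a JWT). The script below is an added example, not code from CAS or from anyone in the thread; the service definition and request URL are constructed, and the field names (serviceId, logoutUrl, jwtAccessToken) follow the CAS JSON service format referred to above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed OIDC service definition, in the shape of a CAS JSON service file.
SERVICE = {
    "clientId": "test_jan",
    "serviceId": r"^https://cas\.server/profile.*",
    "logoutUrl": "https://cas.server/profile",
    "jwtAccessToken": True,
}

# Ticket prefixes CAS recognises in its ticket catalog (from the thread).
TICKET_PREFIXES = ("TGT", "ST", "RT", "AT", "PT", "TST", "OC",
                   "SART", "ODUC", "PGT", "SATQ", "ODT")


def classify_token(token):
    """Return 'ticket:<prefix>' for a CAS ticket id, 'jwt' for a JWT, else 'unknown'.

    A CAS ticket id looks like PREFIX-...; a JWT is header.payload.signature in
    base64url (signature may be empty for alg=none)."""
    prefix = token.split("-", 1)[0]
    if "-" in token and prefix in TICKET_PREFIXES:
        return f"ticket:{prefix}"
    parts = token.split(".")
    if (len(parts) == 3
            and all(re.fullmatch(r"[A-Za-z0-9_-]+", p) for p in parts[:2])
            and re.fullmatch(r"[A-Za-z0-9_-]*", parts[2])):
        return "jwt"
    return "unknown"


def check_logout_request(url, service):
    """Pre-check an end_session request the way the thread describes:
    id_token_hint must be present, and post_logout_redirect_uri must equal
    logoutUrl or match the serviceId pattern. Returns a list of problems."""
    q = parse_qs(urlsplit(url).query)
    problems = []
    if "id_token_hint" not in q:
        problems.append("missing id_token_hint")
    uris = q.get("post_logout_redirect_uri", [])
    if not uris:
        problems.append("missing post_logout_redirect_uri")
    else:
        uri = uris[0]
        if uri != service.get("logoutUrl") and not re.match(service["serviceId"], uri):
            problems.append(f"post_logout_redirect_uri {uri} matches neither "
                            "logoutUrl nor serviceId")
    return problems
```

A token classified as "unknown" is exactly what the revoke log complained about: it carries none of the catalog prefixes and is not a three-segment JWT, so CAS cannot look it up.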

You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/9bdb8643-9f45-4a81-a0f2-0b1463ae4122n%40apereo.org.