Hi, Thanks for retrying. About version, it was a typo. I am noodling with a
snapshot of V7sometimes but this was indeed running with 6.6.10. Your
configuration directives helped me realize we never used "cas.server.scope" in
our config file, and this structure of variables looks clear and nice. So I
adopted it and for some unknown reason, I had the idea of removing the "s" from
the protocol in "cas.server.name" as there is no TLS on "appserver". And guess
what ... it worked, I know have a login flow with login and authorization.
But honestly, the error message was not giving any clue ! What
"authentication profile" is it about ? The oAuth2 part of OIDC, unavailable
because the OIDC issuer could not be reached because the issuer URL is bad ?
The relevant code in
"support/cas-server-support-oauth-core-api/src/main/java/org/apereo/cas/support/oauth/web/endpoints/OAuth20AuthorizeEndpointController.java"
did not give me any clear explanation, only guesses : protected ModelAndView
redirectToCallbackRedirectUrl(final ProfileManager manager,
final OAuthRegisteredService registeredService,
final JEEContext context) {
val profile = manager.getProfile().orElseThrow(() -> new
IllegalArgumentException("Unable to locate authentication profile"));
val service = getConfigurationContext().getAuthenticationBuilder()
.buildService(registeredService, context, false);
LOGGER.trace("Created service [{}] based on registered service [{}]", service,
registeredService); Anyway, I was able to make one step forward, thank you
very much. Regards
Le 18-Jan-2024 21:32:30 +0100, [email protected] a crit:
Let us try this again. Cas does not need to know about appserver.my.domain;
only HAProxy needs this. cas.server.scope=public.my.domain
cas.server.name=https://${cas.server.scope}
cas.server.prefix=${cas.server.name}/cas
cas.authn.oidc.core.issuer=${cas.server.prefix}/oidc Are you missing this
config item (if missing, it should not be related to this problem):
cas.authn.oauth.access-token.crypto.signing.key Your title says cas 7 but
your log says 6.6. Could there be a library conflict? Ray On Wed,
2024-01-17 at 11:10 +0100, spfma.tech via CAS Community wrote:
Notice: This message was sent from outside the University of Victoria email
system. Please be cautious with links and sensitive information. Hi, I am
trying to setup OIDC module, and I experience some problems. My CAS server
(let's name it "appserver.my.domain") is running on port 8080, with HAProxy
exposing public URLs (let's name it "public.my.domain"). So after rebuilding
the webapp including "org.apereo.cas:cas-server-support-oidc", I have added the
following lines to my working "cas.properties" :
cas.authn.oauth.crypto.encryption.key=0ZJCKvFSVO6PUKlzUqWzE5eXDerK_T7G1oSfGHfaAGM
cas.authn.oauth.crypto.signing.key=_d6j3pacsAy_V7WP55RB-H0HtwfSawKav6aV8rUPuRPBDqDhAeJXpqjrtZwqTiUPkNOz2jcb5nLqJJ73ygqROw
cas.authn.oauth.access-token.crypto.encryption.key=8wK97XDbYzeDhSzZgfcFWp3SHW_Lr-h69cGtWYZjJz0
cas.authn.oidc.core.issuer=https://public.my.domain/cas/oidc
cas.authn.oidc.core.accepted-issuers-pattern=http:\/\/.* The last line is the
only syntax I have found accepting both "https://public.my.domain/cas/oidc"; and
"http://appserver.my.domain:8080/cas/oidc"; as valid issuers, otherwise requests
are denied. Is it Ok ? Then I have then added a basic servcice : {
"@class" : "org.apereo.cas.services.OidcRegisteredService",
"scopes" : [ "java.util.HashSet", [ "profile", "openid", "email" ] ],
"clientId": "client",
"clientSecret": "secret",
"serviceId" : "http://localhost:8080/(.*)",
"name" : "test",
"id" : 2,
"idTokenIssuer": "https://public.my.domain/cas/oidc";
} It seems to be working : 2024-01-17 11:04:01,722 DEBUG
[org.apereo.cas.services.resource.AbstractResourceBasedServiceRegistry] -
2024-01-17 11:04:01,722 DEBUG
[org.apereo.cas.services.resource.AbstractResourceBasedServiceRegistry] -
2024-01-17 11:04:01,722 DEBUG
[org.apereo.cas.oidc.services.OidcServiceRegistryListener] -
2024-01-17 11:04:01,722 DEBUG
[org.apereo.cas.oidc.services.OidcServiceRegistryListener] -
2024-01-17 11:04:01,722 DEBUG
[org.apereo.cas.oidc.services.OidcServiceRegistryListener] - The RP is a
Docker image I have found here :
https://hub.docker.com/r/leplusorg/openid-connect-provider-debugger When I
try to reach the app's main URL (http://localhost:8080/), I am redirected to
CAS but I get the follwing exception : "java.lang.IllegalArgumentException:
Unable to locate authentication profile" And on server side : 2024-01-17
11:03:48,217 DEBUG [org.springframework.security.web.FilterChainProxy] -
2024-01-17 11:03:48,217 DEBUG
[org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping]
-
2024-01-17 11:03:48,218 DEBUG
[org.springframework.security.web.FilterChainProxy] -
2024-01-17 11:03:48,218 DEBUG
[org.springframework.web.servlet.DispatcherServlet] -
2024-01-17 11:03:48,218 DEBUG
[org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping]
-
2024-01-17 11:03:48,220 DEBUG
[org.apereo.cas.web.FlowExecutionExceptionResolver] -
2024-01-17 11:03:48,220 DEBUG
[org.apereo.cas.web.FlowExecutionExceptionResolver] -
at
org.apereo.cas.oidc.web.controllers.authorize.OidcAuthorizeEndpointController.handleRequest(OidcAuthorizeEndpointController.java:58)
~[cas-server-support-oidc-core-api-6.6.10.jar!/:6.6.10] Can someone tell me
what this error clearly means ? I had a look at the source code, but found
nothing obvious. Is there something wrong or missing with the configuration
above ? Thanks for any kind of help Regards
-------------------------------------------------------------------------------------------------
FreeMail powered by mail.fr
-------------------------------------------------------------------------------------------------
FreeMail powered by mail.fr
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/29c437da7d1cd386420055465a75cec3d079f1a8%40mail.de.
