Pierre, The redirect_uri in your POST is double encoded; not sure if this matters.
My test client (using pac4j) sends this GET:

  https://local.uvic.ca/cas/oidc/oidcAuthorize?scope=openid+profile+email+eduPersonScope+uvicEduPersonScope&response_type=code&redirect_uri=https%3A%2F%2Fdemocasclientlocal.uvic.ca%2Fdemocasclient%2Fcallback%3Fclient_name%3DOidcClient&state=e4907347ec&code_challenge_method=S256&nonce=ZzgzCKo68-yeB0ZPVSYEBKWCmtnQCJp2Hb0-MAvuElI&client_id=tZzif5NfwfBS9enpN0nqXceBSdcYgxw3fw3w&code_challenge=by0F5GcJkfgLd-BjCo9RavOOrqJYNJ3qFS05hjlgb6s

My only POST is the login form submission.

Ray

On Fri, 2024-11-22 at 05:13 -0800, Pierre Driutti wrote:

Hello,

I am using a test CAS 7.1.1 server running inside docker, using the below settings:

  info:
    description: CAS Configuration
  cas:
    service-registry:
      core:
        init-from-json: true
      json:
        location: file:/etc/cas/services
    http-web-request:
      cors:
        enabled: false
    server:
      name: http://cas:cas_port
      prefix: http://cas:cas_port/cas
    authn:
      accept:
        enabled: false
      authentication-attribute-release:
        enabled: true
      attribute-repository:
        ldap[0]:
          bind-dn: cn=rouser,dc=atih,dc=sante,dc=fr
          bind-credential: ldap_rouser_password
          base-dn: ou=agents,dc=atih,dc=sante,dc=fr
          search-filter: uid={user}
          ldap-url: ldap://openldap:ldap_port
          allow-multiple-entries: true
      ldap[0]:
        bind-dn: cn=admin,dc=atih,dc=sante,dc=fr
        bind-credential: ldap_admin_password
        base-dn: ou=agents,dc=atih,dc=sante,dc=fr
        search-filter: uid={user}
        password-encoder:
          type: NONE
        ldap-url: ldap://openldap:ldap_port
        use-start-tls: false
        type: AUTHENTICATED
      oauth:
        access-token:
          crypto:
            signing:
              key: 8PdeTwu4j0thSopZgFvg-oa5GR8GBTzzcmiIMo7Vh0EmoVdWK5yRw4U7bWyOFdI53CU0exVZQCtQlLwMWaJ_og
            encryption:
              key: JzJ51l362rOPDZLwhtRY3p0SJUUx5sf8ZEDAKDIkdeY
        crypto:
          signing:
            key: meT8P7qpaN6bH3Bq-MsbMYQEL0iwZirR-XE-WAJFJHWfFsEOWq57sOfeG5DJXkBIdjd5RfRT3jX6QCOAkrh99g
          encryption:
            key: R3i5XWWsA9WWFhLkkQFGaOprYeYt8FGTbiTmgQkkmxEv6wbN-9YUjiPkM0Gezw_T377ORjM31JG0QNkLwXA8PQ
        session-replication:
          cookie:
            crypto:
              signing:
                key: 8C59Wtz_K_NKozYZ7G5fBZ83II0MBBI702ZmEqdOzXIPAI5B1MDUSVmm8w4YYzaBRjsGwG9fZBPWf-JS4yW_QQ
              encryption:
                key: 50kNxo6EKFQk9KOUAm0UXWhS-52Xtw_yWatSRkBT3GVzvS5cCPr3VH9_TmyJu91isRTjc2fjEiAD0idV00CBLQ
      oidc:
        core:
          issuer: http://cas:cas_port/cas/oidc
        discovery:
          grant-types-supported:
            - authorization_code
            - "urn:ietf:params:oauth:grant-type:uma-ticket"
            - "urn:ietf:params:oauth:grant-type:token-exchange"
            - "urn:ietf:params:oauth:grant-type:device-code"
            - refresh_token
          token-endpoint-auth-methods-supported: client_secret_basic
          introspection-supported-authentication-methods: client_secret_basic
          response-types-supported:
            - code
            - token
            - id_token
            - id_token token
            - device_code
          prompt-values-supported:
            - none
            - login
            - consent
    logout:
      followServiceRedirects: true
      redirectParameter: service
      confirmLogout: true
    slo:
      disabled: false
    monitor:
      endpoints:
        endpoint:
          defaults:
            access: ANONYMOUS
    ticket:
      st:
        time-to-kill-in-seconds: PT3600S
  server:
    port: cas_port
    ssl:
      enabled: false
      keyStore: file:/etc/cas/thekeystore
      keyStorePassword: changeit
      keyPassword: changeit
    servlet:
      context-path: /cas
  # logging:
  #   level:
  #     org.apereo.cas: DEBUG
  #     org.springframework: INFO
  management:
    endpoints:
      web:
        exposure:
          include: "*"
      enabled-by-default: true
    security:
      enabled: false

I am trying to contact it using OIDC.
As such, I've defined statically an OidcRegisteredService as follows:

  {
    "@class": "org.apereo.cas.services.OidcRegisteredService",
    "serviceId": "^https?://oidc-client-demo.*",
    "name": "OIDC Client Example",
    "id": 10,
    "evaluationOrder": 10,
    "clientId": "demo-client",
    "clientSecret": "demo-client-secret",
    "signIdToken": false,
    "encryptIdToken": false,
    "bypassApprovalPrompt": false,
    "supportedGrantTypes": ["java.util.HashSet", ["authorization_code"]],
    "supportedResponseTypes": ["java.util.HashSet", ["code"]],
    "supportedPromptValues": ["java.util.HashSet", ["consent"]],
    "scopes": ["java.util.HashSet", ["openid", "profile", "email", "address", "phone"]],
    "attributeReleasePolicy": {
      "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
    }
  }

However, my oidc client fails to work with it. When it sends an authentication request, I am prompted to enter credentials in a browser. Then, the following POST request is sent to my CAS server:

  POST /cas/login?service=http%3A%2F%2Fcas%3A8080%2Fcas%2Foauth2.0%2FcallbackAuthorize%3Fclient_id%3Ddemo-client%26scope%3Dopenid%2520profile%2520email%26redirect_uri%3Dhttp%253A%252F%252Foidc-client-demo%252Fanything%252Fcallback%26re

The authentication is successful, but then I do not see any approval popup being displayed, nor can I see in network traces that when it reaches my setup redirect_uri any parameters are provided.

[image.png]

Thus, the process fails at this point... Would you know if I did something wrong while setting up my CAS server and service? Of course, in the CAS logs, I cannot see any error message during the process of the request...

Thanks in advance
Best regards,
Pierre

--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/425834a5514597cb3f844783661d967b24a660de.camel%40uvic.ca.
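The thread turns on how the client's redirect_uri survives the nested CAS login -> callbackAuthorize -> redirect_uri chain and whether it still matches the registered serviceId pattern. The script below is an added example, not code from the CAS project or from either poster: it walks the `service=` wrappers inward (each wrapper accounts for one legitimate percent-encoding layer), reports how many extra encoding layers the redirect_uri still carries after ordinary query parsing, and matches the result against the `serviceId` regex from Pierre's service definition. The sample URLs are constructed from the two requests quoted in the thread (Ray's scope and PKCE parameters are shortened, and Pierre's truncated trailing `%26re` is dropped); the "over-encoded" request is a hypothetical third case added to show what an extra encoding layer does to the registry match. It assumes, as CAS does for OAuth/OIDC services, that the service registry matches `serviceId` as a regular expression against the decoded redirect_uri.

```python
"""Added example (not CAS project code): peel nested CAS/OAuth URLs and check
the innermost redirect_uri against a registered serviceId pattern."""
import re
from urllib.parse import parse_qs, unquote, urlparse

# serviceId from the OidcRegisteredService JSON quoted in the thread
REGISTERED_SERVICE_ID = r"^https?://oidc-client-demo.*"

# Constructed sample: Pierre's POST target, trailing truncated "%26re" dropped
PIERRE_LOGIN_URL = (
    "http://cas:8080/cas/login?service=http%3A%2F%2Fcas%3A8080%2Fcas%2Foauth2.0"
    "%2FcallbackAuthorize%3Fclient_id%3Ddemo-client%26scope%3Dopenid%2520profile"
    "%2520email%26redirect_uri%3Dhttp%253A%252F%252Foidc-client-demo%252Fanything"
    "%252Fcallback"
)
# Constructed sample: Ray's pac4j authorize request, shortened
RAY_AUTHZ_URL = (
    "https://local.uvic.ca/cas/oidc/oidcAuthorize?scope=openid+profile+email"
    "&response_type=code&redirect_uri=https%3A%2F%2Fdemocasclientlocal.uvic.ca"
    "%2Fdemocasclient%2Fcallback%3Fclient_name%3DOidcClient&state=e4907347ec"
    "&client_id=tZzif5NfwfBS9enpN0nqXceBSdcYgxw3fw3w"
)
# Hypothetical (constructed) request whose redirect_uri was encoded one
# time more than the URL nesting requires
OVER_ENCODED_URL = (
    "http://cas:8080/cas/oidc/oidcAuthorize?client_id=demo-client"
    "&response_type=code"
    "&redirect_uri=http%253A%252F%252Foidc-client-demo%252Fanything%252Fcallback"
)


def extract_redirect_uri(url):
    """Follow `service=` wrappers inward until a `redirect_uri` appears.

    Returns (redirect_uri, depth); depth is the number of wrappers crossed.
    parse_qs decodes exactly one percent-encoding layer per wrapper, which is
    the number of layers the nesting legitimately adds.
    """
    depth, current = 0, url
    while True:
        query = parse_qs(urlparse(current).query, keep_blank_values=True)
        if "redirect_uri" in query:
            return query["redirect_uri"][0], depth
        if "service" not in query:
            return None, depth
        current = query["service"][0]
        depth += 1


def residual_encoding_layers(value, limit=5):
    """Count how many further percent-decodes still change the value.

    0 means the parsed value is clean; 1 or more means the client encoded it
    more times than the nesting required, so a registry lookup sees a string
    such as "http%3A%2F%2F..." instead of a URL.
    """
    layers = 0
    while layers < limit:
        decoded = unquote(value)
        if decoded == value:
            break
        value, layers = decoded, layers + 1
    return layers


def check_request(url, service_id_pattern=REGISTERED_SERVICE_ID):
    """Summarise what a serviceId lookup would see for this request."""
    redirect_uri, depth = extract_redirect_uri(url)
    if redirect_uri is None:
        return {"redirect_uri": None, "depth": depth, "residual": 0, "matches": False}
    return {
        "redirect_uri": redirect_uri,
        "depth": depth,
        "residual": residual_encoding_layers(redirect_uri),
        # serviceId is matched as a regex against the decoded redirect_uri
        "matches": re.match(service_id_pattern, redirect_uri) is not None,
    }


if __name__ == "__main__":
    for label, url in (("pierre", PIERRE_LOGIN_URL),
                       ("ray", RAY_AUTHZ_URL),
                       ("over-encoded", OVER_ENCODED_URL)):
        print(label, check_request(url))
```

Running it shows Pierre's redirect_uri coming out clean at depth 1 and matching the pattern, while the over-encoded case leaves one residual layer and fails the regex, which is the failure mode to look for when a client library and a proxy both encode the parameter.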
