Hi, I am having the same problem, did you get a solution? Thanks!

On Monday, November 25, 2024 at 3:12:42 PM UTC+2 Pierre Driutti wrote:

> Hello Ray,
>
> I thank you for your reply. As a matter of fact, I also have a GET request done to oidcAuthorize before I authenticate through the POST login request...
>
> The issue I described occurs after the login is made, while the grants are checked on the CAS side. All grants are OK, I just don't have any parameter sent together with the redirect_uri...
>
> Thanks in advance
>
> Best regards,
> Pierre
>
> On Fri, 22 Nov 2024 at 19:28, Ray Bon <[email protected]> wrote:
>
>> Pierre,
>>
>> The redirect_uri in your POST is double encoded; not sure if this matters.
>>
>> My test client (using pac4j) sends this GET:
>>
>> https://local.uvic.ca/cas/oidc/oidcAuthorize?scope=openid+profile+email+eduPersonScope+uvicEduPersonScope&response_type=code&redirect_uri=https%3A%2F%2Fdemocasclientlocal.uvic.ca%2Fdemocasclient%2Fcallback%3Fclient_name%3DOidcClient&state=e4907347ec&code_challenge_method=S256&nonce=ZzgzCKo68-yeB0ZPVSYEBKWCmtnQCJp2Hb0-MAvuElI&client_id=tZzif5NfwfBS9enpN0nqXceBSdcYgxw3fw3w&code_challenge=by0F5GcJkfgLd-BjCo9RavOOrqJYNJ3qFS05hjlgb6s
>>
>> My only POST is the login form submission.
>>
>> Ray
>>
>> On Fri, 2024-11-22 at 05:13 -0800, Pierre Driutti wrote:
>>
>> Hello,
>>
>> I am using a test CAS 7.1.1 server running inside docker, using the below settings:
>>
>> info:
>>   description: CAS Configuration
>>
>> cas:
>>   service-registry:
>>     core:
>>       init-from-json: true
>>     json:
>>       location: file:/etc/cas/services
>>
>>   http-web-request:
>>     cors:
>>       enabled: false
>>   server:
>>     name: http://cas:cas_port
>>     prefix: http://cas:cas_port/cas
>>   authn:
>>     accept:
>>       enabled: false
>>     authentication-attribute-release:
>>       enabled: true
>>     attribute-repository:
>>       ldap[0]:
>>         bind-dn: cn=rouser,dc=atih,dc=sante,dc=fr
>>         bind-credential: ldap_rouser_password
>>         base-dn: ou=agents,dc=atih,dc=sante,dc=fr
>>         search-filter: uid={user}
>>         ldap-url: ldap://openldap:ldap_port
>>         allow-multiple-entries: true
>>     ldap[0]:
>>       bind-dn: cn=admin,dc=atih,dc=sante,dc=fr
>>       bind-credential: ldap_admin_password
>>       base-dn: ou=agents,dc=atih,dc=sante,dc=fr
>>       search-filter: uid={user}
>>       password-encoder:
>>         type: NONE
>>       ldap-url: ldap://openldap:ldap_port
>>       use-start-tls: false
>>       type: AUTHENTICATED
>>     oauth:
>>       access-token:
>>         crypto:
>>           signing:
>>             key: 8PdeTwu4j0thSopZgFvg-oa5GR8GBTzzcmiIMo7Vh0EmoVdWK5yRw4U7bWyOFdI53CU0exVZQCtQlLwMWaJ_og
>>           encryption:
>>             key: JzJ51l362rOPDZLwhtRY3p0SJUUx5sf8ZEDAKDIkdeY
>>       crypto:
>>         signing:
>>           key: meT8P7qpaN6bH3Bq-MsbMYQEL0iwZirR-XE-WAJFJHWfFsEOWq57sOfeG5DJXkBIdjd5RfRT3jX6QCOAkrh99g
>>         encryption:
>>           key: R3i5XWWsA9WWFhLkkQFGaOprYeYt8FGTbiTmgQkkmxEv6wbN-9YUjiPkM0Gezw_T377ORjM31JG0QNkLwXA8PQ
>>       session-replication:
>>         cookie:
>>           crypto:
>>             signing:
>>               key: 8C59Wtz_K_NKozYZ7G5fBZ83II0MBBI702ZmEqdOzXIPAI5B1MDUSVmm8w4YYzaBRjsGwG9fZBPWf-JS4yW_QQ
>>             encryption:
>>               key: 50kNxo6EKFQk9KOUAm0UXWhS-52Xtw_yWatSRkBT3GVzvS5cCPr3VH9_TmyJu91isRTjc2fjEiAD0idV00CBLQ
>>     oidc:
>>       core:
>>         issuer: http://cas:cas_port/cas/oidc
>>       discovery:
>>         grant-types-supported:
>>           - authorization_code
>>           - "urn:ietf:params:oauth:grant-type:uma-ticket"
>>           - "urn:ietf:params:oauth:grant-type:token-exchange"
>>           - "urn:ietf:params:oauth:grant-type:device-code"
>>           - refresh_token
>>         token-endpoint-auth-methods-supported: client_secret_basic
>>         introspection-supported-authentication-methods: client_secret_basic
>>         response-types-supported:
>>           - code
>>           - token
>>           - id_token
>>           - id_token token
>>           - device_code
>>         prompt-values-supported:
>>           - none
>>           - login
>>           - consent
>>
>>   logout:
>>     followServiceRedirects: true
>>     redirectParameter: service
>>     confirmLogout: true
>>   slo:
>>     disabled: false
>>   monitor:
>>     endpoints:
>>       endpoint:
>>         defaults:
>>           access: ANONYMOUS
>>
>>   ticket:
>>     st:
>>       time-to-kill-in-seconds: PT3600S
>>
>> server:
>>   port: cas_port
>>   ssl:
>>     enabled: false
>>     keyStore: file:/etc/cas/thekeystore
>>     keyStorePassword: changeit
>>     keyPassword: changeit
>>   servlet:
>>     context-path: /cas
>> #
>> logging:
>>   level:
>>     org.apereo.cas: DEBUG
>>     org.springframework: INFO
>>
>> management:
>>   endpoints:
>>     web:
>>       exposure:
>>         include: "*"
>>     enabled-by-default: true
>>   security:
>>     enabled: false
>>
>> I am trying to contact it using OIDC. As such, I've defined statically an OidcRegisteredService as follows:
>>
>> {
>>   "@class": "org.apereo.cas.services.OidcRegisteredService",
>>   "serviceId": "^https?://oidc-client-demo.*",
>>   "name": "OIDC Client Example",
>>   "id": 10,
>>   "evaluationOrder": 10,
>>   "clientId": "demo-client",
>>   "clientSecret": "demo-client-secret",
>>   "signIdToken": false,
>>   "encryptIdToken": false,
>>   "bypassApprovalPrompt": false,
>>   "supportedGrantTypes": ["java.util.HashSet", ["authorization_code"]],
>>   "supportedResponseTypes": ["java.util.HashSet", ["code"]],
>>   "supportedPromptValues": ["java.util.HashSet", ["consent"]],
>>   "scopes": ["java.util.HashSet", ["openid", "profile", "email", "address", "phone"]],
>>   "attributeReleasePolicy": {
>>     "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
>>   }
>> }
>>
>> However, my oidc client fails to work with it.
>>
>> When it sends an authentication request, I am prompted to enter credentials in a browser. Then, the following POST request is sent to my CAS server,
>>
>> POST /cas/login?service=http%3A%2F%2Fcas%3A8080%2Fcas%2Foauth2.0%2FcallbackAuthorize%3Fclient_id%3Ddemo-client%26scope%3Dopenid%2520profile%2520email%26redirect_uri%3Dhttp%253A%252F%252Foidc-client-demo%252Fanything%252Fcallback%26re,
>>
>> The authentication is successful, but then I do not see any approval popup being displayed, nor can I see in network traces that when it reaches my setup redirect_uri any parameters are provided.
>>
>> [image: image.png]
>>
>> Thus, the process fails at this point…
>>
>> Would you know if I did something wrong while setting up my CAS server and service?
>>
>> Of course, in the CAS logs, I cannot see any error message during the process of the request…
>>
>> Thanks in advance
>>
>> Best regards,
>>
>> Pierre

--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/4d7c1fac-d360-4eec-9676-604f9785abb6n%40apereo.org.
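As an added example (not code from the thread, from CAS or from pac4j), the Python script below does the three checks the exchange above turns on: it walks the nested `service` / `redirect_uri` layers of a CAS login URL like the POST Pierre quoted and flags values that still decode to further escapes (Ray's "double encoded" observation), it builds a single-encoded PKCE authorize request of the shape Ray's pac4j client sends, and it validates the redirect back to the client for the `code` and `state` parameters Pierre reports missing. The sample login URL (the thread's copy is truncated, so its tail is completed by hand), the hostnames, the state and nonce values are all constructed for the example.

```python
"""Checks for the CAS OIDC authorization-code flow discussed in the thread."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, unquote, urlencode, urlparse

# Constructed sample modelled on the POST /cas/login URL quoted in the thread
# (the thread's copy is truncated; the tail here is made up for the example).
SAMPLE_LOGIN_URL = (
    "http://cas:8080/cas/login?service="
    "http%3A%2F%2Fcas%3A8080%2Fcas%2Foauth2.0%2FcallbackAuthorize"
    "%3Fclient_id%3Ddemo-client%26scope%3Dopenid%2520profile%2520email"
    "%26redirect_uri%3Dhttp%253A%252F%252Foidc-client-demo%252Fanything%252Fcallback"
    "%26response_type%3Dcode%26state%3Dabc123"
)


def raw_param(url, name):
    """Return a query parameter's value as sent, without percent-decoding it."""
    for part in urlparse(url).query.split("&"):
        key, _, value = part.partition("=")
        if key == name:
            return value
    return None


def peel_service_param(login_url):
    """Follow the nested URLs inward: login?service= -> callbackAuthorize?redirect_uri= -> client.

    Each layer is decoded exactly once, so a genuinely superfluous encoding
    layer survives and is visible in the returned strings.
    """
    layers, url = [], login_url
    while True:
        layers.append(url)
        query = parse_qs(urlparse(url).query)  # parse_qs decodes one layer
        inner = query.get("service") or query.get("redirect_uri")
        if not inner:
            return layers
        url = inner[0]


def is_double_encoded(raw_value):
    """Heuristic: a value that still contains %XX escapes after one decode was
    either encoded twice or legitimately carries a nested, encoded URL."""
    once = unquote(raw_value)
    return once != unquote(once)


def code_challenge(verifier):
    """S256 challenge per RFC 7636: base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(authorize_endpoint, client_id, redirect_uri, scopes, state, nonce, verifier):
    """Build the GET to oidcAuthorize. urlencode() encodes each value once, so
    redirect_uri must be passed as plain text, never pre-encoded: a pre-encoded
    value reaches the server as 'http%3A%2F%2F...', which cannot match a
    serviceId pattern that expects 'http://'."""
    params = {
        "scope": " ".join(scopes),
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
        "code_challenge_method": "S256",
        "code_challenge": code_challenge(verifier),
        "client_id": client_id,
    }
    return authorize_endpoint + "?" + urlencode(params)


def check_callback(callback_url, expected_state):
    """Validate the redirect back to redirect_uri. The thread's symptom is a
    redirect carrying no parameters at all; that case is reported explicitly."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        return {"ok": False, "reason": "error=" + query["error"][0]}
    if "code" not in query:
        return {"ok": False, "reason": "no code parameter on callback"}
    if query.get("state", [None])[0] != expected_state:
        return {"ok": False, "reason": "state missing or does not match"}
    return {"ok": True, "code": query["code"][0]}


if __name__ == "__main__":
    for depth, layer in enumerate(peel_service_param(SAMPLE_LOGIN_URL)):
        print(f"layer {depth}: {layer}")
    verifier = secrets.token_urlsafe(48)  # fresh per authorization request
    print(build_authorize_url("http://cas:8080/cas/oidc/oidcAuthorize", "demo-client",
                              "http://oidc-client-demo/anything/callback",
                              ["openid", "profile", "email"], "abc123", "n0nce", verifier))
    print(check_callback("http://oidc-client-demo/anything/callback", "abc123"))
```

Run it and compare layers: at the outer login URL the `service` value looks double-encoded because it carries a whole callbackAuthorize URL inside it, while at the callbackAuthorize layer the `redirect_uri` decodes to plain `http://oidc-client-demo/anything/callback` in one step. So compare the parameter at the layer that owns it before concluding the client encoded it twice. `check_callback` is the check to run on the final redirect: a callback with neither `code` nor `error` means the server never completed the authorization, and a `state` mismatch means the response does not belong to the request you issued.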
