Slightly off-topic, but in the same vein: We are also in a rush to get to 7.3.x and with the deprecation of the cas.authn.oauth.session-replication.cookie.* settings we are testing with the "cas-server-support-session-ticket-registry" dependency to handle OIDC auth across multiple nodes. However we are seeing strange looping behavior during login and the logs of CAS still seem to want to generate the oauth session-replication cookie keys -- ultimately it doesn't seem to be as easy of a solution as flipping on the new support-session-ticket-registry...
We might also look at keeping the deprecated settings around for now. On Tuesday, January 13, 2026 at 8:53:19 AM UTC-8 Jonathon Taylor wrote: > I believe the intention is for this added dependency to handle it: > > > https://apereo.github.io/cas/7.3.x/webflow/Webflow-Customization-Sessions-ServerSide-TicketRegistry.html > > I did try it with 7.3.x and I was still seeing the LocalStorage redirect > so I opted to keep the deprecated settings for now since we are rushing to > upgrade to 7.3. If you are able to test that and have different results > please let me know! > > On Sat, Jan 10, 2026 at 8:18 AM Derek Badge <[email protected]> wrote: > >> And cas.authn.mfa.duo[0].session-storage-type=TICKET_REGISTRY is >> deprecated now, anyone have eyes on what is supposed to fix this when this >> is removed? >> >> On Tuesday, June 3, 2025 at 2:24:30 PM UTC-4 Mike Osterman wrote: >> >>> For the next person encountering this, adding the actual error message >>> to the thread we were seeing so it will show up in search: >>> >>> *Unable to proceed to the next step* >>> >>> *TypeError: Cannot read properties of null (reading 'removeltem')* >>> >>> >>> Thanks, >>> >>> Mike >>> >>> On Fri, Apr 11, 2025 at 9:52 AM 'Mark Oliver' via CAS Community < >>> [email protected]> wrote: >>> >>>> That's a great find! Thanks for sharing that and testing it out. I'll >>>> be watching out for the new release :-) >>>> >>>> Cheers. >>>> Mark >>>> >>>> On Fri, 11 Apr 2025 at 01:30, Jonathon Taylor <[email protected]> >>>> wrote: >>>> >>>>> I can confirm that this fixed my issue with our Palo Alto Global >>>>> Protect VPN client, which requires the Android WebView. I do not have a >>>>> way to test the Gmail app in my QA environment but I suspect it will be >>>>> the >>>>> same. >>>>> >>>>> Thanks Misagh if you are reading this. Hopefully this can be >>>>> backported into the 7.2 branch :-) >>>>> >>>>> On Thu, Apr 10, 2025 at 4:24 PM Jonathon Taylor <[email protected]> >>>>> wrote: >>>>> >>>>>> Hi All, >>>>>> >>>>>> There appears to be a potential solution for this being worked on in >>>>>> the 7.3.0-SNAPSHOT version of CAS. The commit is here: >>>>>> >>>>>> >>>>>> https://github.com/apereo/cas/commit/bf27b046e43029666dea64aba1a866bb67c010e9 >>>>>> >>>>>> I just tested this by changing my 7.2.1-SNAPSHOT build to >>>>>> 7.3.0-SNAPSHOT. You can then use this property: >>>>>> >>>>>> # This defaults to BROWSER_STORAGE >>>>>> cas.authn.mfa.duo[0].session-storage-type=TICKET_REGISTRY >>>>>> >>>>>> This appears to work and skips the interstitial pages that read/write >>>>>> from localstorage in the browser. I have not yet tested this for >>>>>> Android >>>>>> but will. >>>>>> >>>>>> On Thu, Apr 10, 2025 at 8:15 AM Jonathon Taylor <[email protected]> >>>>>> wrote: >>>>>> >>>>>>> Agreed. This does not just affect Gmail on Android, but also common >>>>>>> applications such as GlobalProtect VPN clients and I'm sure other >>>>>>> commonly >>>>>>> used software. I do appreciate the pull request and we will likely be >>>>>>> using the solution Mark posted. >>>>>>> >>>>>>> On Wed, Apr 2, 2025 at 4:50 AM David Gelhar <[email protected]> >>>>>>> wrote: >>>>>>> >>>>>>>> Hi Mark, >>>>>>>> >>>>>>>> Thank you for posting that pull request. We have encountered >>>>>>>> similar problems since upgrading to CAS7 so your analysis (and >>>>>>>> workaround) >>>>>>>> is going to prove very helpful. >>>>>>>> >>>>>>>> The attitude of the CAS project around this issue is frankly >>>>>>>> incomprehensible. They have introduced a change that completely breaks >>>>>>>> authentication for a very significant user population (Gmail on an >>>>>>>> Andoid >>>>>>>> device is not exactly a "edge case"), and then declined to accept a >>>>>>>> fix >>>>>>>> because it would be "not worth maintaining". >>>>>>>> >>>>>>>> Thanks, >>>>>>>> >>>>>>>> David >>>>>>>> >>>>>>>> On Wednesday, March 12, 2025 at 9:00:46 AM UTC-4 Mark Oliver wrote: >>>>>>>> >>>>>>>>> Hi Jonathan, >>>>>>>>> >>>>>>>>> Unfortunately, that was a mistake on my part—a fix isn’t in the >>>>>>>>> mentioned file. >>>>>>>>> >>>>>>>>> I did submit a pull request for a fix here, but it was rejected >>>>>>>>> because it changed the core functionality of CAS, and the project >>>>>>>>> doesn’t >>>>>>>>> want to maintain that, which is fair enough: >>>>>>>>> https://github.com/apereo/cas/pull/6305 >>>>>>>>> >>>>>>>>> Going forward, we’re managing our own version of the file. Given >>>>>>>>> that, I’ve simplified it by solely relying on sessionStorage. >>>>>>>>> >>>>>>>>> Cheers, >>>>>>>>> Mark >>>>>>>>> On Thursday, 6 March 2025 at 13:52:01 UTC Jonathon Taylor wrote: >>>>>>>>> >>>>>>>>>> Hi Mark, >>>>>>>>>> >>>>>>>>>> We are running into this same issue. Would you mind pointing me >>>>>>>>>> to what in the master branch version resolved this issue for you? >>>>>>>>>> We are >>>>>>>>>> seeing the issue with 7.1.4 currently. >>>>>>>>>> >>>>>>>>>> On Thu, Jan 9, 2025 at 9:12 AM 'Mark Oliver' via CAS Community < >>>>>>>>>> [email protected]> wrote: >>>>>>>>>> >>>>>>>>>>> Thanks Ray, >>>>>>>>>>> >>>>>>>>>>> I was able to find the latest file on the master branch which >>>>>>>>>>> looks like it's been fixed: >>>>>>>>>>> >>>>>>>>>>> https://github.com/apereo/cas/blob/master/support/cas-server-support-thymeleaf/src/main/resources/static/js/cas.js >>>>>>>>>>> >>>>>>>>>>> Cheers. >>>>>>>>>>> Mark >>>>>>>>>> >>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> On Tuesday, 7 January 2025 at 06:26:59 UTC Ray Bon wrote: >>>>>>>>>>> >>>>>>>>>>>> Mark, >>>>>>>>>>>> >>>>>>>>>>>> You can start with >>>>>>>>>>>> https://apereo.github.io/cas/developer/Contributor-Guidelines.html >>>>>>>>>>>> <https://apereo.github.io/cas/developer/Build-Process.html> >>>>>>>>>>>> >>>>>>>>>>>> Ray >>>>>>>>>>>> >>>>>>>>>>>> On Mon, 2025-01-06 at 06:30 -0800, 'Mark Oliver' via CAS >>>>>>>>>>>> Community wrote: >>>>>>>>>>>> >>>>>>>>>>>> Hello, >>>>>>>>>>>> >>>>>>>>>>>> We recently attempted to upgrade our CAS installation from 6.6 >>>>>>>>>>>> to 7.x and encountered a blocking issue with Android’s embedded >>>>>>>>>>>> WebView >>>>>>>>>>>> (specifically in the Gmail app). >>>>>>>>>>>> >>>>>>>>>>>> In CAS 7.x, the default src/main/static/js/cas.js file appears >>>>>>>>>>>> to rely more heavily on localStorage. However, the Gmail app’s >>>>>>>>>>>> built-in >>>>>>>>>>>> WebView which is used for registering an account does not properly >>>>>>>>>>>> support >>>>>>>>>>>> localStorage. This leads to errors in the authentication flow, >>>>>>>>>>>> causing the >>>>>>>>>>>> WebView browser to hang after CAS credentials are submitted. In >>>>>>>>>>>> CAS 6.6, >>>>>>>>>>>> the code primarily used sessionStorage, and this issue never arose. >>>>>>>>>>>> >>>>>>>>>>>> To work around the problem, I’ve updated cas.js so that it >>>>>>>>>>>> first checks if localStorage is available, and if not, it falls >>>>>>>>>>>> back to an >>>>>>>>>>>> in-memory object or to sessionStorage. This resolves the problem >>>>>>>>>>>> for our >>>>>>>>>>>> users. >>>>>>>>>>>> >>>>>>>>>>>> - So firstly is this a known issue, as of 7.1.3 that issue >>>>>>>>>>>> still remains. >>>>>>>>>>>> - If a fix is welcome, where should I submit a pull request for >>>>>>>>>>>> the src/main/static/js/cas.js file? >>>>>>>>>>>> >>>>>>>>>>>> Cheers. >>>>>>>>>>>> Mark >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> -- >>>>>>>>>>> - Website: https://apereo.github.io/cas >>>>>>>>>>> - List Guidelines: https://goo.gl/1VRrw7 >>>>>>>>>>> - Contributions: https://goo.gl/mh7qDG >>>>>>>>>>> --- >>>>>>>>>>> You received this message because you are subscribed to the >>>>>>>>>>> Google Groups "CAS Community" group. >>>>>>>>>>> To unsubscribe from this group and stop receiving emails from >>>>>>>>>>> it, send an email to [email protected]. >>>>>>>>>>> To view this discussion visit >>>>>>>>>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/0f4c6d2c-a7b3-461f-9dee-d448da800e8bn%40apereo.org >>>>>>>>>>> >>>>>>>>>>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/0f4c6d2c-a7b3-461f-9dee-d448da800e8bn%40apereo.org?utm_medium=email&utm_source=footer> >>>>>>>>>>> . >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> -- >>>>>>>>>> Jonathon Taylor (he/him) >>>>>>>>>> Information Security Office >>>>>>>>>> [email protected] >>>>>>>>>> >>>>>>>>> >>>>>>> >>>>>>> -- >>>>>>> Jonathon Taylor (he/him) >>>>>>> Information Security Office >>>>>>> [email protected] >>>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> Jonathon Taylor (he/him) >>>>>> Information Security Office >>>>>> [email protected] >>>>>> >>>>> >>>>> >>>>> -- >>>>> Jonathon Taylor (he/him) >>>>> Information Security Office >>>>> [email protected] >>>>> >>>> >>>> >>>> -- >>>> >>>> Mark Oliver, >>>> Snr DevOps Engineer, >>>> Internet Systems, >>>> IT Services, The University of Sheffield. >>>> Tel: +44 114 22 21144 >>>> >>>> -- >>>> - Website: https://apereo.github.io/cas >>>> - List Guidelines: https://goo.gl/1VRrw7 >>>> - Contributions: https://goo.gl/mh7qDG >>>> --- >>>> You received this message because you are subscribed to the Google >>>> Groups "CAS Community" group. >>>> To unsubscribe from this group and stop receiving emails from it, send >>>> an email to [email protected]. >>>> >>> To view this discussion visit >>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/CALb7P%3Dqs4OS%3Dhpd%3Dn5B6iMJmAr6py5xJRmJWoOR_H21kkb5kUg%40mail.gmail.com >>>> >>>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/CALb7P%3Dqs4OS%3Dhpd%3Dn5B6iMJmAr6py5xJRmJWoOR_H21kkb5kUg%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>> . >>>> >>> > > -- > Jonathon Taylor (he/him) > Information Security Office > [email protected] > -- - Website: https://apereo.github.io/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/82ec222b-c2b0-4158-85aa-d7ada08ff2c2n%40apereo.org.
