Hello,
I'm currently upgrading my CAS from 7.2 to 7.3.
I have a regression on my PAC4j delegated OIDC.

Has anyone experienced this issue, or is anyone aware of changes in 7.3? I didn't 
see any related changes in the CAS 7.3 RC changelogs.

Thanks :)

2026-02-19 11:16:56,739 DEBUG 
[org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationRedirectAction] 
- <Redirecting client [FranceConnect] based on identifier 
[TST-1-****************TBp-pP6-7f3c2b761bc8]>
2026-02-19 11:16:56,740 DEBUG 
[org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationRedirectAction] 
- <Redirecting to 
[https://fcp-low.integ01.dev-franceconnect.fr/api/v2/authorize?scope=openid%20given_name%20family_name%20birthdate%20birthplace%20birthcountry%20preferred_username&acr_values=eidas1&claims=%7B%22id_token%22%3A%7B%22amr%22%3A%7B%22essential%22%3Atrue%7D%7D%7D&response_type=code&redirect_uri=https%3A%2F%2Fcas-dev.fqdn.fr%2Fcas%2Flogin%2FFranceConnect&state=12345&nonce=6789]
 
via client [FranceConnect]>
// LOGIN //
2026-02-19 11:17:08,596 DEBUG 
[org.apereo.cas.web.flow.controller.DefaultDelegatedAuthenticationNavigationController]
 
- <Received response from client [FranceConnect]; Redirecting to 
[https://cas-dev.fqdn.fr/cas/login?code=oBJ74fVZvkezMQSdu5L7NNVUoJwhgcwzZlOOryIEMXg&state=999&iss=https%3A%2F%2Ffcp-low.integ01.dev-franceconnect.fr%2Fapi%2Fv2&client_name=FranceConnect]>



2026-02-19 11:17:08,667 DEBUG 
[org.apereo.cas.web.flow.CasFlowHandlerMapping] - <Mapped to 
[FlowHandlerMapping.DefaultFlowHandler@24f51b6c]>
2026-02-19 11:17:08,672 DEBUG 
[org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager] 
- <Located delegated client identifier []>
2026-02-19 11:17:08,672 INFO 
[org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager] 
- <Delegated client identifier [] is undefined in request URL 
[https://cas-dev.fqdn.fr/cas/login?code=oBJ74fVZvkezMQSdu5L7NNVUoJwhgcwzZlOOryIEMXg&state=999&iss=https%3A%2F%2Ffcp-low.integ01.dev-franceconnect.fr%2Fapi%2Fv2&client_name=FranceConnect]>
2026-02-19 11:17:08,673 DEBUG 
[org.apereo.cas.authentication.principal.DefaultDelegatedAuthenticationCredentialExtractor]
- <Fetching credentials from delegated client 
[OidcClient(super=IndirectClient(super=BaseClient(name=FranceConnect, 
authorizationGenerators=[], 
credentialsExtractor=org.pac4j.oidc.credentials.extractor.OidcCredentialsExtractor@6fae47b2,
 
authenticator=org.pac4j.oidc.credentials.authenticator.OidcAuthenticator@419b23f3,
 
profileCreator=InitializableObject(initialized=false, maxAttempts=3, 
nbAttempts=0, lastAttempt=null, 
minTimeIntervalBetweenAttemptsInMilliseconds=5000), 
customProperties={autoRedirectType=NONE, cssClass=franceconnect, 
displayName=Se connecter avec France Connect}, 
profileFactoryWhenNotAuthenticated=null, multiProfile=false, 
saveProfileInSession=true, config=null), 
callbackUrl=https://cas-dev.fqdn.fr/cas/login, 
urlResolver=org.pac4j.core.http.url.DefaultUrlResolver@61f7cde6, 
callbackUrlResolver=org.pac4j.core.http.callback.PathParameterCallbackUrlResolver@42780018,
 
ajaxRequestResolver=org.pac4j.core.http.ajax.DefaultAjaxRequestResolver@f94a4b5,
 
redirectionActionBuilder=org.pac4j.oidc.redirect.OidcRedirectionActionBuilder@71eb34d1,
 
logoutProcessor=org.pac4j.oidc.logout.processor.OidcLogoutProcessor@2e2c5ff7, 
logoutActionBuilder=org.pac4j.oidc.logout.OidcLogoutActionBuilder@2cd6e2ea, 
checkAuthenticationAttempt=true), 
configuration=OidcConfiguration(clientId=377f9c3fd633bb7f85362d6b97aea642101916336709c051c3d0816fd83e4e0e,
 
discoveryURI=https://fcp-low.integ01.dev-franceconnect.fr/api/v2/.well-known/openid-configuration,
 
scope=openid,given_name,family_name,birthdate,birthplace,birthcountry,preferred_username,
 
customParams={claims={"id_token": {"amr": {"essential": true } } }, 
acr_values=eidas1}, clientAuthenticationMethod=null, 
supportedClientAuthenticationMethods=null, 
privateKeyJWTClientAuthnMethodConfig=null, useNonce=true, disablePkce=true, 
pkceMethod=null, preferredJwsAlgorithm=ES256, maxAge=null, maxClockSkew=5, 
resourceRetriever=org.pac4j.oidc.config.OidcConfiguration$OidcResourceRetriever@6cd4ac9,
 
responseType=code, responseMode=null, logoutUrl=null, connectTimeout=5000, 
readTimeout=5000, withState=true, mappedClaims={}, 
stateGenerator=org.pac4j.core.util.generator.RandomValueGenerator@2ea8bb7d, 
codeVerifierGenerator=org.pac4j.core.util.generator.RandomValueGenerator@62378ab8,
 
valueRetriever=org.pac4j.oidc.util.SessionStoreValueRetriever@79edf5a6, 
expireSessionWithToken=false, tokenExpirationAdvance=0, 
allowUnsignedIdTokens=false, includeAccessTokenClaimsInProfile=false, 
sslSocketFactory=sun.security.ssl.SSLSocketFactoryImpl@188d92f9, 
callUserInfoEndpoint=true, 
hostnameVerifier=org.apache.hc.client5.http.ssl.DefaultHostnameVerifier@151a6350,
 
opMetadataResolver=InitializableObject(initialized=true, maxAttempts=3, 
nbAttempts=1, lastAttempt=1771499816004, 
minTimeIntervalBetweenAttemptsInMilliseconds=5000), 
logoutValidation=true))]>
2026-02-19 11:17:08,676 DEBUG 
[org.pac4j.oidc.credentials.extractor.OidcCredentialsExtractor] - 
<Authentication response successful>
2026-02-19 11:17:08,780 DEBUG 
[org.pac4j.core.resource.SpringResourceLoader] - <lastModified: 0 / 
newLastModified: 0 -> hasChanged: false>
2026-02-19 11:17:08,781 DEBUG [org.pac4j.oidc.client.OidcClient] - <no 
credentials and profile returned -> remember the authentication attempt>
2026-02-19 11:17:08,781 DEBUG [org.pac4j.oidc.client.OidcClient] - <save 
authentication attempt in session>
2026-02-19 11:17:08,781 DEBUG 
[org.apereo.cas.ticket.registry.AbstractMapBasedTicketRegistry] - <Putting 
ticket [TST-844ad5a8-c34c-46ef-9dc0-dd2242cfa147] in registry.>
2026-02-19 11:17:08,784 WARN [org.apereo.cas.util.function.FunctionUtils] - 
<State cannot be determined>
org.pac4j.oidc.exceptions.OidcMissingSessionStateException: State cannot be 
determined
        at 
org.pac4j.oidc.credentials.extractor.OidcCredentialsExtractor.lambda$extract$0(OidcCredentialsExtractor.java:141)
        at java.base/java.util.Optional.orElseThrow(Optional.java:403)
        at 
org.pac4j.oidc.credentials.extractor.OidcCredentialsExtractor.extract(OidcCredentialsExtractor.java:141)
        at 
org.pac4j.core.client.BaseClient.getCredentials(BaseClient.java:80)
        at 
org.apereo.cas.authentication.principal.DefaultDelegatedAuthenticationCredentialExtractor.lambda$getCredentialsFromDelegatedClient$2(DefaultDelegatedAuthenticationCredentialExtractor.java:50)
        at 
org.apereo.cas.util.function.FunctionUtils.lambda$doAndHandle$12(FunctionUtils.java:425)
        at 
org.apereo.cas.authentication.principal.DefaultDelegatedAuthenticationCredentialExtractor.getCredentialsFromDelegatedClient(DefaultDelegatedAuthenticationCredentialExtractor.java:54)
        at 
org.apereo.cas.authentication.principal.DefaultDelegatedAuthenticationCredentialExtractor.extract(DefaultDelegatedAuthenticationCredentialExtractor.java:30)
        at 
org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction.lambda$populateContextWithClientCredential$6(DelegatedClientAuthenticationAction.java:255)
        at 
java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197)
        at 
java.base/java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:179)
        at 
java.base/java.util.AbstractList$RandomAccessSpliterator.tryAdvance(AbstractList.java:708)
        at 
java.base/java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:129)
        at 
java.base/java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:527)
        at 
java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:513)
        at 
java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
        at 
java.base/java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:150)
        at 
java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
        at 
java.base/java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:647)


Actual working flow on 7.2


2026-02-19 11:09:55,610 DEBUG 
[org.apereo.cas.ticket.registry.AbstractMapBasedTicketRegistry] - <Putting 
ticket [TST-dbf06ff0-3d72-46e3-9f71-4d848732222b] in registry.>
2026-02-19 11:09:55,610 DEBUG 
[org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager] 
- <Located delegated client identifier 
[TST-1-****************I1iEQpe-9aae8cc0bfc1]>
2026-02-19 11:09:55,611 DEBUG 
[org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager] 
- <Located delegated authentication client identifier as 
[TST-1-****************I1iEQpe-9aae8cc0bfc1]>
2026-02-19 11:09:55,611 DEBUG 
[org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager] 
- <Removing delegated client identifier 
[TST-1-****************I1iEQpe-9aae8cc0bfc1] from registry>
2026-02-19 11:09:55,612 DEBUG 
[org.apereo.cas.ticket.registry.AbstractTicketRegistry] - 
