I found the commit which changed pac4j session behaviour: https://github.com/apereo/cas/commit/2fbee582903a60dcfd5522c95f50ab2e728d1312
Le jeudi 19 février 2026 à 13:27:33 UTC+1, Louis Chanouha a écrit : > Hello, > I'm currently upgrading my CAS from 7.2 to 7.3. > I have an regression on my PAC4j delegated OIDC. > > Did anyone experienced this issue or is aware of changes on 7.3 ? I did'nt > see linked changes on CAS 7.3 RC's changelog > > Thanks :) > > 2026-02-19 11:16:56,739 DEBUG > [org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationRedirectAction] > - <Redirecting client [FranceConnect] based on identifier > [TST-1-****************TBp-pP6-7f3c2b761bc8]> > 2026-02-19 11:16:56,740 DEBUG > [org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationRedirectAction] > - <Redirecting to [ > https://fcp-low.integ01.dev-franceconnect.fr/api/v2/authorize?scope=openid%20given_name%20family_name%20birthdate%20birthplace%20birthcountry%20preferred_username&acr_values=eidas1&claims=%7B%22id_token%22%3A%7B%22amr%22%3A%7B%22essential%22%3Atrue%7D%7D%7D&response_type=code&redirect_uri=https%3A%2F%2Fcas-dev.fqdn.fr%2Fcas%2Flogin%2FFranceConnect&state=12345&nonce=6789] > > via client [FranceConnect]> > // LOGIN // > 2026-02-19 11:17:08,596 DEBUG > [org.apereo.cas.web.flow.controller.DefaultDelegatedAuthenticationNavigationController] > > - <Received response from client [FranceConnect]; Redirecting to [ > https://cas-dev.fqdn.fr/cas/login?code=oBJ74fVZvkezMQSdu5L7NNVUoJwhgcwzZlOOryIEMXg&state=999&iss=https%3A%2F%2Ffcp-low.integ01.dev-franceconnect.fr%2Fapi%2Fv2&client_name=FranceConnect > ]> > > > > *2026-02-19 11:17:08,667 DEBUG > [org.apereo.cas.web.flow.CasFlowHandlerMapping] - <Mapped to > [FlowHandlerMapping.DefaultFlowHandler@24f51b6c]>2026-02-19 11:17:08,672 > DEBUG > [org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager] > - <Located delegated client identifier []>2026-02-19 11:17:08,672 INFO > [org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager] > - <Delegated client identifier [] is undefined in request URL > [https://cas-dev.fqdn.fr/cas/login?code=oBJ74fVZvkezMQSdu5L7NNVUoJwhgcwzZlOOryIEMXg&state=999&iss=https%3A%2F%2Ffcp-low.integ01.dev-franceconnect.fr%2Fapi%2Fv2&client_name=FranceConnect > > <https://cas-dev.fqdn.fr/cas/login?code=oBJ74fVZvkezMQSdu5L7NNVUoJwhgcwzZlOOryIEMXg&state=999&iss=https%3A%2F%2Ffcp-low.integ01.dev-franceconnect.fr%2Fapi%2Fv2&client_name=FranceConnect>]>2026-02-19 > > 11:17:08,673 DEBUG > [org.apereo.cas.authentication.principal.DefaultDelegatedAuthenticationCredentialExtractor] > > - <Fetching credentials from delegated client > [OidcClient(super=IndirectClient(super=BaseClient(name=FranceConnect, > authorizationGenerators=[],* > credentialsExtractor=org.pac4j.oidc.credentials.extractor.OidcCredentialsExtractor@6fae47b2, > > authenticator=org.pac4j.oidc.credentials.authenticator.OidcAuthenticator@419b23f3, > > profileCreator=InitializableObject(initialized=false, maxAttempts=3, > nbAttempts=0, lastAttempt=null, > minTimeIntervalBetweenAttemptsInMilliseconds=5000), > customProperties={autoRedirectType=NONE, cssClass=franceconnect, > displayName=Se connecter avec France Connect}, > profileFactoryWhenNotAuthenticated=null, multiProfile=false, > saveProfileInSession=true, config=null), callbackUrl= > https://cas-dev.fqdn.fr/cas/login, > urlResolver=org.pac4j.core.http.url.DefaultUrlResolver@61f7cde6, > callbackUrlResolver=org.pac4j.core.http.callback.PathParameterCallbackUrlResolver@42780018, > > ajaxRequestResolver=org.pac4j.core.http.ajax.DefaultAjaxRequestResolver@f94a4b5, > > redirectionActionBuilder=org.pac4j.oidc.redirect.OidcRedirectionActionBuilder@71eb34d1, > > logoutProcessor=org.pac4j.oidc.logout.processor.OidcLogoutProcessor@2e2c5ff7, > logoutActionBuilder=org.pac4j.oidc.logout.OidcLogoutActionBuilder@2cd6e2ea, > checkAuthenticationAttempt=true), > configuration=OidcConfiguration(clientId=377f9c3fd633bb7f85362d6b97aea642101916336709c051c3d0816fd83e4e0e, > > discoveryURI= > https://fcp-low.integ01.dev-franceconnect.fr/api/v2/.well-known/openid-configuration, > > scope=openid,given_name,family_name,birthdate,birthplace,birthcountry,preferred_username, > > customParams={claims={"id_token": {"amr": {"essential": true } } }, > acr_values=eidas1}, clientAuthenticationMethod=null, > supportedClientAuthenticationMethods=null, > privateKeyJWTClientAuthnMethodConfig=null, useNonce=true, disablePkce=true, > pkceMethod=null, preferredJwsAlgorithm=ES256, maxAge=null, maxClockSkew=5, > resourceRetriever=org.pac4j.oidc.config.OidcConfiguration$OidcResourceRetriever@6cd4ac9, > > responseType=code, responseMode=null, logoutUrl=null, connectTimeout=5000, > readTimeout=5000, withState=true, mappedClaims={}, > stateGenerator=org.pac4j.core.util.generator.RandomValueGenerator@2ea8bb7d, > codeVerifierGenerator=org.pac4j.core.util.generator.RandomValueGenerator@62378ab8, > > valueRetriever=org.pac4j.oidc.util.SessionStoreValueRetriever@79edf5a6, > expireSessionWithToken=false, tokenExpirationAdvance=0, > allowUnsignedIdTokens=false, includeAccessTokenClaimsInProfile=false, > sslSocketFactory=sun.security.ssl.SSLSocketFactoryImpl@188d92f9, > callUserInfoEndpoint=true, > hostnameVerifier=org.apache.hc.client5.http.ssl.DefaultHostnameVerifier@151a6350, > > opMetadataResolver=InitializableObject(initialized=true, maxAttempts=3, > nbAttempts=1, lastAttempt=1771499816004, > minTimeIntervalBetweenAttemptsInMilliseconds=5000), > logoutValidation=true))]> > 2026-02-19 11:17:08,676 DEBUG > [org.pac4j.oidc.credentials.extractor.OidcCredentialsExtractor] - > <Authentication response successful> > 2026-02-19 11:17:08,780 DEBUG > [org.pac4j.core.resource.SpringResourceLoader] - <lastModified: 0 / > newLastModified: 0 -> hasChanged: false> > 2026-02-19 11:17:08,781 DEBUG [org.pac4j.oidc.client.OidcClient] - <no > credentials and profile returned -> remember the authentication attempt> > 2026-02-19 11:17:08,781 DEBUG [org.pac4j.oidc.client.OidcClient] - <save > authentication attempt in session> > 2026-02-19 11:17:08,781 DEBUG > [org.apereo.cas.ticket.registry.AbstractMapBasedTicketRegistry] - <Putting > ticket [TST-844ad5a8-c34c-46ef-9dc0-dd2242cfa147] in registry.> > 2026-02-19 11:17:08,784 WARN [org.apereo.cas.util.function.FunctionUtils] > - <State cannot be determined> > org.pac4j.oidc.exceptions.OidcMissingSessionStateException: State cannot > be determined > at > org.pac4j.oidc.credentials.extractor.OidcCredentialsExtractor.lambda$extract$0(OidcCredentialsExtractor.java:141) > at java.base/java.util.Optional.orElseThrow(Optional.java:403) > at > org.pac4j.oidc.credentials.extractor.OidcCredentialsExtractor.extract(OidcCredentialsExtractor.java:141) > at > org.pac4j.core.client.BaseClient.getCredentials(BaseClient.java:80) > at > org.apereo.cas.authentication.principal.DefaultDelegatedAuthenticationCredentialExtractor.lambda$getCredentialsFromDelegatedClient$2(DefaultDelegatedAuthenticationCredentialExtractor.java:50) > at > org.apereo.cas.util.function.FunctionUtils.lambda$doAndHandle$12(FunctionUtils.java:425) > at > org.apereo.cas.authentication.principal.DefaultDelegatedAuthenticationCredentialExtractor.getCredentialsFromDelegatedClient(DefaultDelegatedAuthenticationCredentialExtractor.java:54) > at > org.apereo.cas.authentication.principal.DefaultDelegatedAuthenticationCredentialExtractor.extract(DefaultDelegatedAuthenticationCredentialExtractor.java:30) > at > org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction.lambda$populateContextWithClientCredential$6(DelegatedClientAuthenticationAction.java:255) > at > java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197) > at > java.base/java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:179) > at > java.base/java.util.AbstractList$RandomAccessSpliterator.tryAdvance(AbstractList.java:708) > at > java.base/java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:129) > at > java.base/java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:527) > at > java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:513) > at > java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499) > at > java.base/java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:150) > at > java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) > at > java.base/java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:647) > > > Actual working flow on 7.2 > > > 2026-02-19 11:09:55,610 DEBUG > [org.apereo.cas.ticket.registry.AbstractMapBasedTicketRegistry] - <Putting > ticket [TST-dbf06ff0-3d72-46e3-9f71-4d848732222b] in registry.> > 2026-02-19 11:09:55,610 DEBUG > [org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager] > - <Located delegated client identifier > [TST-1-****************I1iEQpe-9aae8cc0bfc1]> > 2026-02-19 11:09:55,611 DEBUG > [org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager] > - <Located delegated authentication client identifier as > [TST-1-****************I1iEQpe-9aae8cc0bfc1]> > 2026-02-19 11:09:55,611 DEBUG > [org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager] > - <Removing delegated client identifier > [TST-1-****************I1iEQpe-9aae8cc0bfc1] from registry> > 2026-02-19 11:09:55,612 DEBUG > [org.apereo.cas.ticket.registry.AbstractTicketRegistry] - > -- - Website: https://apereo.github.io/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/603d5e78-2c06-42cf-a430-987df4376d0bn%40apereo.org.
