[cas-user] Re: CAS5 intermittent login loop

2016-12-15 Thread Baron Fujimoto 
In case anyone else encounters this or for future reference, we were
able to isolate and replicate the problem, and it's now being tracked
here: 

On Fri, Dec 02, 2016 at 03:13:39PM -1000, Baron Fujimoto wrote:
>We're trying to troubleshoot an intermittent problem some of our users
>have been reporting with CAS5 (RC4). The behavior being reported is that
>that after providing their credentials at the login page, they are simply
>returned to the login page again with no error. Unfortunately we have not
>yet been able to reliably reproduce the problem.
>
>It appears from the logs that the user may be attempting to access the app
>with an invalid TGT. It's not clear to me how or where the TGT is being
>"mishandled" though. I've pulled a couple of incidents from out logs:
>
>#
># user1 #
>#
>
>User1 logs in and is issued a TGT
>
>2016-11-29 09:25:27,647 INFO 
>[org.apereo.cas.adaptors.duo.authn.web.DuoAuthenticationHandler] - Duo authentication for [user1]>
>2016-11-29 09:25:27,647 INFO 
>[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
>org.apereo.cas.adaptors.duo.authn.web.DuoCredential@10x8[username=user1,signedDuoResponse=AUTH|dGxx...xx]>
>2016-11-29 09:25:27,663 DEBUG 
>[org.apereo.cas.ticket.registry.DefaultTicketRegistry] - [TGT-***PwWjCaS35u-cas01] to 
>registry.>
>
>User1 logs in again later is issued a new TGT
>
>2016-11-29 15:17:41,553 INFO 
>[org.apereo.cas.adaptors.duo.authn.web.DuoAuthenticationHandler] - Duo authentication for [user1]>
>2016-11-29 15:17:41,554 INFO 
>[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
>org.apereo.cas.adaptors.duo.authn.web.DuoCredential@1cx9[username=user1,signedDuoResponse=AUTH|dGxx...xx]>
>2016-11-29 15:17:41,570 DEBUG 
>[org.apereo.cas.ticket.registry.DefaultTicketRegistry] - [TGT-***DbtsqgSBiQ-cas01] to 
>registry.>
>
>A ST is successfully granted and validated using that TGT
>
>2016-11-29 15:17:41,585 INFO [org.apereo.cas.CentralAuthenticationServiceImpl] 
>- [https://www.hawaii.edu/casl2/login?service=https%3A%2F%2Ffoo.hawaii.edu%2Fkfs-prd%2Fportal.do=true]
> and principal [user1]>
>2016-11-29 15:17:41,585 DEBUG 
>[org.apereo.cas.CentralAuthenticationServiceImpl] - org.apereo.cas.support.events.CasServiceTicketGrantedEvent@30a6f889[ticketGrantingTicket=TGT-***DbtsqgSBiQ-cas01,serviceTicket=ST-302853-XDJxwx5MnntO5cPU-PwWjCaS35ucas01]>
>2016-11-29 15:17:41,611 DEBUG 
>[org.apereo.cas.CentralAuthenticationServiceImpl] - org.apereo.cas.support.events.CasServiceTicketValidatedEvent@157c27ed[assertion=org.apereo.cas.authentication.DefaultAuthentication@99a0bcfc:https://www.hawaii.edu/casl2/login?service=https%3A%2F%2Ffoo.hawaii.edu%2Fkfs-prd%2Fportal.do=true,serviceTicket=ST-302853-XDJDK6Jgwx5MnntO5cPU-cas01]>
>
>A short while later, there's a different AuthN for the same app (LDAP vs
>Duo?), but CAS fails to issue a ST
>
>2016-11-29 15:33:24,106 DEBUG 
>[org.apereo.cas.web.support.DefaultArgumentExtractor] - https://www.hawaii.edu/casl2/login?service=https%3A%2F%2Ffoo.hawaii.edu%2Fkfs-prd%2Fportal.do%3FchannelTitle%3DAction%2520List%26channelUrl%3Dhttps%3A%2F%2Ffoo.hawaii.edu%2Fkfs-prd%2Fkew%2FActionList.do=true
> based on 
>org.apereo.cas.authentication.principal.WebApplicationServiceFactory@324cde8c>
>2016-11-29 15:33:24,122 INFO 
>[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
>
>2016-11-29 15:33:24,126 DEBUG 
>[org.apereo.cas.authentication.DefaultAuthenticationResultBuilder] - an authentication result for authentication 
>org.apereo.cas.authentication.DefaultAuthentication@1d736a2 and service 
>https://www.hawaii.edu/casl2/login?service=https%3A%2F%2Ffoo.hawaii.edu%2Fkfs-prd%2Fportal.do%3FchannelTitle%3DAction%2520List%26channelUrl%3Dhttps%3A%2F%2Ffoo.hawaii.edu%2Fkfs-prd%2Fkew%2FActionList.do=true>
>2016-11-29 15:33:24,126 DEBUG 
>[org.apereo.cas.CentralAuthenticationServiceImpl] - [TGT-***PwWjCaS35u-cas01] by 
>type [TicketGrantingTicket] cannot be found in the ticket registry.>
>
>Note that it is attempting to use the old TGT. I can't find evidence in
>the logs that the old PwWjCaS35u-cas01 ticket was removed. I think it is
>at this point that the user is returned to the login screen again. I find
>this general sequence of events repeated in the logs. Service tickets are
>not issued, and always correlated with the DEBUG that the
>"TGT-***PwWjCaS35u-cas01] by type [TicketGrantingTicket] cannot be found".
>
>#
># user2 #
>#
>
>User2 logs in and is issues a TGT
>
>2016-11-29 14:50:49,891 INFO 
>[org.apereo.cas.adaptors.duo.authn.web.DuoAuthenticationHandler] - Duo authentication for [user2]>
>2016-11-29 14:50:49,891 INFO

Re: [cas-user] JPA-Ticket-Registry on postgres

2016-12-15 Thread Ray Bon 
Hal,

Lots of questions. I will tackle JPA.

I have been going through some angst trying to get JPA to jive with
Oracle (no success, I think it is a hibernate 5 issue not CAS 4.2.6). I
extracted the create/alter statements and created the tables manually
(sql below). Manual table creation means you will have to check the
domain classes for changes when upgrading and apply the appropriate
alter statements. The default ddlAuto is 'create-drop' so you _must_
provide a value when going to production. Any value will do. If
'validate' is not working, try 'update', if that does not work try
'donothing' or 'ignore' or 'blah' and hibernate will skip over ddlAuto
behaviour.

Ray

Sql for Oracle including fields required by services management application:


create sequence hibernate_sequence start with 1 increment by 1;

create table RegisteredServiceImplProperty (
  id number(19, 0) not null,
  property_values blob,
  primary key (id)
);

create table RegisteredServiceImpl (
  id number(19, 0) NOT NULL ENABLE,
  access_strategy blob,
  attribute_release blob,
  bypassApprovalPrompt varchar(255),
  clientId varchar(255),
  clientSecret varchar(255),
  description varchar(255) not null,
  evaluation_order integer not null,
  expression_type VARCHAR(15) DEFAULT 'ant' not null,
  logo varchar(255),
  logout_type integer,
  logout_url varchar(255),
  name varchar(255) not null,
  proxy_policy blob,
  public_key blob,
  required_handlers blob,
  serviceId varchar(255) not null,
  theme varchar(255),
  username_attr blob,
  primary key (id)
);

create table RegisteredServiceImpl_Props (
  AbstractRegisteredService_id number(19, 0) not null,
  properties_id number(19, 0) not null,
  properties_KEY varchar(255) not null,
  primary key (AbstractRegisteredService_id, properties_KEY)
);

alter table RegisteredServiceImpl_Props
  add constraint FK_Property
  foreign key (properties_id)
  references RegisteredServiceImplProperty;

alter table RegisteredServiceImpl_Props
  add constraint FK_RegisteredServiceImpl
  foreign key (AbstractRegisteredService_id)
  references RegisteredServiceImpl;

On 2016-12-15 08:19, Hal Deadman wrote:
> I am trying to use the JPA ticket registry in 5.0.1 with Postgres. I
> can't find any DDL to create the schema so I am letting hibernate
> create the tables.
>  
> In this document
> https://apereo.github.io/cas/5.0.x/installation/JPA-Ticket-Registry.html
> they describe four options for ddlAuto:
>
> validate - validate the schema, but make no changes to the database.
> update - update the schema.
> create - create the schema, destroying previous data.
> create-drop - drop the schema at the end of the session.
>
> If I want to have multiple CAS servers pointing at the same set of
> tables in the same DB, it doesn't seem like create or create-drop
> would make sense because they both appear to drop the tables on
> start-up. The OID of the table changes with the create option on
> startup so i assume it is re-creating the table.
>
> I would like to use "validate" but after letting the tables be created
> using the "create" option the validate options fails with an error like:
>
> Caused by: org.hibernate.tool.schema.spi.SchemaManagementException:
> Schema-valid
> ation: wrong column type encountered in column [lockVer] in table
> [locks]; found
>  [int4 (Types#INTEGER)], but expecting [integer default 0 (Types#BIGINT)]
>
> The DDL for the table extracted by pgAdmin shows the column is:
> "lockVer integer NOT NULL DEFAULT 0" which seems to be what it is
> expecting.
>
>
> I can start up CAS with ddlAuto set to "update" but when I login I get
> an an error:
>
> 
> 2016-12-15 09:52:16,249 ERROR
> [org.apereo.cas.ticket.registry.JpaTicketRegistry]
>  -  TGT-**3osVS
> fZwtw-XYZXYZXYZV from registry.>
>
> If I set jpaLockingTgtEnabled to false then I can login but it seems
> like locking should work in postgres. It appears
> that DefaultTicketRegistrySupport is @Transactional readonly=true and
> the getAuthenticatedPrincipalFrom method starts a read-only
> transaction which eventually fails when hibernate tries to lock row
> with "for update" clause. Is there another TicketRegistrySupport bean
> I should be using?
>
>
> A possibly related issue, I am seeing the DefaultTicketRegistry bean
> being created from CasCoreTicketsConfiguration despite the bean being
> @ConditionalOnMissingBean(name = "ticketRegistry"). The
> jpaTicketRegistry bean which appears to be aliased to ticketRegistry
> is definitely being used so I am not sure why the
> DefaultTicketRegistry bean is being created.
>
>
> To summarize:
>  - JPA ticket registry seems to be working but the ddlAuto validate
> doesn't seem to work (and create/create-drop seem no better than
> in-memory if they are lost on restart)
>  - jpa locking is not working for me
>  - I don't know why the DefaultTicketRegistry bean is being created. 
>
>
> -- 
> - CAS gitter chatroom: https://gitter.im/apereo/cas
> - CAS mailing

Re: [cas-user] mod_auth_cas 1.1

2016-12-15 Thread David Hawes 
I see no mod_auth_cas configuration here.

On 13 December 2016 at 18:44, Chris Cheltenham
 wrote:
> David,
>
> Again I appreciate your help.
>
>
>
> -Original Message-
> From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of David 
> Hawes
> Sent: Tuesday, December 13, 2016 10:52 AM
> To: CAS Community
> Subject: Re: [cas-user] mod_auth_cas 1.1
>
> On 12 December 2016 at 17:57, Chris Cheltenham  
> wrote:
>> David,
>>
>> He mod_auth_cas is attached.
>
> Can you post your Apache config?
>
> --
> - CAS gitter chatroom: https://gitter.im/apereo/cas
> - CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
> - CAS documentation website: https://apereo.github.io/cas
> - CAS project website: https://github.com/apereo/cas
> ---
> You received this message because you are subscribed to the Google Groups 
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit 
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAgu-wD4aDf-BD4gi9Hh%3D1yexiUy6W9R5XXaOdZ8UUfwooQVCA%40mail.gmail.com.
>
> --
> - CAS gitter chatroom: https://gitter.im/apereo/cas
> - CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
> - CAS documentation website: https://apereo.github.io/cas
> - CAS project website: https://github.com/apereo/cas
> ---
> You received this message because you are subscribed to the Google Groups 
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit 
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/MWHPR17MB121344956B0FE8DF4F160582C49B0%40MWHPR17MB1213.namprd17.prod.outlook.com.

-- 
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAgu-wDSqEY98VALi8N4Q-iq%2B1F4TsKG3Fo8K2ng7qjNja%3Dsqw%40mail.gmail.com.

RE: [cas-user] CAS 5.0.x embedded Tomcat in production environment

2016-12-15 Thread Misagh Moayyed 

I was wondering if the embedded Tomcat in CAS 5.0.x is deemed fit for use in 
a production environment. E.g. will CAS receive timely security updates if 
any security issues are reported for the embedded Tomcat.

Yes. There will be security updates. Timely basically translates to the CAS 
release schedule and policy. If that model suits you, sure.



[..]
Embedded
Note that CAS itself ships with an embedded Tomcat container that allows the 
platform to be self contained as much as possible. You DO NOT need to 
configure and deploy to an externally configured container.
[..]

Which kind of sounds like it is somewhat supported :)



What it tries to imply is that in general, Tomcat-related questions should 
be routed to the Tomcat folks. (i.e. “Why isn’t the proxy port working?”)



-- 
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/006601d256e6%24d91f%248b5d%24%40unicon.net.

Re: [cas-user] Re: Authorize request verification fails with OAuth and CAS 5.0.x

2016-12-15 Thread Todd Pratt 
Hi,

I appreciate all the help.  That check succeeds, see the log statements 
below.  It fails on isRequestAuthenticated in OAuth20AuthorizeController
https://github.com/apereo/cas/blob/master/support/cas-server-support-oauth/src/main/java/org/apereo/cas/support/oauth/web/OAuth20AuthorizeController.java#L85
https://github.com/apereo/cas/blob/master/support/cas-server-support-oauth/src/main/java/org/apereo/cas/support/oauth/web/OAuth20AuthorizeController.java#L108
  

There isn't a profile in the session or request attributes.  I printed both 
of those out and couldn't find one for Pac4jConstants.USER_PROFILES ("
pac4jUserProfile")


2016-12-15 09:53:52,309 DEBUG 
[org.apereo.cas.support.oauth.validator.OAuthValidator] - ,principalAttributesRepository=org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository@7f17e342[],authorizedToReleaseCredentialPassword=false,authorizedToReleaseProxyGrantingTicket=false,allowedAttributes=[]],accessStrategy=org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy@27dc818c[enabled=true,ssoEnabled=true,requireAllAttributes=true,requiredAttributes={},unauthorizedRedirectUrl=,caseInsensitive=false,rejectedAttributes={}],publicKey=,proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@5761f513,logo=,logoutUrl=,requiredHandlers=[],properties={},multifactorPolicy=org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy@342a60c3[multifactorAuthenticationProviders=[],failureMode=CLOSED,principalAttributeNameTrigger=,principalAttributeValueToMatch=,clientId=fb3s86QV9QKl,approvalPrompt=false,generateRefreshToken=false,jsonFormat=true,jwks=,signIdToken=false]>

2016-12-15 09:53:52,310 DEBUG 
[org.apereo.cas.support.oauth.validator.OAuthValidator] - ,principalAttributesRepository=org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository@7f17e342[],authorizedToReleaseCredentialPassword=false,authorizedToReleaseProxyGrantingTicket=false,allowedAttributes=[]],accessStrategy=org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy@27dc818c[enabled=true,ssoEnabled=true,requireAllAttributes=true,requiredAttributes={},unauthorizedRedirectUrl=,caseInsensitive=false,rejectedAttributes={}],publicKey=,proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@5761f513,logo=,logoutUrl=,requiredHandlers=[],properties={},multifactorPolicy=org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy@342a60c3[multifactorAuthenticationProviders=[],failureMode=CLOSED,principalAttributeNameTrigger=,principalAttributeValueToMatch=,clientId=fb3s86QV9QKl,approvalPrompt=false,generateRefreshToken=false,jsonFormat=true,jwks=,signIdToken=false]
 
vs redirectUri: http://localhost:8080/oauth_client>

2016-12-15 09:53:52,313 ERROR 
[org.apereo.cas.support.oauth.web.OAuth20AuthorizeController] - 


On Thursday, December 15, 2016 at 3:27:05 AM UTC-5, leleuj wrote:
>
> Hi,
>
> Here is the check: 
> https://github.com/apereo/cas/blob/master/support/cas-server-support-oauth/src/main/java/org/apereo/cas/support/oauth/validator/OAuth20Validator.java#L78
>
> Can you debug it to see what's going on?
>
> Thanks.
> Best regards,
> Jérôme
>
>
> 2016-12-14 17:13 GMT+01:00 Todd Pratt :
>
>> Hi Jérôme,
>>
>> I've tried several values for serviceId and can't find one that will work 
>> I get the same error each time.  I need it to redirect back to 
>> http://localhost:8080/oauth_client.  Could you please tell me what I'm 
>> doing wrong with the following 
>>
>> {
>>   "@class" : "org.apereo.cas.services.OidcRegisteredService",
>>   "clientId": "fb3s86QV9QKl",
>>   "clientSecret": "VgWn3ysT24gZo66K",
>>   "serviceId" : "^http://localhost:8080/oauth_client;,
>>   "signIdToken": "false",
>>   "name": "OIDC",
>>   "id": 1000,
>>   "evaluationOrder": 100
>> }
>>
>>
>>
>> Thank you,
>> Todd
>>
>>
>> On Wednesday, December 14, 2016 at 3:04:12 AM UTC-5, leleuj wrote:
>>>
>>> Hi,
>>>
>>> Sure. This error happens when you have not properly configured the 
>>> serviceId of the Oidc service, it must match the redirectUri.
>>>
>>> See the documentation: 
>>> https://apereo.github.io/cas/5.0.x/installation/OIDC-Authentication.html
>>>
>>>
>>> {
>>>   "@class" : "org.apereo.cas.services.OidcRegisteredService",
>>>   "clientId": "client",
>>>   "clientSecret": "secret",
>>>   "serviceId" : "^",
>>>   "signIdToken": true,
>>>   "name": "OIDC",
>>>   "id": 1000,
>>>   "evaluationOrder": 100,
>>>   "jwks": "..."}
>>>
>>>
>>>
>>> Thanks.
>>> Best regards,
>>> Jérôme
>>>
>>>
>>> 2016-12-13 21:12 GMT+01:00 Misagh Moayyed :
>>>
 Feel free to submit an issue. Jérôme might have a few ideas. It would 
 also be helpful if you could pack your client into a shape that can be 
 tested and run by someone else. If you do [and you should], reference its 
 location in the issue.

  

 --Misagh

  

 *From:* cas-...@apereo.org [mailto:cas-...@apereo.org]

Re: [cas-user] Re: Authorize request verification fails with OAuth and CAS 5.0.x

2016-12-15 Thread Jérôme LELEU 
Hi,

Here is the check:
https://github.com/apereo/cas/blob/master/support/cas-server-support-oauth/src/main/java/org/apereo/cas/support/oauth/validator/OAuth20Validator.java#L78

Can you debug it to see what's going on?

Thanks.
Best regards,
Jérôme


2016-12-14 17:13 GMT+01:00 Todd Pratt :

> Hi Jérôme,
>
> I've tried several values for serviceId and can't find one that will work
> I get the same error each time.  I need it to redirect back to
> http://localhost:8080/oauth_client.  Could you please tell me what I'm
> doing wrong with the following
>
> {
>   "@class" : "org.apereo.cas.services.OidcRegisteredService",
>   "clientId": "fb3s86QV9QKl",
>   "clientSecret": "VgWn3ysT24gZo66K",
>   "serviceId" : "^http://localhost:8080/oauth_client;,
>   "signIdToken": "false",
>   "name": "OIDC",
>   "id": 1000,
>   "evaluationOrder": 100
> }
>
>
>
> Thank you,
> Todd
>
>
> On Wednesday, December 14, 2016 at 3:04:12 AM UTC-5, leleuj wrote:
>>
>> Hi,
>>
>> Sure. This error happens when you have not properly configured the
>> serviceId of the Oidc service, it must match the redirectUri.
>>
>> See the documentation: https://apereo.github.io/cas/5
>> .0.x/installation/OIDC-Authentication.html
>>
>>
>> {
>>   "@class" : "org.apereo.cas.services.OidcRegisteredService",
>>   "clientId": "client",
>>   "clientSecret": "secret",
>>   "serviceId" : "^",
>>   "signIdToken": true,
>>   "name": "OIDC",
>>   "id": 1000,
>>   "evaluationOrder": 100,
>>   "jwks": "..."}
>>
>>
>>
>> Thanks.
>> Best regards,
>> Jérôme
>>
>>
>> 2016-12-13 21:12 GMT+01:00 Misagh Moayyed :
>>
>>> Feel free to submit an issue. Jérôme might have a few ideas. It would
>>> also be helpful if you could pack your client into a shape that can be
>>> tested and run by someone else. If you do [and you should], reference its
>>> location in the issue.
>>>
>>>
>>>
>>> --Misagh
>>>
>>>
>>>
>>> *From:* cas-...@apereo.org [mailto:cas-...@apereo.org] *On Behalf Of *Todd
>>> Pratt
>>> *Sent:* Tuesday, December 13, 2016 11:21 AM
>>> *To:* CAS Community 
>>> *Subject:* [cas-user] Re: Authorize request verification fails with
>>> OAuth and CAS 5.0.x
>>>
>>>
>>>
>>> The authorization url that is generated is
>>>
>>>
>>>
>>> https://cas.mydomain.com:8443/cas/oauth2.0/authorize/?client
>>> _id=fb3s86QV9QKl_uri=http://localhost:8080/oauth_
>>> client_type=code=openid
>>>
>>>
>>>
>>>
>>> On Monday, December 12, 2016 at 4:51:17 PM UTC-5, Todd Pratt wrote:
>>>
>>> Hi,
>>>
>>>
>>>
>>> I'm trying to setup OpenID/OAuth2 on CAS 5.0.x using the war overlay
>>> template.  I included three dependencies, cas-server-support-oidc, 
>>> cas-server-support-ldap
>>> and cas-server-support-json-service-registry.  I built the management
>>> webapp using that overlay template and I successfully logged into the
>>> management app using the ldap authentication I setup.  Now I'm trying to
>>> setup a service provider for OpenID/OAuth2 and I keep getting an error page
>>> with my test application that says "Application Not Authorized to use CAS"
>>> instead of redirecting to the login page.  I've used this test client with
>>> other servers and it seems to work.  I enabled debugging and looking
>>> through the code it looks it found my provider I defined but then it fails
>>> at OAuth20AuthorizeController.isRequestAuthenticated() returns false.
>>> The method isRequestAuthenticated() seems to look for a profile in the
>>> session which isn't there.  Is there something I'm missing?  Below is the
>>> portion of the log.
>>>
>>>
>>>
>>>
>>>
>>> 2016-12-12 13:09:40,226 DEBUG 
>>> [org.apereo.cas.support.oauth.validator.OAuthValidator]
>>> - 
>>>
>>> 2016-12-12 13:09:40,227 DEBUG 
>>> [org.apereo.cas.support.oauth.validator.OAuthValidator]
>>> - http://localhost:8080/oauth_client>
>>>
>>> 2016-12-12 13:09:40,227 DEBUG 
>>> [org.apereo.cas.support.oauth.validator.OAuthValidator]
>>> - 
>>>
>>> 2016-12-12 13:09:40,227 DEBUG [org.apereo.cas.support.oauth.
>>> web.OAuth20AuthorizeController] - 
>>>
>>> 2016-12-12 13:09:40,228 DEBUG 
>>> [org.apereo.cas.support.oauth.validator.OAuthValidator]
>>> - >> gisteredService@66d09fb6[attributeFilter=,princip
>>> alAttributesRepository=org.apereo.cas.authentication.prin
>>> cipal.DefaultPrincipalAttributesRepository@2027a3cc[],author
>>> izedToReleaseCredentialPassword=false,authorizedToReleasePro
>>> xyGrantingTicket=false],accessStrategy=org.apereo.cas.servic
>>> es.DefaultRegisteredServiceAccessStrategy@f9e67c0[enabled=
>>> true,ssoEnabled=true,requireAllAttributes=false,requiredAttr
>>> ibutes={},unauthorizedRedirectUrl=,caseInsensitive=
>>> false,rejectedAttributes={}],publicKey=,proxyPolicy=or
>>> g.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@
>>> 2e202d9f,logo=,logoutUrl=,requiredHandlers=[],pr
>>> operties={},multifactorPolicy=org.apereo.cas.services.Defaul
>>> tRegisteredServiceMultifactorPolicy@6dd174aa[multifactorAuth
>>>