Re: [cas-user] Re: CAS OIDC 403 forbidden

2020-05-25 Thread Linos Giannopoulos
Hey,

I have a similar setup to that of Charl's and I encountered the same issue  
with 6.1.6. Indeed, downgrading to 6.0 works as expected.
I have not tried 6.2.x yet.

If you need any extra information, or you have any pointers in terms of 
where to look, let me know.

~lgian

On Wednesday, May 20, 2020 at 5:15:38 PM UTC+3, Charl Thiem wrote:
>
> Hi Jérôme
>
> I've tried that too. Still no luck with CAS 6.1, 6.0 works fine
>
> Regards / Groete
> *Charl Thiem*
> Senior Developer | +07 (0) 21 970 4000 | in...@opencollab.co.za 
>  | www.opencollab.co.za | @opencollab
>
>
>
> On Wed, May 20, 2020 at 3:55 PM Jérôme Steve wrote:
>
>> Hi charl,
>>
>> Did you try adding the scopes to your service configuration? Like this:
>>
>> "scopes" : [ "java.util.HashSet", [ "openid"] ]
>>
>>
>>
>> On Wed, 20 May 2020 at 12:35, Charl Thiem wrote:
>>
>>> Hi there
>>>
>>> I tried that too with no luck. I think there is a bug in spring's pac4j 
>>> or pac4j itself. I had some places in my debugger stack trace where I could 
>>> see it never passes a check that is expected to pass... Just my guess I'm 
>>> no pac4j expert :D
>>>
>>> I downgraded to 6.0.7 instead of 6.1.6 and it now works as expected with 
>>> the same configuration - for what that info is worth...
>>>
>>>
>>> Regards / Groete
>>> *Charl Thiem*
>>> Senior Developer | +07 (0) 21 970 4000 | in...@opencollab.co.za 
>>>  | www.opencollab.co.za | @opencollab
>>>
>>>
>>>
>>> On Wed, May 20, 2020 at 12:00 PM Gandhi wrote:
>>>
 Hi, Can you try passing client_id and client_secret as params rather 
 than Basic Auth?

 On Tuesday, May 19, 2020 at 3:14:01 PM UTC+5:30, Charl Thiem wrote:
>
> Hi
>
> I need some help with OpenID Connect setup.
> I have my cas 6.1  instance configured with OIDC. I can authenticate 
> my user with
>
>
> https://demo.domain.co.za/cas/oidc/authorize?response_type=code&scope=openid&client_id=client&redirect_uri=https%3A%2F%2Fthe-redirect
>
> Which then returns the "code"
> https://the-redirect-uri/?*code=OC-3-Er9FLXhPgI7MLBoqfo0-SC1DRMgezkh6*
>
> Then when trying to get an authorization_code from it I get a 403
>
> curl --location --request POST '
> https://demo.domain.co.za/cas/oidc/token' \
> --header 'Authorization: Basic Y2xpZW50OnNlY3JldA==' \
> --header 'Content-Type: application/x-www-form-urlencoded' \
> --data-urlencode 'code=OC-1-9RHILYUUElF6YCOeWqSnK0BxuK8l1-bf' \
> --data-urlencode 'grant_type=authorization_code' \
> --data-urlencode 'redirect_uri=https://the-redirect-uri'
>
> {"timestamp":"2020-05-19T09:33:21.868+","status":403,"error":"Forbidden","message":"No message available","path":"/cas/oidc/token"}
>
> (The Authorization header does seem to work. I have the clientId and 
> client Secret in there. And if I change it I get a 401)
>
> I do not have any additional settings for OIDC in cas config, and I 
> have json service definition with the following
> {
>   "@class" : "org.apereo.cas.services.OidcRegisteredService",
>   "clientId": "client",
>   "clientSecret": "secret",
>   "serviceId" : "https://the-redirect-uri",
>   "name": "OIDC Test",
>   "id": 60,
>   "supportedResponseTypes":  [ "java.util.HashSet", [ "code" ] ],
>   "supportedGrantTypes":  [ "java.util.HashSet", [ 
> "authorization_code" ] ],
> }
>
> Any ideas what the issue with the 403 could be? 
>
>
> I'm running in debug mode and also couldn't find any useful logging.. 
> This is the output during the request for the authorization_code.
>
> 2020-05-19 11:38:52,750 DEBUG 
> [org.apereo.cas.support.oauth.web.endpoints.OAuth20AuthorizeEndpointController]
>  
> -  with 
> scopes [[openid]] for client id [client]>
> 2020-05-19 11:38:52,751 DEBUG 
> [org.apereo.cas.support.oauth.web.response.callback.OAuth20AuthorizationCodeAuthorizationResponseBuilder]
>  
> - 
> 2020-05-19 11:38:52,758 DEBUG 
> [org.apereo.cas.ticket.registry.JpaTicketRegistry] -  [OC-1-ZUSkKuijTf-JvqqPijjsEaMrVxRSRPGb] to registry.>
> 2020-05-19 11:38:52,783 DEBUG 
> [org.apereo.cas.support.oauth.web.response.callback.OAuth20AuthorizationCodeAuthorizationResponseBuilder]
>  
> -  https://the-redirect-uri]>
> 2020-05-19 11:38:52,783 DEBUG 
> [org.apereo.cas.support.oauth.web.response.callback.OAuth20AuthorizationCodeAuthorizationResponseBuilder]
>  
> -  https://the-redirect-uri?code=OC-1-ZUSkKuijTf-JvqqPijjsEaMrVxRSRPGb&state=af0ifjsldkj
> ]>
> 2020-05-19 11:38:52,786 DEBUG 
> [org.apereo.cas.support.oauth.util.OAuth20Utils] -  is 
> [NONE]>
> 2020-05-19 11:39:06,232 DEBUG 
> [org.apereo.cas.support.oauth.authenticator.OAuth20ClientIdClientSecretAuthenticator]
>  
> -  client | password: [PROTECTED] |]>
> 2020-05-19 11:39:06,232 DEBUG 
> 

Re: [cas-user] Re: CAS OIDC 403 forbidden

2020-05-20 Thread Charl Thiem
Hi Jérôme

I've tried that too. Still no luck with CAS 6.1, 6.0 works fine

Regards / Groete
*Charl Thiem*
Senior Developer | +07 (0) 21 970 4000 | i...@opencollab.co.za |
www.opencollab.co.za | @opencollab



On Wed, May 20, 2020 at 3:55 PM Jérôme Steve wrote:

> Hi charl,
>
> Did you try adding the scopes to your service configuration? Like this:
>
> "scopes" : [ "java.util.HashSet", [ "openid"] ]
>
>
>
> On Wed, 20 May 2020 at 12:35, Charl Thiem wrote:
>
>> Hi there
>>
>> I tried that too with no luck. I think there is a bug in spring's pac4j
>> or pac4j itself. I had some places in my debugger stack trace where I could
>> see it never passes a check that is expected to pass... Just my guess I'm
>> no pac4j expert :D
>>
>> I downgraded to 6.0.7 instead of 6.1.6 and it now works as expected with
>> the same configuration - for what that info is worth...
>>
>>
>> Regards / Groete
>> *Charl Thiem*
>> Senior Developer | +07 (0) 21 970 4000 | i...@opencollab.co.za |
>> www.opencollab.co.za | @opencollab
>>
>>
>>
>> On Wed, May 20, 2020 at 12:00 PM Gandhi wrote:
>>
>>> Hi, Can you try passing client_id and client_secret as params rather
>>> than Basic Auth?
>>>
>>> On Tuesday, May 19, 2020 at 3:14:01 PM UTC+5:30, Charl Thiem wrote:

 Hi

 I need some help with OpenID Connect setup.
 I have my cas 6.1  instance configured with OIDC. I can authenticate my
 user with


 https://demo.domain.co.za/cas/oidc/authorize?response_type=code&scope=openid&client_id=client&redirect_uri=https%3A%2F%2Fthe-redirect

 Which then returns the "code"
 https://the-redirect-uri/?*code=OC-3-Er9FLXhPgI7MLBoqfo0-SC1DRMgezkh6*

 Then when trying to get an authorization_code from it I get a 403

 curl --location --request POST '
 https://demo.domain.co.za/cas/oidc/token' \
 --header 'Authorization: Basic Y2xpZW50OnNlY3JldA==' \
 --header 'Content-Type: application/x-www-form-urlencoded' \
 --data-urlencode 'code=OC-1-9RHILYUUElF6YCOeWqSnK0BxuK8l1-bf' \
 --data-urlencode 'grant_type=authorization_code' \
 --data-urlencode 'redirect_uri=https://the-redirect-uri'

 {"timestamp":"2020-05-19T09:33:21.868+","status":403,"error":"Forbidden","message":"No
 message available","path":"/cas/oidc/token"}

 (The Authorization header does seem to work. I have the clientId and
 client Secret in there. And if I change it I get a 401)

 I do not have any additional settings for OIDC in cas config, and I
 have json service definition with the following
 {
   "@class" : "org.apereo.cas.services.OidcRegisteredService",
   "clientId": "client",
   "clientSecret": "secret",
   "serviceId" : "https://the-redirect-uri",
   "name": "OIDC Test",
   "id": 60,
   "supportedResponseTypes":  [ "java.util.HashSet", [ "code" ] ],
   "supportedGrantTypes":  [ "java.util.HashSet", [ "authorization_code"
 ] ],
 }

 Any ideas what the issue with the 403 could be?


 I'm running in debug mode and also couldn't find any useful logging..
 This is the output during the request for the authorization_code.

 2020-05-19 11:38:52,750 DEBUG
 [org.apereo.cas.support.oauth.web.endpoints.OAuth20AuthorizeEndpointController]
 - >>> scopes [[openid]] for client id [client]>
 2020-05-19 11:38:52,751 DEBUG
 [org.apereo.cas.support.oauth.web.response.callback.OAuth20AuthorizationCodeAuthorizationResponseBuilder]
 - 
 2020-05-19 11:38:52,758 DEBUG
 [org.apereo.cas.ticket.registry.JpaTicketRegistry] - >>> [OC-1-ZUSkKuijTf-JvqqPijjsEaMrVxRSRPGb] to registry.>
 2020-05-19 11:38:52,783 DEBUG
 [org.apereo.cas.support.oauth.web.response.callback.OAuth20AuthorizationCodeAuthorizationResponseBuilder]
 - >>> https://the-redirect-uri]>
 2020-05-19 11:38:52,783 DEBUG
 [org.apereo.cas.support.oauth.web.response.callback.OAuth20AuthorizationCodeAuthorizationResponseBuilder]
 - >>> https://the-redirect-uri?code=OC-1-ZUSkKuijTf-JvqqPijjsEaMrVxRSRPGb&state=af0ifjsldkj
 ]>
 2020-05-19 11:38:52,786 DEBUG
 [org.apereo.cas.support.oauth.util.OAuth20Utils] - >>> [NONE]>
 2020-05-19 11:39:06,232 DEBUG
 [org.apereo.cas.support.oauth.authenticator.OAuth20ClientIdClientSecretAuthenticator]
 - >>> client | password: [PROTECTED] |]>
 2020-05-19 11:39:06,232 DEBUG
 [org.apereo.cas.support.oauth.authenticator.OAuth20ClientIdClientSecretAuthenticator]
 - 
 2020-05-19 11:39:06,245 INFO
 [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - >>> trail record BEGIN
 =
 WHO: audit:unknown
 WHAT: [result=Service Access Granted,service=https://the-redirect-uri
 ,requiredAttributes={}]
 ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
 APPLICATION: CAS
 WHEN: Tue May 19 11:39:06 SAST 2020
 CLIENT IP ADDRESS: 172.18.0.1
 SERVER IP ADDRESS: 

Re: [cas-user] Re: CAS OIDC 403 forbidden

2020-05-20 Thread Jérôme Steve
Hi charl,

Did you try adding the scopes to your service configuration? Like this:

"scopes" : [ "java.util.HashSet", [ "openid"] ]



On Wed, 20 May 2020 at 12:35, Charl Thiem wrote:

> Hi there
>
> I tried that too with no luck. I think there is a bug in spring's pac4j or
> pac4j itself. I had some places in my debugger stack trace where I could
> see it never passes a check that is expected to pass... Just my guess I'm
> no pac4j expert :D
>
> I downgraded to 6.0.7 instead of 6.1.6 and it now works as expected with
> the same configuration - for what that info is worth...
>
>
> Regards / Groete
> *Charl Thiem*
> Senior Developer | +07 (0) 21 970 4000 | i...@opencollab.co.za |
> www.opencollab.co.za | @opencollab
>
>
>
> On Wed, May 20, 2020 at 12:00 PM Gandhi wrote:
>
>> Hi, Can you try passing client_id and client_secret as params rather than
>> Basic Auth?
>>
>> On Tuesday, May 19, 2020 at 3:14:01 PM UTC+5:30, Charl Thiem wrote:
>>>
>>> Hi
>>>
>>> I need some help with OpenID Connect setup.
>>> I have my cas 6.1  instance configured with OIDC. I can authenticate my
>>> user with
>>>
>>>
>>> https://demo.domain.co.za/cas/oidc/authorize?response_type=code&scope=openid&client_id=client&redirect_uri=https%3A%2F%2Fthe-redirect
>>>
>>> Which then returns the "code"
>>> https://the-redirect-uri/?*code=OC-3-Er9FLXhPgI7MLBoqfo0-SC1DRMgezkh6*
>>>
>>> Then when trying to get an authorization_code from it I get a 403
>>>
>>> curl --location --request POST 'https://demo.domain.co.za/cas/oidc/token'
>>> \
>>> --header 'Authorization: Basic Y2xpZW50OnNlY3JldA==' \
>>> --header 'Content-Type: application/x-www-form-urlencoded' \
>>> --data-urlencode 'code=OC-1-9RHILYUUElF6YCOeWqSnK0BxuK8l1-bf' \
>>> --data-urlencode 'grant_type=authorization_code' \
>>> --data-urlencode 'redirect_uri=https://the-redirect-uri'
>>>
>>> {"timestamp":"2020-05-19T09:33:21.868+","status":403,"error":"Forbidden","message":"No
>>> message available","path":"/cas/oidc/token"}
>>>
>>> (The Authorization header does seem to work. I have the clientId and
>>> client Secret in there. And if I change it I get a 401)
>>>
>>> I do not have any additional settings for OIDC in cas config, and I have
>>> json service definition with the following
>>> {
>>>   "@class" : "org.apereo.cas.services.OidcRegisteredService",
>>>   "clientId": "client",
>>>   "clientSecret": "secret",
>>>   "serviceId" : "https://the-redirect-uri",
>>>   "name": "OIDC Test",
>>>   "id": 60,
>>>   "supportedResponseTypes":  [ "java.util.HashSet", [ "code" ] ],
>>>   "supportedGrantTypes":  [ "java.util.HashSet", [ "authorization_code"
>>> ] ],
>>> }
>>>
>>> Any ideas what the issue with the 403 could be?
>>>
>>>
>>> I'm running in debug mode and also couldn't find any useful logging..
>>> This is the output during the request for the authorization_code.
>>>
>>> 2020-05-19 11:38:52,750 DEBUG
>>> [org.apereo.cas.support.oauth.web.endpoints.OAuth20AuthorizeEndpointController]
>>> - >> scopes [[openid]] for client id [client]>
>>> 2020-05-19 11:38:52,751 DEBUG
>>> [org.apereo.cas.support.oauth.web.response.callback.OAuth20AuthorizationCodeAuthorizationResponseBuilder]
>>> - 
>>> 2020-05-19 11:38:52,758 DEBUG
>>> [org.apereo.cas.ticket.registry.JpaTicketRegistry] - >> [OC-1-ZUSkKuijTf-JvqqPijjsEaMrVxRSRPGb] to registry.>
>>> 2020-05-19 11:38:52,783 DEBUG
>>> [org.apereo.cas.support.oauth.web.response.callback.OAuth20AuthorizationCodeAuthorizationResponseBuilder]
>>> - >> https://the-redirect-uri]>
>>> 2020-05-19 11:38:52,783 DEBUG
>>> [org.apereo.cas.support.oauth.web.response.callback.OAuth20AuthorizationCodeAuthorizationResponseBuilder]
>>> - >> https://the-redirect-uri?code=OC-1-ZUSkKuijTf-JvqqPijjsEaMrVxRSRPGb&state=af0ifjsldkj
>>> ]>
>>> 2020-05-19 11:38:52,786 DEBUG
>>> [org.apereo.cas.support.oauth.util.OAuth20Utils] - >> [NONE]>
>>> 2020-05-19 11:39:06,232 DEBUG
>>> [org.apereo.cas.support.oauth.authenticator.OAuth20ClientIdClientSecretAuthenticator]
>>> - >> client | password: [PROTECTED] |]>
>>> 2020-05-19 11:39:06,232 DEBUG
>>> [org.apereo.cas.support.oauth.authenticator.OAuth20ClientIdClientSecretAuthenticator]
>>> - 
>>> 2020-05-19 11:39:06,245 INFO
>>> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - >> trail record BEGIN
>>> =
>>> WHO: audit:unknown
>>> WHAT: [result=Service Access Granted,service=https://the-redirect-uri
>>> ,requiredAttributes={}]
>>> ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
>>> APPLICATION: CAS
>>> WHEN: Tue May 19 11:39:06 SAST 2020
>>> CLIENT IP ADDRESS: 172.18.0.1
>>> SERVER IP ADDRESS: 192.168.1.111
>>> =
>>>
>>> >
>>> 2020-05-19 11:39:06,245 DEBUG
>>> [org.apereo.cas.support.oauth.util.OAuth20Utils] - >> [OidcRegisteredService(super=OAuthRegisteredService(super=AbstractRegisteredService(serviceId=
>>> https://the-redirect-uri, name=OIDC Test, theme=null,
>>> informationUrl=null, privacyUrl=null, responseType=null, id=60,

Re: [cas-user] Re: CAS OIDC 403 forbidden

2020-05-20 Thread Charl Thiem
Hi there

I tried that too with no luck. I think there is a bug in spring's pac4j or
pac4j itself. I had some places in my debugger stack trace where I could
see it never passes a check that is expected to pass... Just my guess I'm
no pac4j expert :D

I downgraded to 6.0.7 instead of 6.1.6 and it now works as expected with
the same configuration - for what that info is worth...


Regards / Groete
*Charl Thiem*
Senior Developer | +07 (0) 21 970 4000 | i...@opencollab.co.za |
www.opencollab.co.za | @opencollab



On Wed, May 20, 2020 at 12:00 PM Gandhi wrote:

> Hi, Can you try passing client_id and client_secret as params rather than
> Basic Auth?
>
> On Tuesday, May 19, 2020 at 3:14:01 PM UTC+5:30, Charl Thiem wrote:
>>
>> Hi
>>
>> I need some help with OpenID Connect setup.
>> I have my cas 6.1  instance configured with OIDC. I can authenticate my
>> user with
>>
>>
>> https://demo.domain.co.za/cas/oidc/authorize?response_type=code&scope=openid&client_id=client&redirect_uri=https%3A%2F%2Fthe-redirect
>>
>> Which then returns the "code"
>> https://the-redirect-uri/?*code=OC-3-Er9FLXhPgI7MLBoqfo0-SC1DRMgezkh6*
>>
>> Then when trying to get an authorization_code from it I get a 403
>>
>> curl --location --request POST 'https://demo.domain.co.za/cas/oidc/token'
>> \
>> --header 'Authorization: Basic Y2xpZW50OnNlY3JldA==' \
>> --header 'Content-Type: application/x-www-form-urlencoded' \
>> --data-urlencode 'code=OC-1-9RHILYUUElF6YCOeWqSnK0BxuK8l1-bf' \
>> --data-urlencode 'grant_type=authorization_code' \
>> --data-urlencode 'redirect_uri=https://the-redirect-uri'
>>
>> {"timestamp":"2020-05-19T09:33:21.868+","status":403,"error":"Forbidden","message":"No
>> message available","path":"/cas/oidc/token"}
>>
>> (The Authorization header does seem to work. I have the clientId and
>> client Secret in there. And if I change it I get a 401)
>>
>> I do not have any additional settings for OIDC in cas config, and I have
>> json service definition with the following
>> {
>>   "@class" : "org.apereo.cas.services.OidcRegisteredService",
>>   "clientId": "client",
>>   "clientSecret": "secret",
>>   "serviceId" : "https://the-redirect-uri",
>>   "name": "OIDC Test",
>>   "id": 60,
>>   "supportedResponseTypes":  [ "java.util.HashSet", [ "code" ] ],
>>   "supportedGrantTypes":  [ "java.util.HashSet", [ "authorization_code" ]
>> ],
>> }
>>
>> Any ideas what the issue with the 403 could be?
>>
>>
>> I'm running in debug mode and also couldn't find any useful logging..
>> This is the output during the request for the authorization_code.
>>
>> 2020-05-19 11:38:52,750 DEBUG
>> [org.apereo.cas.support.oauth.web.endpoints.OAuth20AuthorizeEndpointController]
>> - > scopes [[openid]] for client id [client]>
>> 2020-05-19 11:38:52,751 DEBUG
>> [org.apereo.cas.support.oauth.web.response.callback.OAuth20AuthorizationCodeAuthorizationResponseBuilder]
>> - 
>> 2020-05-19 11:38:52,758 DEBUG
>> [org.apereo.cas.ticket.registry.JpaTicketRegistry] - > [OC-1-ZUSkKuijTf-JvqqPijjsEaMrVxRSRPGb] to registry.>
>> 2020-05-19 11:38:52,783 DEBUG
>> [org.apereo.cas.support.oauth.web.response.callback.OAuth20AuthorizationCodeAuthorizationResponseBuilder]
>> - > https://the-redirect-uri]>
>> 2020-05-19 11:38:52,783 DEBUG
>> [org.apereo.cas.support.oauth.web.response.callback.OAuth20AuthorizationCodeAuthorizationResponseBuilder]
>> - > https://the-redirect-uri?code=OC-1-ZUSkKuijTf-JvqqPijjsEaMrVxRSRPGb&state=af0ifjsldkj
>> ]>
>> 2020-05-19 11:38:52,786 DEBUG
>> [org.apereo.cas.support.oauth.util.OAuth20Utils] - > [NONE]>
>> 2020-05-19 11:39:06,232 DEBUG
>> [org.apereo.cas.support.oauth.authenticator.OAuth20ClientIdClientSecretAuthenticator]
>> - > client | password: [PROTECTED] |]>
>> 2020-05-19 11:39:06,232 DEBUG
>> [org.apereo.cas.support.oauth.authenticator.OAuth20ClientIdClientSecretAuthenticator]
>> - 
>> 2020-05-19 11:39:06,245 INFO
>> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - > trail record BEGIN
>> =
>> WHO: audit:unknown
>> WHAT: [result=Service Access Granted,service=https://the-redirect-uri
>> ,requiredAttributes={}]
>> ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
>> APPLICATION: CAS
>> WHEN: Tue May 19 11:39:06 SAST 2020
>> CLIENT IP ADDRESS: 172.18.0.1
>> SERVER IP ADDRESS: 192.168.1.111
>> =
>>
>> >
>> 2020-05-19 11:39:06,245 DEBUG
>> [org.apereo.cas.support.oauth.util.OAuth20Utils] - > [OidcRegisteredService(super=OAuthRegisteredService(super=AbstractRegisteredService(serviceId=
>> https://the-redirect-uri, name=OIDC Test, theme=null,
>> informationUrl=null, privacyUrl=null, responseType=null, id=60,
>> description=null,
>> expirationPolicy=DefaultRegisteredServiceExpirationPolicy(deleteWhenExpired=false,
>> notifyWhenDeleted=false, notifyWhenExpired=false, expirationDate=null),
>> proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1,
>> proxyTicketExpirationPolicy=null,
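The two suggestions in this thread (Gandhi: send client_id and client_secret as form parameters instead of a Basic header; Jérôme: register the requested scopes on the service) are both checks a token endpoint applies after the client has authenticated, which is why the thread sees a 403 rather than the 401 Charl gets with wrong credentials. The following is an added example, not code from the thread or from CAS: it parses the posted service definition in the Jackson typed-collection form CAS uses (`["java.util.HashSet", [...]]`), builds the code exchange with either client authentication method, and reports which registration check a request would fail. The policy it applies (credentials, supportedGrantTypes, redirect_uri against serviceId, scopes) is an approximation for illustration, not CAS's actual token-endpoint logic; the `scopes` entry, the sample code value and the helper names are constructed.

```python
"""Model of the token-endpoint checks discussed in the thread (added example,
not CAS's own code). The policy below is an approximation for illustration,
not CAS's real implementation."""
import base64
import json
import re
from urllib.parse import parse_qs, urlencode

# Constructed from the service JSON posted in the thread, with Jérôme's
# "scopes" entry added; the stray ';' in the archived serviceId line is a
# mangled closing quote.
SERVICE_JSON = """{
  "@class" : "org.apereo.cas.services.OidcRegisteredService",
  "clientId": "client",
  "clientSecret": "secret",
  "serviceId" : "https://the-redirect-uri",
  "name": "OIDC Test",
  "id": 60,
  "supportedResponseTypes": [ "java.util.HashSet", [ "code" ] ],
  "supportedGrantTypes": [ "java.util.HashSet", [ "authorization_code" ] ],
  "scopes": [ "java.util.HashSet", [ "openid" ] ]
}"""


def untype(value):
    """Collapse Jackson typed collections ["java.util.HashSet", [...]] into plain lists."""
    if (isinstance(value, list) and len(value) == 2 and isinstance(value[0], str)
            and value[0].startswith("java.util.") and isinstance(value[1], list)):
        return [untype(v) for v in value[1]]
    if isinstance(value, dict):
        return {k: untype(v) for k, v in value.items()}
    if isinstance(value, list):
        return [untype(v) for v in value]
    return value


def load_service(text):
    """Parse a CAS JSON service definition into plain Python structures."""
    return untype(json.loads(text))


def basic_header(client_id, client_secret):
    """client_secret_basic: the Authorization header value used in the thread's curl."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()


def build_token_request(client_id, client_secret, code, redirect_uri, method):
    """Return (headers, body) for the authorization_code exchange.

    method is 'basic' (credentials in the Authorization header) or 'post'
    (client_id/client_secret as form parameters, Gandhi's suggestion)."""
    params = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "basic":
        headers["Authorization"] = basic_header(client_id, client_secret)
    elif method == "post":
        params["client_id"] = client_id
        params["client_secret"] = client_secret
    else:
        raise ValueError(f"unknown client authentication method: {method}")
    return headers, urlencode(params)


def check_token_request(service, headers, body, scope="openid"):
    """Return the list of checks the request fails against the registered service
    (empty list: the request passes this model). Order: client authentication,
    grant type, redirect_uri against serviceId, requested scope."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    failures = []
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        client_id, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
    else:
        client_id, secret = form.get("client_id"), form.get("client_secret")
    if client_id != service["clientId"] or secret != service["clientSecret"]:
        failures.append("client authentication failed (401)")
    if form.get("grant_type") not in service.get("supportedGrantTypes", []):
        failures.append("grant_type not in supportedGrantTypes")
    # CAS treats serviceId as a regular expression; redirect_uri must match it
    if not re.fullmatch(service["serviceId"], form.get("redirect_uri", "")):
        failures.append("redirect_uri does not match serviceId")
    if scope not in service.get("scopes", []):
        failures.append(f"scope {scope!r} not registered for the service")
    return failures


if __name__ == "__main__":
    svc = load_service(SERVICE_JSON)
    for method in ("basic", "post"):
        hdrs, body = build_token_request("client", "secret", "OC-1-example",
                                         "https://the-redirect-uri", method)
        print(method, check_token_request(svc, hdrs, body) or "ok")
```

Running the script evaluates the same exchange with both client authentication methods against the posted definition; removing the `scopes` entry from SERVICE_JSON makes the model report the scope check, which is the configuration gap Jérôme's reply points at. A real endpoint returns the same 401/403 status either way, so keeping the per-check failure list is what makes the model useful when reading CAS debug logs.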