Hi,

Sure. This error happens when you have not properly configured the serviceId of the Oidc service; it must match the redirectUri.
See the documentation: https://apereo.github.io/cas/5.0.x/installation/OIDC-Authentication.html

    {
      "@class" : "org.apereo.cas.services.OidcRegisteredService",
      "clientId": "client",
      "clientSecret": "secret",
      "serviceId" : "^<https://the-redirect-uri>",
      "signIdToken": true,
      "name": "OIDC",
      "id": 1000,
      "evaluationOrder": 100,
      "jwks": "..."
    }

Thanks.
Best regards,
Jérôme

2016-12-13 21:12 GMT+01:00 Misagh Moayyed <[email protected]>:

> Feel free to submit an issue. Jérôme might have a few ideas. It would also be helpful if you could pack your client into a shape that can be tested and run by someone else. If you do [and you should], reference its location in the issue.
>
> --Misagh
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Todd Pratt
> *Sent:* Tuesday, December 13, 2016 11:21 AM
> *To:* CAS Community <[email protected]>
> *Subject:* [cas-user] Re: Authorize request verification fails with OAuth and CAS 5.0.x
>
> The authorization url that is generated is
>
> https://cas.mydomain.com:8443/cas/oauth2.0/authorize/?client_id=fb3s86QV9QKl&redirect_uri=http://localhost:8080/oauth_client&response_type=code&scope=openid
>
> On Monday, December 12, 2016 at 4:51:17 PM UTC-5, Todd Pratt wrote:
>
> Hi,
>
> I'm trying to set up OpenID/OAuth2 on CAS 5.0.x using the war overlay template. I included three dependencies, cas-server-support-oidc, cas-server-support-ldap and cas-server-support-json-service-registry. I built the management webapp using that overlay template and I successfully logged into the management app using the ldap authentication I set up. Now I'm trying to set up a service provider for OpenID/OAuth2 and I keep getting an error page with my test application that says "Application Not Authorized to use CAS" instead of redirecting to the login page. I've used this test client with other servers and it seems to work. I enabled debugging and looking through the code it looks like it found my provider I defined but then it fails at OAuth20AuthorizeController.isRequestAuthenticated() returns false. The method isRequestAuthenticated() seems to look for a profile in the session which isn't there. Is there something I'm missing? Below is the portion of the log.
>
> 2016-12-12 13:09:40,226 DEBUG [org.apereo.cas.support.oauth.validator.OAuthValidator] - <client_id: fb3s86QV9QKl>
>
> 2016-12-12 13:09:40,227 DEBUG [org.apereo.cas.support.oauth.validator.OAuthValidator] - <redirect_uri: http://localhost:8080/oauth_client>
>
> 2016-12-12 13:09:40,227 DEBUG [org.apereo.cas.support.oauth.validator.OAuthValidator] - <response_type: code>
>
> 2016-12-12 13:09:40,227 DEBUG [org.apereo.cas.support.oauth.web.OAuth20AuthorizeController] - <Response type: code>
>
> 2016-12-12 13:09:40,228 DEBUG [org.apereo.cas.support.oauth.validator.OAuthValidator] - <Check registered service: org.apereo.cas.services.OidcRegisteredService@66d09fb6[attributeFilter=<null>,principalAttributesRepository=org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository@2027a3cc[],authorizedToReleaseCredentialPassword=false,authorizedToReleaseProxyGrantingTicket=false],accessStrategy=org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy@f9e67c0[enabled=true,ssoEnabled=true,requireAllAttributes=false,requiredAttributes={},unauthorizedRedirectUrl=<null>,caseInsensitive=false,rejectedAttributes={}],publicKey=<null>,proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@2e202d9f,logo=<null>,logoutUrl=<null>,requiredHandlers=[],properties={},multifactorPolicy=org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy@6dd174aa[multifactorAuthenticationProviders=[],failureMode=CLOSED,principalAttributeNameTrigger=<null>,principalAttributeValueToMatch=<null>,clientId=fb3s86QV9QKl,approvalPrompt=false,generateRefreshToken=false,jsonFormat=false,jwks=<null>,signIdToken=false]>
>
> 2016-12-12 13:09:40,228 DEBUG [org.apereo.cas.support.oauth.validator.OAuthValidator] - <Found: org.apereo.cas.services.OidcRegisteredService@66d09fb6[attributeFilter=<null>,principalAttributesRepository=org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository@2027a3cc[],authorizedToReleaseCredentialPassword=false,authorizedToReleaseProxyGrantingTicket=false],accessStrategy=org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy@f9e67c0[enabled=true,ssoEnabled=true,requireAllAttributes=false,requiredAttributes={},unauthorizedRedirectUrl=<null>,caseInsensitive=false,rejectedAttributes={}],publicKey=<null>,proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@2e202d9f,logo=<null>,logoutUrl=<null>,requiredHandlers=[],properties={},multifactorPolicy=org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy@6dd174aa[multifactorAuthenticationProviders=[],failureMode=CLOSED,principalAttributeNameTrigger=<null>,principalAttributeValueToMatch=<null>,clientId=fb3s86QV9QKl,approvalPrompt=false,generateRefreshToken=false,jsonFormat=false,jwks=<null>,signIdToken=false] vs redirectUri: http://localhost:8080/oauth_client>
>
> 2016-12-12 13:09:40,228 ERROR [org.apereo.cas.support.oauth.web.OAuth20AuthorizeController] - <Authorize request verification fails>
>
> Thanks in advance for any help.
>
> --
> - CAS gitter chatroom: https://gitter.im/apereo/cas
> - CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
> - CAS documentation website: https://apereo.github.io/cas
> - CAS project website: https://github.com/apereo/cas
> ---
> You received this message because you are subscribed to the Google Groups "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/3ed93ca6-db04-4734-a86a-4d6938f4576f%40apereo.org.
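
Added example (not part of the original thread and not CAS code): a Python check that takes the authorize URL from the thread and a service definition shaped like the one in the reply, and reports whether the serviceId regular expression matches the redirect_uri; it also lists constructed URIs that a pattern accepts beyond the intended one. It assumes whole-string matching and uses Python's regex engine as a stand-in for Java's; the function names, SERVICES and PROBES are constructed for illustration.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Authorize URL quoted in the thread (the poster's host and client_id).
AUTHORIZE_URL = ("https://cas.mydomain.com:8443/cas/oauth2.0/authorize/"
                 "?client_id=fb3s86QV9QKl"
                 "&redirect_uri=http://localhost:8080/oauth_client"
                 "&response_type=code&scope=openid")

# Constructed registry entry in the shape of the JSON from the reply.
SERVICES = json.loads('''[
  {"@class": "org.apereo.cas.services.OidcRegisteredService",
   "clientId": "fb3s86QV9QKl", "name": "OIDC", "id": 1000,
   "serviceId": "^http://localhost:8080/oauth_client$"}
]''')

# Constructed URIs that a correctly scoped serviceId should reject.
PROBES = ["http://localhost:8080/oauth_client.other.example/cb",
          "http://other.example/?next=http://localhost:8080/oauth_client"]


def check_authorize_request(url, services):
    """Return (ok, reason) for an authorize URL checked against the registry."""
    query = parse_qs(urlsplit(url).query)
    client_id = query.get("client_id", [""])[0]
    redirect_uri = query.get("redirect_uri", [""])[0]
    service = next((s for s in services if s.get("clientId") == client_id), None)
    if service is None:
        return False, f"no service registered for client_id {client_id!r}"
    pattern = service.get("serviceId", "")
    try:
        # Assumption: the whole redirect_uri must match the serviceId regex.
        if re.fullmatch(pattern, redirect_uri) is None:
            return False, f"serviceId {pattern!r} does not match {redirect_uri!r}"
    except re.error as exc:
        return False, f"serviceId is not a valid regex: {exc}"
    return True, "ok"


def unexpected_matches(pattern, probes=PROBES):
    """List probe URIs the pattern also accepts (a sign it is too broad)."""
    return [uri for uri in probes if re.fullmatch(pattern, uri)]


if __name__ == "__main__":
    print(check_authorize_request(AUTHORIZE_URL, SERVICES))
    print(unexpected_matches("^http://localhost:8080/oauth_client.*"))
```

Running the check against each registry entry before deploying it catches a serviceId left at a placeholder value, which is the mismatch the reply describes.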
