Hi, I'm having the same problem with: java.lang.IllegalArgumentException: Unable to locate authentication profile

In cas.properties:

    cas.authn.oidc.core.issuer=https://catalin-pc.local/cas/oidc

The JSON service registry (I have only this):

    {
      "@class" : "org.apereo.cas.services.OidcRegisteredService",
      "clientId" : "client_id",
      "clientSecret" : "client_secret",
      "serviceId" : "^(https?)://.*",
      "name" : "Oauth2OIDC",
      "id" : 103935657744184,
      "evaluationOrder" : 1,
      "attributeReleasePolicy" : {
        "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
      }
    }

The client app/service is using Spring Boot (2.5.5) / Spring Security. The application.yml (please ignore the formatting of the yml):

    debug: false
    spring:
      security:
        oauth2:
          client:
            registration:
              cas:
                client-id: client_id
                client-secret: client_secret
                authorization-grant-type: authorization_code
                client-authentication-method: client_secret_basic
                scope: openid, profile
              github:
                client-id: ........
                client-secret: .....
            provider:
              cas:
                issuer-uri: https://catalin-pc.local/cas/oidc

Spring Security config below (as simple as possible):

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;

    @Configuration
    @EnableWebSecurity
    public class WebPortalSecurity extends WebSecurityConfigurerAdapter {

        @Autowired
        private ClientRegistrationRepository clientRegistrationRepository;

        @Override
        public void configure(HttpSecurity http) throws Exception {
            // I tried here to specify the CAS login page (here I'm getting that the service is not authorized to use CAS)
            // http.authorizeRequests(authorizeRequests -> authorizeRequests.anyRequest().authenticated())
            //     .oauth2Login(oauth2 -> oauth2.loginPage("https://catalin-pc.local/cas/login?service=https://catalin-pc.local/web-portal"));

            // With this code it will redirect me to /cas/oidc/oidcAuthorize?response_type=code and will end up in the
            // "profile not found" error -> debugging into the code I was seeing that this profile is somehow pac4j related???
            // (I also tried to integrate pac4j when doing the log in, but it did not help)
            http.authorizeRequests(authorizeRequests -> authorizeRequests.anyRequest().authenticated())
                .oauth2Login();
        }
    }

On the CAS side I have a dumb implementation of AbstractUsernamePasswordAuthenticationHandler:

    @Override
    protected AuthenticationHandlerExecutionResult authenticateUsernamePasswordInternal(UsernamePasswordCredential upc, String s)
            throws GeneralSecurityException, PreventedException {
        final String username = upc.getUsername();
        final String password = upc.getPassword();
        final HashMap<String, List<Object>> attributes = new HashMap<>();
        final ArrayList<Object> value = new ArrayList<>();
        // put some dummy attributes here
        value.add("oidc profile");
        attributes.put("profile", value);
        return createHandlerResult(upc, this.principalFactory.createPrincipal(username, attributes));
    }

The profile will try to be returned like this (this is pac4j related code):

    this.context.getRequestAttribute("pac4jUserProfiles").ifPresent((requestAttribute) -> {
        profiles.putAll((Map) requestAttribute);
    });

Here that attribute definitely is not present on my flow, hence ending up in the error...

I tried to integrate a pac4j authentication like this: https://apereo.github.io/cas/development/authentication/Pac4j-Authentication.html#overview

I'm only interested now in the happy flow, so that with that dumb authenticator, similar to my simplified one that does no checks.

Things to note:
- I tried to minimize things, so I removed any page changes we had or other custom things to keep CAS as close as possible to the overlay template that is being provided
- I tried some 6.4.X versions, 6.5.1, and 6.6.0-RC1 (same issue); I wanted to try the latest version of 6.3.X but there were some issues with Java 17 and the Spring version
- From the above app/service Spring Security configuration, I'm able to do a login with GitHub (the flow seems to be similar: it goes to that authorize, and if I'm not logged in to GitHub, I'm seeing the GitHub login page)
- I can authenticate to https://.../cas/login -> with the code provided above; as well, I'm seeing those attributes in the principal and I'm seeing the authentication
- If I try to authenticate like this: https://.../cas/login?service=https:// then I'm getting "Application Not Authorized to Use CAS", even though in the service registry I added a broader pattern to match the service id: ^(https?)://.*
- If I try to access the app directly, then I get this:
  - .well-known works properly,
  - java.lang.IllegalArgumentException: Unable to locate authentication profile
    at org.apereo.cas.support.oauth.web.endpoints.OAuth20AuthorizeEndpointController.lambda$redirectToCallbackRedirectUrl$0(OAuth20AuthorizeEndpointController.java:170)

Any hints on what I might be doing wrong are highly appreciated.

Thanks,
C

On Tuesday, January 11, 2022 at 10:57:13 AM UTC+2 Frédéric Lohier wrote:
> Hello,
>
> I haven't had any issue with the .well-known URL in CAS 6.3.x and CAS
> 6.4.x. Have you set all the other relevant OIDC settings? (claims, scopes,
> keys, etc.?)
>
> -Frederic
>
> On Tue, Jan 11, 2022 at 9:26 AM Guillaume EGRON <capla...@gmail.com> wrote:
>
>> We did not run any tests on the 6.4.x branch since my original post; we
>> chose to stay with 6.3.x.
>> I've just built a new 6.4.4.2 CAS overlay template but am still facing the
>> issue.
>> I took a look back at the OpenID Connect documentation
>> https://apereo.github.io/cas/6.4.x/authentication/OIDC-Authentication.html#configuration,
>> and fixed the property cas.authn.oidc.core.issuer (according to the
>> documentation, there was an unnecessary trailing slash in my previous
>> configuration). The property looks like this now:
>>
>> cas.authn.oidc.core.issuer=${cas.server.name}/cas/oidc
>>
>> But that does not fix the issue.
>>
>> https://localhost:8443/cas/oidc/.well-known still redirects to a 404
>> error page
>>
>> On Tuesday, 11 January 2022 at 05:29:21 UTC+1, Vaibhav Narula wrote:
>>
>>> We are also seeing the same issue in 6.4.4.2. Were you able to solve
>>> this issue?
>>>
>>> On Wednesday, 25 August 2021 at 03:50:43 UTC-6 Guillaume EGRON wrote:
>>>
>>>> Hi,
>>>> building a cas overlay using cas initializr
>>>>
>>>> {"version":"6.4.0","bootVersion":"2.5.4","sync":true,"branch":"6.4","type":"cas"}
>>>>
>>>> Added OIDC support and tested it with the sample client application found
>>>> in the documentation
>>>> https://apereo.github.io/cas/6.4.x/authentication/OIDC-Authentication.html#sample-client-applications
>>>>
>>>> CAS is deployed inside an external Apache Tomcat container.
>>>>
>>>> Configuration in cas.properties file:
>>>> cas.server.name=https://<domain>
>>>> cas.server.prefix=${cas.server.name}/cas
>>>> cas.authn.oidc.core.issuer=${cas.server.prefix}/oidc/
>>>>
>>>> https://<domain>/cas/oidc/.well-known redirects to a 404 error page
>>>>
>>>> Client app redirects to CAS login page successfully; after submitting
>>>> login and password, CAS redirects to Application Not Authorized to Use CAS.
>>>> In the log file, found this message:
>>>> [org.apereo.cas.oidc.util.OidcRequestSupport] - <Issuer
>>>> [https://<domain>/cas/oidc] defined in CAS configuration does not match the
>>>> request issuer [http://<domain>/cas/oidc/authorize]>
>>>>
>>>> Note that the request issuer is in http (not https) and has the ending
>>>> /authorize endpoint
>>>>
>>>> Fix the cas.properties as follows
>>>> cas.authn.oidc.core.issuer=http://<domain>/cas/oidc/authorize
>>>>
>>>> Restart CAS
>>>>
>>>> Client app redirects to CAS login page with error
>>>> java.lang.IllegalArgumentException: Unable to locate authentication profile
>>>>   at org.apereo.cas.support.oauth.web.endpoints.OAuth20AuthorizeEndpointController.lambda$redirectToCallbackRedirectUrl$0(OAuth20AuthorizeEndpointController.java:164)
>>>>   at java.base/java.util.Optional.orElseThrow(Optional.java:408)
>>>>   at org.apereo.cas.support.oauth.web.endpoints.OAuth20AuthorizeEndpointController.redirectToCallbackRedirectUrl(OAuth20AuthorizeEndpointController.java:164)
>>>>   at org.apereo.cas.support.oauth.web.endpoints.OAuth20AuthorizeEndpointController.handleRequest(OAuth20AuthorizeEndpointController.java:87)
>>>>   at org.apereo.cas.oidc.web.controllers.authorize.OidcAuthorizeEndpointController.handleRequest(OidcAuthorizeEndpointController.java:49)
>>>>
>>>> Downgrade CAS to CAS 6.4.0-RC6
>>>> Configuration in cas.properties file:
>>>> cas.server.name=https://<domain>
>>>> cas.server.prefix=${cas.server.name}/cas
>>>> cas.authn.oidc.core.issuer=${cas.server.prefix}/oidc/
>>>>
>>>> https://<domain>/cas/oidc/.well-known redirects to a 404 error page
>>>>
>>>> Property cas.authn.oidc.core.issuer=${cas.server.prefix}/oidc/ leads to
>>>> [org.apereo.cas.oidc.util.OidcRequestSupport] - <Issuer
>>>> [https://<domain>/cas/oidc] defined in CAS configuration does not match the
>>>> request issuer [http://<domain>/cas/oidc/authorize]>
>>>>
>>>> Fix the cas.properties as follows
>>>> cas.authn.oidc.core.issuer=http://<domain>/cas/oidc/authorize
>>>>
>>>> Restart CAS
>>>>
>>>> Client app redirects to CAS login page successfully; after submitting
>>>> login and password, CAS redirects to the Claims authorization page. Submit it.
>>>> Browser redirects to
>>>> https://<client_app_domain>:9443/simple-web-app/openid_connect_login?code=OC-x-xxxx&state=zzz&nonce=yy
>>>>
>>>> and displays "HTTP ERROR 401 Authentication Failed: Unable to obtain Access
>>>> Token: 404"
>>>>
>>>> Downgrade CAS to CAS 6.4.0-RC5
>>>> Configuration in cas.properties file:
>>>> cas.server.name=https://<domain>
>>>> cas.server.prefix=${cas.server.name}/cas
>>>> cas.authn.oidc.core.issuer=${cas.server.prefix}/oidc/
>>>>
>>>> https://<domain>/cas/oidc/.well-known redirects successfully
>>>>
>>>> Client app redirects to CAS login page successfully; after submitting
>>>> login and password, CAS redirects to the Claims authorization page. Submit it.
>>>> Client app displays ID Token and User Info
>>>>
>>>> Did I miss some configuration inside cas.properties starting from CAS
>>>> 6.4.0 RC6?
>>>> Or is there a bug here?
>>>>
>>> --
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to cas-user+u...@apereo.org.
>> To view this discussion on the web visit
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/9b6bb625-0458-4ae3-8a61-4776af2a2a85n%40apereo.org
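Two checks recur through this whole thread: the issuer comparison behind the "Issuer [...] defined in CAS configuration does not match the request issuer [...]" log line, and the regex serviceId pattern used to authorize the client. The script below is an added illustration written for this page; it is not code from the thread, from CAS, from pac4j or from Spring. It models the issuer comparison in a simplified form (an assumption, not CAS's actual implementation), uses a constructed hostname cas.example.test and constructed request URLs, and shows why a TLS-terminating proxy or container that does not forward the original scheme makes an https issuer fail against an http request, and what the wildcard serviceId from the registry above actually matches.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Endpoint path segments that may follow an issuer in an OIDC request URL.
# Illustrative list for this example, not CAS's own routing table.
OIDC_ENDPOINT_SEGMENTS = {
    "authorize", "oidcAuthorize", "token", "profile", "jwks",
    "introspect", "revoke", "logout", ".well-known",
}


def normalize_issuer(url):
    """Canonical form for comparison: lower-case scheme and host, no trailing
    slash, no query/fragment, so 'https://h/cas/oidc/' == 'https://h/cas/oidc'."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path.rstrip("/"), "", ""))


def effective_request_url(request_url, headers):
    """Rebuild the URL the browser used when the server sits behind a
    TLS-terminating proxy, honouring X-Forwarded-Proto / X-Forwarded-Host.
    Only a trusted front proxy should be allowed to set these headers."""
    p = urlsplit(request_url)
    scheme = headers.get("X-Forwarded-Proto", p.scheme)
    host = headers.get("X-Forwarded-Host", p.netloc)
    return urlunsplit((scheme, host, p.path, p.query, ""))


def issuer_from_request(request_url):
    """Issuer implied by a request: everything before the first endpoint
    segment, e.g. '/cas/oidc/authorize?...' -> '/cas/oidc'."""
    p = urlsplit(request_url)
    segments = [s for s in p.path.split("/") if s]
    for i, seg in enumerate(segments):
        if seg in OIDC_ENDPOINT_SEGMENTS:
            segments = segments[:i]
            break
    return normalize_issuer(urlunsplit((p.scheme, p.netloc, "/" + "/".join(segments), "", "")))


def check_issuer(configured_issuer, request_url, headers=None):
    """Return (ok, reason): compare the configured issuer with the issuer
    derived from the request and name the first component that differs."""
    expected = urlsplit(normalize_issuer(configured_issuer))
    actual = urlsplit(issuer_from_request(effective_request_url(request_url, headers or {})))
    for name in ("scheme", "netloc", "path"):
        e, a = getattr(expected, name), getattr(actual, name)
        if e != a:
            return False, f"{name} mismatch: configured {e!r}, request {a!r}"
    return True, "issuer matches"


def service_id_matches(service_id_pattern, redirect_uri):
    """Emulate a regex serviceId check against a client's redirect_uri."""
    return re.match(service_id_pattern, redirect_uri) is not None


def run_checks():
    """Constructed cases mirroring the situations described in the thread."""
    issuer = "https://cas.example.test/cas/oidc/"          # constructed
    authorize = "http://cas.example.test/cas/oidc/authorize?response_type=code"  # constructed
    return {
        # container sees plain http: the scheme is the first thing that differs
        "proxy_without_forwarded_proto": check_issuer(issuer, authorize),
        # proxy forwards the original scheme: same request now matches
        "proxy_with_forwarded_proto": check_issuer(issuer, authorize, {"X-Forwarded-Proto": "https"}),
        # discovery endpoint resolves to the same issuer
        "well_known": check_issuer(issuer, "https://cas.example.test/cas/oidc/.well-known/openid-configuration"),
        # an issuer value that embeds an endpoint segment only matches that endpoint
        "issuer_with_endpoint_segment": check_issuer(
            "http://cas.example.test/cas/oidc/authorize", "http://cas.example.test/cas/oidc/token"),
        # the wildcard serviceId from the registry accepts any http(s) redirect_uri
        "wildcard_service_id": service_id_matches("^(https?)://.*", "https://other.example.test/cb"),
        # a serviceId pinned to the Spring default callback path rejects other hosts
        "pinned_service_id": service_id_matches(
            r"^https://app\.example\.test/login/oauth2/code/cas$", "https://other.example.test/cb"),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

The first two cases are the practical takeaway for the https/http mismatch: keep the issuer on https and make the container see the original scheme (for example Tomcat's RemoteIpValve or Spring Boot's server.forward-headers-strategy, each trusting only your own proxy) rather than lowering the issuer to http. The last two cases show that ^(https?)://.* authorizes every redirect_uri for that client_id; for a Spring client the callback is {baseUrl}/login/oauth2/code/{registrationId} by default, so the serviceId can be pinned to that exact URL.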