Hello,
Do not focus on the service loading, look at the logs from the time you are actually trying to access the service. That should help you more.


Hm... your HTTPd does SSL offloading. That might be the case... I faced a similar problem with my https/443 -> http/8080 proxy. I am not sure if that applies to AJP proxying too, but I *think* AJP should transfer scheme information... anyway, I will describe the problem I was having. Just in case.


I was running https/443 (nGinx) -> http/8080 proxy (standalone Tomcat + CAS .war). Older CAS (6.2.x) was working fine with my OIDC configuration, newer (6.5.x) was not. I was getting the same error as you do. My server prefix was https://am.something.tld/cas, so I set the OIDC Issuer to https://am.something.tld/cas/oidc . All good here.

In 6.5.x there is some additional matching/checking of the OIDC issuer against incoming OIDC requests and/or service callbacks in CAS itself.
I got one line in the log which was something like:

/the request //*https*//://am.something.tld/cas/oidc/authorize?=... does not match oidc issuer //*http*//://am.something.tld/cas/oidc/

See the "http" in the matching rule where the "https" should be? The problem here was bad URI scheme information getting to CAS. CAS gets the info from the X-Forwarded-Proto header and from the Tomcat connector object (the Java representation of the HTTP connector inside the application container). Basically, CAS thought I was running plain HTTP because the Tomcat connector object *is* plain HTTP for the backend server and I was not giving it the X-Forwarded-Proto header.

I had to make sure my proxy was setting the correct X-Forwarded-Proto header and that Tomcat propagated it to the application via RemoteIpValve.
Once I did this, things started working.

Cheers,
Fiisch
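As an added example (not from the thread), the Tomcat side of the fix Fiisch describes: a RemoteIpValve in server.xml that rewrites the request scheme from X-Forwarded-Proto, but only for requests arriving from the listed proxy address (192.0.2.10 is an assumed placeholder), so a client reaching Tomcat directly cannot declare itself https. It assumes the httpd *:443 VirtualHost also adds RequestHeader set X-Forwarded-Proto "https" (the thread names the header but shows no config for it).

```xml
<!-- conf/server.xml on the Tomcat that hosts cas.war (added example, not from the thread).
     The valve goes inside the <Host> element. Companion httpd directive, also assumed:
       RequestHeader set X-Forwarded-Proto "https"
     placed in the *:443 VirtualHost next to the ProxyPass. -->
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">

  <!-- Rewrites request.getScheme()/isSecure()/getServerPort() from the forwarded
       headers, so CAS reconstructs https://... request URLs and the OIDC issuer
       comparison no longer sees http:// from the plain backend connector. -->
  <Valve className="org.apache.catalina.valves.RemoteIpValve"
         remoteIpHeader="X-Forwarded-For"
         protocolHeader="X-Forwarded-Proto"
         protocolHeaderHttpsValue="https"
         httpsServerPort="443"
         internalProxies="192\.0\.2\.10" />
  <!-- internalProxies is a regex over the immediate peer address. 192.0.2.10 is a
       placeholder for the httpd host: only requests from it have X-Forwarded-*
       honoured; from any other peer the headers are ignored and the scheme stays
       whatever the connector really is. -->
</Host>
```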

On 05/05/2022 02:01 PM, wouldsmina wrote:
Hello Fiisch,

Yes debug logging is enabled, but nothing interesting. Service file is correctly loaded:

[2022-05-05 12:10:03] [info] 2022-05-05 12:10:03,277 DEBUG [org.apereo.cas.services.resource.AbstractResourceBasedServiceRegistry] - <Attempting to read and parse [/etc/cas/services/appoidc-1624798320.json]>
[2022-05-05 12:10:03] [info] 2022-05-05 12:10:03,277 DEBUG [org.apereo.cas.oidc.services.OidcServiceRegistryListener] - <Mapped [email] to attribute release policy [OidcEmailScopeAttributeReleasePolicy]>
[2022-05-05 12:10:03] [info] 2022-05-05 12:10:03,277 DEBUG [org.apereo.cas.oidc.services.OidcServiceRegistryListener] - <Mapped [profile] to attribute release policy [OidcProfileScopeAttributeReleasePolicy]>
[2022-05-05 12:10:03] [info] 2022-05-05 12:10:03,277 DEBUG [org.apereo.cas.oidc.services.OidcServiceRegistryListener] - <Given scope [offline_access], service [1624798320] is marked to generate refresh tokens>

The CAS server is behind a proxy (apache) like my CAS 6.1:

<VirtualHost *:443>
    ServerAdmin s...@domain.fr
    ServerName cas-test.domain.fr

    DocumentRoot /var/www/cas-test
    AccessFileName .htaccess

    <Directory />
        Options FollowSymLinks
        AllowOverride None
        Allow from all
    </Directory>
    <Directory /var/www/>
        Options FollowSymLinks MultiViews
        AllowOverride AuthConfig
        Order allow,deny
        Allow from all
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    LogLevel warn
    ErrorLog ${APACHE_LOG_DIR}/cas-test-error.log
    CustomLog ${APACHE_LOG_DIR}/cas-test-ssl_access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

    SSLEngine on

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch ".*.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

    ProxyPass /cas ajp://spartana-b2.domain.fr:8010/cas
</VirtualHost>

Regards.


On Thu, 5 May 2022 at 11:02, Petr Fišer <petr.fiser...@gmail.com> wrote:

    Hello,
    Do you have DEBUG logging enabled? Is there anything interesting
    in the logs?
    Also, what is your setup? Are you running behind a proxy, perchance?

    Cheers,
    Fiisch

    On 05/05/2022 09:27 AM, wouldsmina wrote:
    I had no properties in cas.properties for oidc. I added
    cas.authn.oidc.core.issuer like in the documentation, but it
    doesn't change anything.
    Cas.log and catalina.log return no warn on a replaced attribute
    and the service file is loaded correctly.

    Looks like the regex in serviceId is not working (yet the same
    works on cas 6.1).

    Regards.

    On Wed, 4 May 2022 at 19:39, Ray Bon <r...@uvic.ca> wrote:

        I meant search for the property that you are currently using.
        There should be a note about the name of the new property.

        Ray

        On Wed, 2022-05-04 at 17:38 +0200, wouldsmina wrote:
        Notice: This message was sent from outside the University of
        Victoria email system. Please be cautious with links and
        sensitive information.

        Thank you Ray. the file contains nearly 80,000 lines... it's
        not going to be easy to find my way around. I will still try
        to find a solution, but if someone can guide me more, I'm
        interested.


        On Tue, 3 May 2022 at 17:56, Ray Bon <r...@uvic.ca> wrote:
        Said,

        Some of the property names may have changed.
        Run this command to get the list of all properties:

        ./gradlew exportConfigMetadata

        then search for the properties you are using.

        See,
        
https://github.com/apereo/cas-overlay-template/tree/6.5#configuration-metadata

        Ray

        On Tue, 2022-05-03 at 05:08 -0700, Said b wrote:
        Hello,

        I am using OpenID connect with CAS 6.1.7. I installed CAS
        6.5.3 in test, but I get an error (Application not
        authorized to use CAS) while the service file is
        identical. Is there a configuration change between 6.1 and
        6.5? I don't see anything in the documentation.
        Service file:
        {
          "id": 1624798320,
          "name": "AppOIDC",
          "description": "mobile app",
          "evaluationOrder": 99,
          "@class": "org.apereo.cas.services.OidcRegisteredService",
          "supportedGrantTypes": [
            "java.util.HashSet",
            [
              "authorization_code",
              "refresh_token"
            ]
          ],
          "clientId": "mobileapp",
          "clientSecret": "xxxxxxxxxxxxxxxxxxxxxxxxxx",
          "serviceId": "^https://service.callback.oauth.domain.com$",
          "scopes": [
            "java.util.HashSet",
            [
              "profile",
              "email",
              "offline_access"
            ]
          ],
          "attributeReleasePolicy": {
            "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
            "allowedAttributes": [ "java.util.ArrayList", [ "sn", "givenName" ] ]
          }
        }

        Regards.

--
        Ray Bon
        Programmer Analyst
        Development Services, University Systems
        2507218831 | CLE 019 | r...@uvic.ca <mailto:r...@uvic.ca>

        I acknowledge and respect the lək̓ʷəŋən peoples on whose
        traditional territory the university stands, and the
        Songhees, Esquimalt and WSÁNEĆ peoples whose historical
        relationships with the land continue to this day.
-- - Website: https://apereo.github.io/cas
        - Gitter Chatroom: https://gitter.im/apereo/cas
        - List Guidelines: https://goo.gl/1VRrw7
        - Contributions: https://goo.gl/mh7qDG
        ---
        You received this message because you are subscribed to the
        Google Groups "CAS Community" group.
        To unsubscribe from this group and stop receiving emails
        from it, send an email to cas-user+unsubscr...@apereo.org
        <mailto:cas-user+unsubscr...@apereo.org>.
        To view this discussion on the web visit
        
https://groups.google.com/a/apereo.org/d/msgid/cas-user/b2c1e72d4e772cd0546ce898cf76ea5cace25b26.camel%40uvic.ca
        
<https://groups.google.com/a/apereo.org/d/msgid/cas-user/b2c1e72d4e772cd0546ce898cf76ea5cace25b26.camel%40uvic.ca?utm_medium=email&utm_source=footer>.



