I don't get any info log when I try to access the service (which I find
weird, by the way). Debug returns:
2022-05-05 15:05:18,699 DEBUG [org.springframework.security.web.FilterChainProxy] - <Securing GET /oidc/authorize?response_type=code&redirect_uri=https%3A%2F%2Fxxxx.callback.oauth.domain.com&scope=openid+email+profile+offline_access&state=abcdef&client_id=appoidc>
2022-05-05 15:05:18,699 DEBUG [org.springframework.security.web.context.SecurityContextPersistenceFilter] - <Set SecurityContextHolder to empty SecurityContext>
2022-05-05 15:05:18,699 DEBUG [org.springframework.security.web.authentication.AnonymousAuthenticationFilter] - <Set SecurityContextHolder to anonymous SecurityContext>
2022-05-05 15:05:18,699 DEBUG [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] - <Authorized public object filter invocation [GET /oidc/authorize?response_type=code&redirect_uri=https%3A%2F%2Fxxxx.callback.oauth.domain.com&scope=openid+email+profile+offline_access&state=abcdef&client_id=appoidc]>
2022-05-05 15:05:18,699 DEBUG [org.springframework.security.web.FilterChainProxy] - <Secured GET /oidc/authorize?response_type=code&redirect_uri=https%3A%2F%2Fxxxx.callback.oauth.domain.com&scope=openid+email+profile+offline_access&state=abcdef&client_id=appoidc>
2022-05-05 15:05:18,721 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] - <Did not store anonymous SecurityContext>
2022-05-05 15:05:18,722 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] - <Did not store anonymous SecurityContext>
2022-05-05 15:05:18,722 DEBUG [org.springframework.security.web.context.SecurityContextPersistenceFilter] - <Cleared SecurityContextHolder to complete request>

Even if I don't see any error in the logs, my problem could be the same as
yours... I'm going to define the X-Forwarded-Proto in the Apache
VirtualHost.

Thank you for your advice.

On Thu, 5 May 2022 at 14:43, Petr Fišer <petr.fiser...@gmail.com> wrote:

> Hello,
> Do not focus on the service loading, look at the logs from the time you
> are actually trying to access the service. That should help you more.
>
>
> Hm... your HTTPd does SSL offloading. That might be the case... I faced a
> similar problem with my https/443 -> http/8080 proxy.
> I am not sure if that applies to AJP proxying too, but I *think* AJP
> should transfer scheme information... anyway, I will describe the problem I
> was having. Just in case.
>
>
> I was running https/443 (nGinx) -> http/8080 proxy (standalone Tomcat +
> CAS .war). Older CAS (6.2.x) was working fine with my OIDC configuration,
> newer (6.5.x) was not. I was getting the same error as you do.
> My server prefix was https://am.something.tld/cas, so I set the OIDC
> Issuer to https://am.something.tld/cas/oidc . All good here.
>
> In 6.5.x there is some additional matching/checking of the OIDC issuer
> against incoming OIDC requests and/or service callbacks in the CAS itself.
> I got one line in the log which was something like:
>
>         *the request **https**://am.something.tld/cas/oidc/authorize?=...
> does not match oidc issuer **http**://am.something.tld/cas/oidc*
>
> See the "http" in the matching rule where the "https" should be? The
> problem here was in bad URI scheme information getting to the CAS. CAS gets
> the info from the X-Forwarded-Proto header, and from the Tomcat connector
> object (Java representation of the HTTP connector inside the application
> container). Basically, CAS thought I was running plain HTTP because the
> Tomcat connector object *is* plain http for the backend server and I was
> not giving it the X-Forwarded-Proto header.
>
> I had to make sure my proxy is setting the correct X-Forwarded-Proto and
> Tomcat propagates it to the application via RemoteIpValve.
> Once I did this, things started working.
>
> Cheers,
> Fiisch
>
> On 05/05/2022 02:01 PM, wouldsmina wrote:
>
> Hello Fiisch,
>
> Yes, debug logging is enabled, but nothing interesting. The service file is
> correctly loaded:
> [2022-05-05 12:10:03] [info] 2022-05-05 12:10:03,277 DEBUG [org.apereo.cas.services.resource.AbstractResourceBasedServiceRegistry] - <Attempting to read and parse [/etc/cas/services/appoidc-1624798320.json]>
> [2022-05-05 12:10:03] [info] 2022-05-05 12:10:03,277 DEBUG [org.apereo.cas.oidc.services.OidcServiceRegistryListener] - <Mapped [email] to attribute release policy [OidcEmailScopeAttributeReleasePolicy]>
> [2022-05-05 12:10:03] [info] 2022-05-05 12:10:03,277 DEBUG [org.apereo.cas.oidc.services.OidcServiceRegistryListener] - <Mapped [profile] to attribute release policy [OidcProfileScopeAttributeReleasePolicy]>
> [2022-05-05 12:10:03] [info] 2022-05-05 12:10:03,277 DEBUG [org.apereo.cas.oidc.services.OidcServiceRegistryListener] - <Given scope [offline_access], service [1624798320] is marked to generate refresh tokens>
>
> The CAS server is behind a proxy (Apache), like my CAS 6.1:
>
> <VirtualHost *:443>
>     ServerAdmin s...@domain.fr
>     ServerName cas-test.domain.fr
>
>     DocumentRoot /var/www/cas-test
>     AccessFileName .htaccess
>
>     <Directory />
>         Options FollowSymLinks
>         AllowOverride None
>         Allow from all
>     </Directory>
>     <Directory /var/www/>
>         Options FollowSymLinks MultiViews
>         AllowOverride AuthConfig
>         Order allow,deny
>         Allow from all
>     </Directory>
>
>     ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
>     <Directory "/usr/lib/cgi-bin">
>         AllowOverride None
>         Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
>         Order allow,deny
>         Allow from all
>     </Directory>
>
>     LogLevel warn
>     ErrorLog ${APACHE_LOG_DIR}/cas-test-error.log
>     CustomLog ${APACHE_LOG_DIR}/cas-test-ssl_access.log combined
>
>     Alias /doc/ "/usr/share/doc/"
>     <Directory "/usr/share/doc/">
>         Options MultiViews FollowSymLinks
>         AllowOverride None
>         Order deny,allow
>         Deny from all
>         Allow from 127.0.0.0/255.0.0.0 ::1/128
>     </Directory>
>
>     SSLEngine on
>
>     <FilesMatch "\.(cgi|shtml|phtml|php)$">
>         SSLOptions +StdEnvVars
>     </FilesMatch>
>     <Directory /usr/lib/cgi-bin>
>         SSLOptions +StdEnvVars
>     </Directory>
>
>     BrowserMatch ".*.*" \
>         nokeepalive ssl-unclean-shutdown \
>         downgrade-1.0 force-response-1.0
>
>     ProxyPass /cas ajp://spartana-b2.domain.fr:8010/cas
> </VirtualHost>
>
> Regards.
>
>
> On Thu, 5 May 2022 at 11:02, Petr Fišer <petr.fiser...@gmail.com> wrote:
>
>> Hello,
>> Do you have DEBUG logging enabled? Is there anything interesting in the
>> logs?
>> Also, what is your setup? Are you running behind a proxy, perchance?
>>
>> Cheers,
>> Fiisch
>>
>> On 05/05/2022 09:27 AM, wouldsmina wrote:
>>
>> I had no properties in cas.properties for oidc. I added
>> cas.authn.oidc.core.issuer like in the documentation, but it doesn't change
>> anything.
>> Cas.log and catalina.log return no warn on a replaced attribute and the
>> service file is loaded correctly.
>>
>> Looks like the regex in serviceId is not working (yet the same works on
>> CAS 6.1).
>>
>> Regards.
>>
>> On Wed, 4 May 2022 at 19:39, Ray Bon <r...@uvic.ca> wrote:
>>
>>> I meant search for the property that you are currently using.
>>> There should be a note about the name of the new property.
>>>
>>> Ray
>>>
>>> On Wed, 2022-05-04 at 17:38 +0200, wouldsmina wrote:
>>>
>>> Notice: This message was sent from outside the University of Victoria
>>> email system. Please be cautious with links and sensitive information.
>>>
>>> Thank you, Ray. The file contains nearly 80,000 lines... it's not going
>>> to be easy to find my way around. I will still try to find a solution,
>>> but if someone can guide me more, I'm interested.
>>>
>>>
>>> On Tue, 3 May 2022 at 17:56, Ray Bon <r...@uvic.ca> wrote:
>>>
>>> Said,
>>>
>>> Some of the property names may have changed.
>>> Run this command to get the list of all properties:
>>>
>>> ./gradlew exportConfigMetadata
>>>
>>> then search for the properties you are using.
>>>
>>> See,
>>> https://github.com/apereo/cas-overlay-template/tree/6.5#configuration-metadata
>>>
>>> Ray
>>>
>>> On Tue, 2022-05-03 at 05:08 -0700, Said b wrote:
>>>
>>>
>>>
>>> Hello,
>>>
>>> I am using OpenID connect with CAS 6.1.7. I installed CAS 6.5.3 in
>>> test, but I get an error (Application not authorized to use CAS) while the
>>> service file is identical. Is there a configuration change between 6.1
>>> and 6.5? I don't see anything in the documentation.
>>> Service file:
>>> {
>>>   "id": 1624798320,
>>>   "name": "AppOIDC",
>>>   "description": "mobile app",
>>>   "evaluationOrder": 99,
>>>   "@class": "org.apereo.cas.services.OidcRegisteredService",
>>>   "supportedGrantTypes": [
>>>     "java.util.HashSet",
>>>     [
>>>       "authorization_code",
>>>       "refresh_token"
>>>     ]
>>>   ],
>>>   "clientId": "mobileapp",
>>>   "clientSecret": "xxxxxxxxxxxxxxxxxxxxxxxxxx",
>>>   "serviceId": "^https://service.callback.oauth.domain.com$",
>>>   "scopes": [
>>>     "java.util.HashSet",
>>>     [
>>>       "profile",
>>>       "email",
>>>       "offline_access"
>>>     ]
>>>   ],
>>>   "attributeReleasePolicy": {
>>>     "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
>>>     "allowedAttributes": [ "java.util.ArrayList", [ "sn", "givenName" ] ]
>>>   }
>>> }
>>>
>>> Regards.
>>>
>>> --
>>>
>>>
>>> Ray Bon
>>> Programmer Analyst
>>> Development Services, University Systems
>>> 2507218831 | CLE 019 | r...@uvic.ca
>>>
>>> I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional
>>> territory the university stands, and the Songhees, Esquimalt and WSÁNEĆ
>>> peoples whose historical relationships with the land continue to this day.
>>> --
>>> - Website: https://apereo.github.io/cas
>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>> - List Guidelines: https://goo.gl/1VRrw7
>>> - Contributions: https://goo.gl/mh7qDG
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "CAS Community" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to cas-user+unsubscr...@apereo.org.
>>> To view this discussion on the web visit
>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/b2c1e72d4e772cd0546ce898cf76ea5cace25b26.camel%40uvic.ca
>>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/b2c1e72d4e772cd0546ce898cf76ea5cace25b26.camel%40uvic.ca?utm_medium=email&utm_source=footer>
>>> .
>>>
>>>
>>
>>
>>
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAH2NqNZkyctP2H5C2ioEFM9L2x0RFPCdctc0JinbXp61Z_Fn1w%40mail.gmail.com.
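A runnable model of the scheme-propagation problem Petr describes in the thread above, added here as an example; it is not CAS, Tomcat or Apache code. It assumes a backend connector that speaks plain http, a list of trusted proxy ranges (standing in for RemoteIpValve's internalProxies/trustedProxies), and a constructed Request type. It shows the three cases a defender cares about: the proxy sets X-Forwarded-Proto and the issuer check passes; the header is missing and the reconstructed URL comes out as http, which is the mismatch Petr saw; and an untrusted peer supplies the header, which must be ignored so a client cannot choose the scheme the application believes in.

```python
"""Model of how a reverse-proxied application decides which scheme the client
used, and why an OIDC issuer check fails when X-Forwarded-Proto is missing.

Added example for this thread, not CAS or Tomcat code. The trust rule imitates
what Tomcat's RemoteIpValve does: forwarded headers are honoured only when the
connecting peer is one of the configured proxies.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional

# Assumed backend connector: Tomcat listening on plain HTTP behind the proxy.
CONNECTOR_SCHEME = "http"

# Assumed trusted proxy ranges (constructed for this example). Headers that
# arrive from any other address are ignored, exactly as RemoteIpValve ignores
# them for peers outside internalProxies/trustedProxies.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
]


@dataclass
class Request:
    remote_addr: str                     # peer that connected to the backend
    host: str                            # Host header seen by the backend
    path: str                            # path plus query string
    headers: Dict[str, str] = field(default_factory=dict)


def effective_scheme(req: Request) -> str:
    """Scheme the application should believe the client used.

    X-Forwarded-Proto is accepted only from a trusted proxy; otherwise the
    connector's own scheme wins, which for an offloaded setup is plain http.
    """
    peer = ipaddress.ip_address(req.remote_addr)
    forwarded = req.headers.get("X-Forwarded-Proto")
    if forwarded and any(peer in net for net in TRUSTED_PROXIES):
        # A chain of proxies may produce "https, http"; the first entry is the
        # scheme the original client used.
        proto = forwarded.split(",")[0].strip().lower()
        if proto in ("http", "https"):
            return proto
    return CONNECTOR_SCHEME


def request_url(req: Request) -> str:
    """Reconstruct the absolute URL the application thinks it received."""
    return f"{effective_scheme(req)}://{req.host}{req.path}"


def check_issuer(req: Request, issuer: str) -> Optional[str]:
    """Return None when the request URL lies under the configured issuer,
    otherwise a message shaped like the mismatch line quoted in the thread."""
    url = request_url(req)
    if url == issuer or url.startswith(issuer.rstrip("/") + "/"):
        return None
    return f"the request {url} does not match oidc issuer {issuer}"


if __name__ == "__main__":
    issuer = "https://am.something.tld/cas/oidc"  # constructed, as in the thread
    path = "/cas/oidc/authorize?response_type=code"
    cases = {
        "proxy sets header": Request("10.0.0.5", "am.something.tld", path,
                                     {"X-Forwarded-Proto": "https"}),
        "header missing":    Request("10.0.0.5", "am.something.tld", path),
        "untrusted peer":    Request("203.0.113.9", "am.something.tld", path,
                                     {"X-Forwarded-Proto": "https"}),
    }
    for label, req in cases.items():
        print(f"{label:18} -> {check_issuer(req, issuer) or 'issuer check passes'}")
```

The middle case is the one in Petr's log: the proxy terminates TLS, never tells the backend, and the application reconstructs an http:// URL that cannot match an https:// issuer. The third case is why the fix is not simply "trust whatever header arrives": the scheme must come from the proxy the application actually sits behind, so the valve's proxy allow-list matters as much as the header itself.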
