Jérémie,

What do the cas logs say about the authentication event (may need debug level)?

The authorize URL comes after the authentication step. Are you logged in, in that browser?

Ray

On Tue, 2023-06-27 at 06:30 -0700, Jérémie wrote:

Hi,

I'm pretty new to CAS (6.6.8) and I'm trying to connect a test application to my CAS server using OIDC. I'm used to Okta, Auth0, etc., so OIDC is not new to me, just CAS configuration. My CAS is also connected to an AD to sign in.

This is my CAS server configuration using the OIDC module (org.apereo.cas:cas-server-support-oidc):

# Server
server.port=443

# SSL
server.ssl.enabled=true
server.ssl.key-store=file:{path}
server.ssl.key-store-password=xxx
server.ssl.key-password=xxx

# CAS
cas.server.name=https://URL:443
cas.server.prefix=${cas.server.name}/cas
cas.logout.followServiceRedirects=true
cas.authn.accept.enabled=false

# Active Directory
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldap://localhost:389
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].baseDn=DC=AAA,DC=BBB
cas.authn.ldap[0].search-filter=(sAMAccountName={user})
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].bindDn=USER
cas.authn.ldap[0].bindCredential=XXX

# OIDC settings
cas.authn.oidc.core.issuer=https://URL/cas/oidc
cas.authn.oidc.core.skew=5
cas.authn.oidc.jwks.file-system.jwks-file=file:C:\Program Files\Tomcat 9.0\etc\cas\config\keystore.jwks

# Encryption/Signing keys
cas.tgc.crypto.encryption.key=SN7Vpa8oHvXfh2hDZp8ANxZGRkF1DvKbYLTy_Vip2dI
cas.tgc.crypto.signing.key=KwbtZl2y5sidXFMShjVm4PiGwjVQ0Fq-ZBp0A_HUK6IOnoS2h0E5cSfp7vy8uioqX04yKIBXcU0kUm6DRuPCZQ
cas.webflow.crypto.signing.key=MltIqyj_vGFgZKFfw8vmoqYIYYu_KEU20AyZaAIDZl_Xjhl0ZGpPNe4h4N7-8p1_pNi-s97TQKb1-INp9VEwEA
cas.webflow.crypto.encryption.key=3Mh_pdDFLPCMgacDL6z8SQ

---

This is my /etc/config/services file:

{
  "@class": "org.apereo.cas.services.OidcRegisteredService",
  "serviceId": "https://localhost:3000/callback",   --> my app URL
  "name": "OIDC",
  "id": 1,
  "clientId": "41ff9715-bd3e-473c-9888-e2d5a1364c2a",
  "clientSecret": "SECRET",
  "bypassApprovalPrompt": true,
  "generateRefreshToken": true,
  "evaluationOrder": 10000
}

---

This is my test application config (Node.js app):

{
  "domain": "cas.lyvoc.com/cas/oidc",
  "clientId": "41ff9715-bd3e-473c-9888-e2d5a1364c2a",
}

This application was used with other IdPs, so the issue won't come from this.

When hitting login on it, this is the /authorize URL I'm getting redirected to:

https://URL/cas/oidc/authorize?client_id=41ff9715-bd3e-473c-9888-e2d5a1364c2a&acr=http%3A%2F%2Fschemas.openid.net%2Fpape%2Fpolicies%2F2007%2F06%2Fmulti-factor&scope=openid%20profile%20email%20read%3Aall&response_type=code&response_mode=query&state=dGEwS21Ddm52WUNXc254c2ptRmNzQjBOZGNTSGlPZzZ1R1AxVldOTl9lMA%3D%3D&nonce=RUIzY1hEbWJmWDZJYjNWOWh3QVJZcjBBdVNDOGt0RVdjYVl6WEZ1R0tXYQ%3D%3D&redirect_uri=http%3A%2F%2Flocalhost%3A3000&code_challenge=2Mln96FLN8s0qylEMY9yuC7ucbKioF9cGMIYG5B4q8s&code_challenge_method=S256&auth0Client=eyJuYW1lIjoiYXV0aDAtc3BhLWpzIiwidmVyc2lvbiI6IjEuMTkuNCJ9

The issue is that I'm getting redirected to a CAS page saying "Authorization Denied". I'm not getting redirected to the authentication page or anything like that:

[screenshot: firefox_u32LfLkefz.png]

I'm not finding anything on the net for this.

Thanks for any help!
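Added example, not code from the thread or from the CAS project: a small Python check that parses an /authorize URL and compares its client_id and redirect_uri with the registered service definition, using the values posted above. It assumes CAS treats serviceId as a regular expression that the redirect_uri must match; the trimmed AUTHORIZE_URL and the service list are constructed from the post.

```python
import re
from urllib.parse import urlparse, parse_qs

# Registered OIDC service as posted in the thread (client secret omitted).
REGISTERED_SERVICES = [
    {"serviceId": "https://localhost:3000/callback",
     "clientId": "41ff9715-bd3e-473c-9888-e2d5a1364c2a"},
]

# The relevant parameters of the /authorize URL from the thread;
# state, nonce, acr and the other parameters are dropped here.
AUTHORIZE_URL = ("https://URL/cas/oidc/authorize"
                 "?client_id=41ff9715-bd3e-473c-9888-e2d5a1364c2a"
                 "&scope=openid%20profile%20email&response_type=code"
                 "&redirect_uri=http%3A%2F%2Flocalhost%3A3000"
                 "&code_challenge_method=S256")


def check_authorize_request(authorize_url, services):
    """Compare an /authorize request with the registered services.

    Returns a list of mismatches; an empty list means the client_id is known
    and the redirect_uri is matched by that service's serviceId pattern."""
    query = parse_qs(urlparse(authorize_url).query)
    client_id = query.get("client_id", [None])[0]
    redirect_uri = query.get("redirect_uri", [None])[0]
    if client_id is None or redirect_uri is None:
        return ["client_id and redirect_uri are both required"]
    service = next((s for s in services if s["clientId"] == client_id), None)
    if service is None:
        return [f"no registered service has clientId {client_id}"]
    # Assumption: serviceId is a regular expression that the redirect_uri
    # must match; an unmatched redirect_uri is rejected by the server.
    if re.search(service["serviceId"], redirect_uri):
        return []
    problems = [f"redirect_uri {redirect_uri} does not match serviceId "
                f"{service['serviceId']}"]
    # Spell out the differing URL parts when serviceId is a literal URL.
    want, got = urlparse(service["serviceId"]), urlparse(redirect_uri)
    for part in ("scheme", "netloc", "path"):
        if getattr(want, part) != getattr(got, part):
            problems.append(f"{part}: registered {getattr(want, part)!r}, "
                            f"requested {getattr(got, part)!r}")
    return problems


if __name__ == "__main__":
    for problem in check_authorize_request(AUTHORIZE_URL, REGISTERED_SERVICES):
        print(problem)
```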