While testing CAS 7 (RC7), we encountered either a puzzling bug, or some configuration effect we don't understand.
Normally, if we don't specify an application for /cas/login, after authentication we expect to be directed to a "Log In Successful" page for an unknown target destination that displays the attributes and their values for the user. We've found, however, that once we've successfully logged in for a target destination we actually have a service registration for (e.g. "/cas/login?renew=true&service=https%3A%2F%2Fexample%2Ecom" [*]), any subsequent attempts to use /cas/login without a target destination always redirect us to the first successful target destination we successfully log in to (e.g., example.com in this case). This even happens after /cas/logout, a new private/incognito browser window, or even a different browser, so it seems to be tied to the CAS server itself.

[*] For example, with the following JSON service registration for example.com:

    {
      "@class" : "org.apereo.cas.services.CasRegisteredService",
      "name" : "Example_Default_MFA",
      "serviceId" : "^https://example\\.com(/.*)*",
      "description" : "Default MFA Test example.com",
      "id" : 20230720150127,
      "evaluationOrder" : 10000009,
      "multifactorPolicy" : {
        "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
        "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-duo" ] ],
        "failureMode" : "OPEN"
      }
    }

If we restart CAS, and try just "/cas/login", we get the expected attributes results page. If we then try "/cas/login?renew=true&service=https%3A%2F%2Fexample%2Ecom", we get the expected example.com page. But if we then try just "/cas/login" again, we are only directed back to example.com as previously described. Only restarting CAS seems to clear the condition.

After restart, if we first try it with the example.com target, then without logging out try it without a target using just "/cas/login", we get the expected attributes page.
However, if we then log out with "/cas/logout" and then once again use just the target-less "/cas/login", we get directed back to example.com rather than the attributes page.

--
Baron Fujimoto <ba...@hawaii.edu> ::: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum descendus pantorum