Hi,

Indeed, the OAuth server support has some caveats, most of them will be fixed in master (4.3), but the requirements on the session will remain.

Misagh is perfectly right: the support relies on the web session, so you need session affinity or session replication.

Thanks.
Best regards,
Jérôme

2016-02-21 9:01 GMT+01:00 Misagh Moayyed <[email protected]>:

> I had a quick look, and it seems like this sort of issue is fixed in 4.2 and beyond but I’ll let Jérôme confirm. If so, you may want to give that a try if you can.
>
> I don’t think you need to have the timeout be long term. The web session is different from your SSO session. You want to make sure the session timeout matches the “timeout” of your load balancer. It must be equal or greater than that setting. Typically, the common norm is somewhere between 10-15 minutes.
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Shailesh Deshpande
> *Sent:* Saturday, February 20, 2016 6:12 AM
> *To:* Misagh Moayyed <[email protected]>
> *Cc:* CAS Community <[email protected]>
> *Subject:* Re: [cas-user] oauth20_callbackUrl is missing from the session and can not be retrieved
>
> Thanks Misagh for responding. I hope Jérôme could add to this conversation as well.
>
> I am thinking that session stickiness might fail "in long term CAS login", as sticky sessions have timeouts. I am implementing the long term session for a mobile app which is one of the clients. Do I need to make the session stickiness timeouts also long term in that case?
>
> On Sat, Feb 20, 2016 at 1:25 AM, Misagh Moayyed <[email protected]> wrote:
>
> Jérôme would know best, but I think OAuth support in CAS requires some sort of sticky session or session replication. Certain parameters are stored into the web session prior to redirects and retrieved afterwards, and the session is obviously local. This seems like something that can be improved further.
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Shailesh Deshpande
> *Sent:* Friday, February 19, 2016 2:42 PM
> *To:* CAS Community <[email protected]>
> *Subject:* [cas-user] oauth20_callbackUrl is missing from the session and can not be retrieved
>
> I am using Apereo Central Authentication Service 4.1.4 <http://www.apereo.org/cas> version.
>
> I have configured two tomcat servers in the cluster. Both servers have CAS-oAuth2.0 support enabled. In order to test, I have a sample oAuth 2.0 client which is requesting the access through my server. I am using Hazelcast for the Service Registry.
>
> The server is responding correctly without server clustering. However, when two servers are running, the callbackAuthorize method is erring with the error "oauth20_callbackUrl is missing from the session and can not be retrieved". Please review the logs without and with clustering below.
>
> The CAS documentation does not ask for the session replication across the servers. So is there something that I am missing? I would really appreciate it if someone could help me immediately to resolve this.
>
> ###### Debug log with clustering on ##########
>
> [DEBUG] 2016-02-19 16:23:39,626 [http-nio-8080-exec-3] [] org.jasig.cas.support.oauth.web.BaseOAuthWrapperController debug - method : callbackAuthorize
> [DEBUG] 2016-02-19 16:23:39,626 [http-nio-8080-exec-3] [] org.jasig.cas.support.oauth.web.OAuth20CallbackAuthorizeController debug - ticket : null
> [DEBUG] 2016-02-19 16:23:39,626 [http-nio-8080-exec-3] [] org.jasig.cas.support.oauth.web.OAuth20CallbackAuthorizeController debug - oauth20_callbackUrl : null
> [ERROR] 2016-02-19 16:23:39,626 [http-nio-8080-exec-3] [] org.jasig.cas.support.oauth.web.OAuth20CallbackAuthorizeController error - oauth20_callbackUrl is missing from the session and can not be retrieved.
>
> ###### Debug log with clustering OFF ##########
>
> [DEBUG] 2016-02-19 16:24:54,538 [http-nio-8080-exec-6] [] org.jasig.cas.support.oauth.web.BaseOAuthWrapperController debug - method : callbackAuthorize
> [DEBUG] 2016-02-19 16:24:54,539 [http-nio-8080-exec-6] [] org.jasig.cas.support.oauth.web.OAuth20CallbackAuthorizeController debug - ticket : ST-8-ZCQEDMoSFN63RmZOXB5P-qual.cas.laureate.net
> [DEBUG] 2016-02-19 16:24:54,539 [http-nio-8080-exec-6] [] org.jasig.cas.support.oauth.web.OAuth20CallbackAuthorizeController debug - oauth20_callbackUrl : https://qual.cas.laureate.net/OAuth2TestApp/oauth2callback
> [DEBUG] 2016-02-19 16:24:54,540 [http-nio-8080-exec-6] [] org.jasig.cas.support.oauth.web.OAuth20CallbackAuthorizeController debug - oauth20_state : null
> [DEBUG] 2016-02-19 16:24:54,540 [http-nio-8080-exec-6] [] org.jasig.cas.support.oauth.web.OAuth20CallbackAuthorizeController debug - oauth20_callbackUrl : https://qual.cas.laureate.net/OAuth2TestApp/oauth2callback?code=ST-8-ZCQEDMoSFN63RmZOXB5P-qual.cas.laureate.net
> [DEBUG] 2016-02-19 16:24:54,540 [http-nio-8080-exec-6] [] org.jasig.cas.support.oauth.web.OAuth20CallbackAuthorizeController debug - bypassApprovalPrompt : false
> [DEBUG] 2016-02-19 16:24:54,541 [http-nio-8080-exec-6] [] org.jasig.cas.support.oauth.web.OAuth20CallbackAuthorizeController debug - serviceName : SampleOauthClient
>
> --
> You received this message because you are subscribed to the Google Groups "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
>
> --
> Shailesh Deshpande
> Cell: - 9422003057
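The failure the thread describes (a value written to the web session on one node before the login redirect, then looked up on another node after it) can be reproduced without CAS at all. The simulation below is an added example, not CAS or Tomcat code: two in-memory nodes behind a round-robin balancer, with switches for session affinity and for a shared (replicated) session store. It goes slightly beyond the thread by also modelling the two timeouts Misagh mentions, so the "sticky but still broken" cases show up: the callback arriving after the balancer's affinity entry has expired, and the servlet session expiring before the balancer's entry does. Node names, the session id, the client redirect URI and the ticket value are all constructed; the attribute name `oauth20_callbackUrl` and the error text are taken from the log lines in the thread.

```python
"""Added example (not CAS code): why callbackAuthorize fails on a two-node
cluster without session affinity or replication, and when affinity alone
is not enough."""
from dataclasses import dataclass, field
from itertools import cycle
from typing import Dict, Optional, Tuple

# Session attribute name exactly as it appears in the thread's debug log.
CALLBACK_KEY = "oauth20_callbackUrl"

Session = Tuple[Dict[str, str], float]   # (attributes, expiry time)


@dataclass
class Node:
    """One Tomcat node; the dict stands in for its per-JVM HttpSession store."""
    name: str
    sessions: Dict[str, Session] = field(default_factory=dict)


class Cluster:
    """Two-request OAuth flow behind a load balancer (all names constructed)."""

    def __init__(self, node_names, sticky=False, replicated=False,
                 affinity_ttl=900.0, session_ttl=1800.0):
        self.nodes = {n: Node(n) for n in node_names}
        self.sticky = sticky                  # balancer keeps a sid -> node table
        self.replicated = replicated          # sessions live in a shared store
        self.affinity_ttl = affinity_ttl      # balancer stickiness timeout (s)
        self.session_ttl = session_ttl        # servlet session timeout (s)
        self.shared: Dict[str, Session] = {}  # stands in for a replicated store
        self._rr = cycle(node_names)          # round-robin fallback
        self._affinity: Dict[str, Tuple[str, float]] = {}  # sid -> (node, expiry)

    def _route(self, sid: str, now: float) -> Node:
        """Pick the node that serves this request."""
        if self.sticky:
            entry = self._affinity.get(sid)
            if entry and entry[1] > now:      # affinity still valid: same node
                self._affinity[sid] = (entry[0], now + self.affinity_ttl)
                return self.nodes[entry[0]]
        node = self.nodes[next(self._rr)]     # otherwise round-robin
        if self.sticky:
            self._affinity[sid] = (node.name, now + self.affinity_ttl)
        return node

    def _session(self, node: Node, sid: str, now: float) -> Dict[str, str]:
        """Return the live session attributes for sid on this node (or shared)."""
        store = self.shared if self.replicated else node.sessions
        attrs, expiry = store.get(sid, ({}, 0.0))
        if expiry <= now:                     # unknown or expired: fresh session
            attrs = {}
        store[sid] = (attrs, now + self.session_ttl)
        return attrs

    def authorize(self, sid: str, redirect_uri: str, now: float = 0.0) -> str:
        """/oauth2.0/authorize: stash the client's callback in the web session,
        then send the browser off to /login (the redirect the thread mentions)."""
        node = self._route(sid, now)
        self._session(node, sid, now)[CALLBACK_KEY] = redirect_uri
        return node.name

    def callback_authorize(self, sid: str, ticket: str, now: float = 0.0):
        """/oauth2.0/callbackAuthorize: after login, read the callback back."""
        node = self._route(sid, now)
        callback = self._session(node, sid, now).get(CALLBACK_KEY)
        if callback is None:
            return node.name, None, (f"{CALLBACK_KEY} is missing from the session "
                                     "and can not be retrieved.")
        return node.name, f"{callback}?code={ticket}", None


def run_flow(cluster: Cluster, delay: float = 0.0, sid: str = "JSESSIONID-constructed",
             redirect_uri: str = "https://client.example/oauth2callback",
             ticket: str = "ST-1-constructed") -> dict:
    """Run authorize, then the callback `delay` seconds later; report both nodes."""
    first = cluster.authorize(sid, redirect_uri, now=0.0)
    second, location, error = cluster.callback_authorize(sid, ticket, now=delay)
    return {"authorize_node": first, "callback_node": second,
            "location": location, "error": error}


if __name__ == "__main__":
    two = ["tomcat-a", "tomcat-b"]
    print("round-robin, local sessions:", run_flow(Cluster(two)))
    print("sticky sessions:            ", run_flow(Cluster(two, sticky=True)))
    print("replicated sessions:        ", run_flow(Cluster(two, replicated=True)))
    # Affinity alone is not enough when the callback arrives after the
    # balancer's entry expired, or when the session timeout is shorter
    # than the balancer's stickiness timeout.
    print("sticky, callback after affinity_ttl:",
          run_flow(Cluster(two, sticky=True, affinity_ttl=600), delay=601))
    print("sticky, session_ttl < affinity_ttl: ",
          run_flow(Cluster(two, sticky=True, session_ttl=300, affinity_ttl=900), delay=301))
```

Running it shows the thread's two symptoms side by side: with plain round-robin the authorize request lands on `tomcat-a` and the callback on `tomcat-b`, which has no session for that id and reports the same "missing from the session" error; with affinity both requests hit `tomcat-a`, and with a replicated store the node still changes but the value is found. The last two runs illustrate Misagh's rule that the web session timeout must be at least the balancer's timeout: a too-short session expires under a still-valid affinity entry, and a too-short affinity entry re-routes a long-delayed callback to the other node.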
