Did you figure this out? I am having a very similar failure trying to get the profile on a call to cas/oidc/accessToken/ from either request or session. I believe it is due to the request being generated from the web application's back end and not the browser, i.e. no cookie information.
ProfileManager<U>.retrieveAll(boolean) line: 58
ProfileManager<U>.get(boolean) line: 35
OidcAccessTokenEndpointController(OAuth20AccessTokenEndpointController).verifyAccessTokenRequest(HttpServletRequest, HttpServletResponse) line: 207
OidcAccessTokenEndpointController(OAuth20AccessTokenEndpointController).handleRequest(HttpServletRequest, HttpServletResponse) line: 103

On Thursday, December 15, 2016 at 5:16:20 AM UTC-10, Todd Pratt wrote:
>
> Hi,
>
> I appreciate all the help. That check succeeds, see the log statements
> below. It fails on isRequestAuthenticated in OAuth20AuthorizeController
>
> https://github.com/apereo/cas/blob/master/support/cas-server-support-oauth/src/main/java/org/apereo/cas/support/oauth/web/OAuth20AuthorizeController.java#L85
>
> https://github.com/apereo/cas/blob/master/support/cas-server-support-oauth/src/main/java/org/apereo/cas/support/oauth/web/OAuth20AuthorizeController.java#L108
>
> There isn't a profile in the session or request attributes. I printed
> both of those out and couldn't find one for Pac4jConstants.USER_PROFILES
> ("pac4jUserProfile")
>
> 2016-12-15 09:53:52,309 DEBUG [org.apereo.cas.support.oauth.validator.OAuthValidator] - <Check registered service: org.apereo.cas.services.OidcRegisteredService@126030a4[attributeFilter=<null>,principalAttributesRepository=org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository@7f17e342[],authorizedToReleaseCredentialPassword=false,authorizedToReleaseProxyGrantingTicket=false,allowedAttributes=[]],accessStrategy=org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy@27dc818c[enabled=true,ssoEnabled=true,requireAllAttributes=true,requiredAttributes={},unauthorizedRedirectUrl=<null>,caseInsensitive=false,rejectedAttributes={}],publicKey=<null>,proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@5761f513,logo=<null>,logoutUrl=<null>,requiredHandlers=[],properties={},multifactorPolicy=org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy@342a60c3[multifactorAuthenticationProviders=[],failureMode=CLOSED,principalAttributeNameTrigger=<null>,principalAttributeValueToMatch=<null>,clientId=fb3s86QV9QKl,approvalPrompt=false,generateRefreshToken=false,jsonFormat=true,jwks=<null>,signIdToken=false]>
>
> 2016-12-15 09:53:52,310 DEBUG [org.apereo.cas.support.oauth.validator.OAuthValidator] - <Found: org.apereo.cas.services.OidcRegisteredService@126030a4[attributeFilter=<null>,principalAttributesRepository=org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository@7f17e342[],authorizedToReleaseCredentialPassword=false,authorizedToReleaseProxyGrantingTicket=false,allowedAttributes=[]],accessStrategy=org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy@27dc818c[enabled=true,ssoEnabled=true,requireAllAttributes=true,requiredAttributes={},unauthorizedRedirectUrl=<null>,caseInsensitive=false,rejectedAttributes={}],publicKey=<null>,proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@5761f513,logo=<null>,logoutUrl=<null>,requiredHandlers=[],properties={},multifactorPolicy=org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy@342a60c3[multifactorAuthenticationProviders=[],failureMode=CLOSED,principalAttributeNameTrigger=<null>,principalAttributeValueToMatch=<null>,clientId=fb3s86QV9QKl,approvalPrompt=false,generateRefreshToken=false,jsonFormat=true,jwks=<null>,signIdToken=false] vs redirectUri: http://localhost:8080/oauth_client>
>
> 2016-12-15 09:53:52,313 ERROR [org.apereo.cas.support.oauth.web.OAuth20AuthorizeController] - <Authorize request verification fails>
>
> On Thursday, December 15, 2016 at 3:27:05 AM UTC-5, leleuj wrote:
>>
>> Hi,
>>
>> Here is the check:
>> https://github.com/apereo/cas/blob/master/support/cas-server-support-oauth/src/main/java/org/apereo/cas/support/oauth/validator/OAuth20Validator.java#L78
>>
>> Can you debug it to see what's going on?
>>
>> Thanks.
>> Best regards,
>> Jérôme
>>
>> 2016-12-14 17:13 GMT+01:00 Todd Pratt <[email protected]>:
>>
>>> Hi Jérôme,
>>>
>>> I've tried several values for serviceId and can't find one that will
>>> work I get the same error each time. I need it to redirect back to
>>> http://localhost:8080/oauth_client.
>>> Could you please tell me what I'm
>>> doing wrong with the following
>>>
>>> {
>>>   "@class" : "org.apereo.cas.services.OidcRegisteredService",
>>>   "clientId": "fb3s86QV9QKl",
>>>   "clientSecret": "VgWn3ysT24gZo66K",
>>>   "serviceId" : "^http://localhost:8080/oauth_client",
>>>   "signIdToken": "false",
>>>   "name": "OIDC",
>>>   "id": 1000,
>>>   "evaluationOrder": 100
>>> }
>>>
>>> Thank you,
>>> Todd
>>>
>>> On Wednesday, December 14, 2016 at 3:04:12 AM UTC-5, leleuj wrote:
>>>>
>>>> Hi,
>>>>
>>>> Sure. This error happens when you have not properly configured the
>>>> serviceId of the Oidc service, it must match the redirectUri.
>>>>
>>>> See the documentation:
>>>> https://apereo.github.io/cas/5.0.x/installation/OIDC-Authentication.html
>>>>
>>>> {
>>>>   "@class" : "org.apereo.cas.services.OidcRegisteredService",
>>>>   "clientId": "client",
>>>>   "clientSecret": "secret",
>>>>   "serviceId" : "^<https://the-redirect-uri>",
>>>>   "signIdToken": true,
>>>>   "name": "OIDC",
>>>>   "id": 1000,
>>>>   "evaluationOrder": 100,
>>>>   "jwks": "..."
>>>> }
>>>>
>>>> Thanks.
>>>> Best regards,
>>>> Jérôme
>>>>
>>>> 2016-12-13 21:12 GMT+01:00 Misagh Moayyed <[email protected]>:
>>>>
>>>>> Feel free to submit an issue. Jérôme might have a few ideas. It would
>>>>> also be helpful if you could pack your client into a shape that can be
>>>>> tested and run by someone else. If you do [and you should], reference its
>>>>> location in the issue.
>>>>>
>>>>> --Misagh
>>>>>
>>>>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Todd Pratt
>>>>> *Sent:* Tuesday, December 13, 2016 11:21 AM
>>>>> *To:* CAS Community <[email protected]>
>>>>> *Subject:* [cas-user] Re: Authorize request verification fails with OAuth and CAS 5.0.x
>>>>>
>>>>> The authorization url that is generated is
>>>>>
>>>>> https://cas.mydomain.com:8443/cas/oauth2.0/authorize/?client_id=fb3s86QV9QKl&redirect_uri=http://localhost:8080/oauth_client&response_type=code&scope=openid
>>>>>
>>>>> On Monday, December 12, 2016 at 4:51:17 PM UTC-5, Todd Pratt wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> I'm trying to setup OpenID/OAuth2 on CAS 5.0.x using the war overlay
>>>>> template. I included three dependencies, cas-server-support-oidc,
>>>>> cas-server-support-ldap and cas-server-support-json-service-registry.
>>>>> I built the management webapp using that overlay template and I
>>>>> successfully logged into the management app using the ldap
>>>>> authentication I setup. Now I'm trying to setup a service provider for
>>>>> OpenID/OAuth2 and I keep getting an error page with my test application
>>>>> that says "Application Not Authorized to use CAS" instead of
>>>>> redirecting to the login page. I've used this test client with other
>>>>> servers and it seems to work. I enabled debugging and looking through
>>>>> the code it looks it found my provider I defined but then it fails at
>>>>> OAuth20AuthorizeController.isRequestAuthenticated() returns false. The
>>>>> method isRequestAuthenticated() seems to look for a profile in the
>>>>> session which isn't there. Is there something I'm missing? Below is the
>>>>> portion of the log.
>>>>>
>>>>> 2016-12-12 13:09:40,226 DEBUG [org.apereo.cas.support.oauth.validator.OAuthValidator] - <client_id: fb3s86QV9QKl>
>>>>>
>>>>> 2016-12-12 13:09:40,227 DEBUG [org.apereo.cas.support.oauth.validator.OAuthValidator] - <redirect_uri: http://localhost:8080/oauth_client>
>>>>>
>>>>> 2016-12-12 13:09:40,227 DEBUG [org.apereo.cas.support.oauth.validator.OAuthValidator] - <response_type: code>
>>>>>
>>>>> 2016-12-12 13:09:40,227 DEBUG [org.apereo.cas.support.oauth.web.OAuth20AuthorizeController] - <Response type: code>
>>>>>
>>>>> 2016-12-12 13:09:40,228 DEBUG [org.apereo.cas.support.oauth.validator.OAuthValidator] - <Check registered service: org.apereo.cas.services.OidcRegisteredService@66d09fb6[attributeFilter=<null>,principalAttributesRepository=org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository@2027a3cc[],authorizedToReleaseCredentialPassword=false,authorizedToReleaseProxyGrantingTicket=false],accessStrategy=org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy@f9e67c0[enabled=true,ssoEnabled=true,requireAllAttributes=false,requiredAttributes={},unauthorizedRedirectUrl=<null>,caseInsensitive=false,rejectedAttributes={}],publicKey=<null>,proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@2e202d9f,logo=<null>,logoutUrl=<null>,requiredHandlers=[],properties={},multifactorPolicy=org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy@6dd174aa[multifactorAuthenticationProviders=[],failureMode=CLOSED,principalAttributeNameTrigger=<null>,principalAttributeValueToMatch=<null>,clientId=fb3s86QV9QKl,approvalPrompt=false,generateRefreshToken=false,jsonFormat=false,jwks=<null>,signIdToken=false]>
>>>>>
>>>>> 2016-12-12 13:09:40,228 DEBUG [org.apereo.cas.support.oauth.validator.OAuthValidator] - <Found: org.apereo.cas.services.OidcRegisteredService@66d09fb6[attributeFilter=<null>,principalAttributesRepository=org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository@2027a3cc[],authorizedToReleaseCredentialPassword=false,authorizedToReleaseProxyGrantingTicket=false],accessStrategy=org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy@f9e67c0[enabled=true,ssoEnabled=true,requireAllAttributes=false,requiredAttributes={},unauthorizedRedirectUrl=<null>,caseInsensitive=false,rejectedAttributes={}],publicKey=<null>,proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@2e202d9f,logo=<null>,logoutUrl=<null>,requiredHandlers=[],properties={},multifactorPolicy=org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy@6dd174aa[multifactorAuthenticationProviders=[],failureMode=CLOSED,principalAttributeNameTrigger=<null>,principalAttributeValueToMatch=<null>,clientId=fb3s86QV9QKl,approvalPrompt=false,generateRefreshToken=false,jsonFormat=false,jwks=<null>,signIdToken=false] vs redirectUri: http://localhost:8080/oauth_client>
>>>>>
>>>>> 2016-12-12 13:09:40,228 ERROR [org.apereo.cas.support.oauth.web.OAuth20AuthorizeController] - <Authorize request verification fails>
>>>>>
>>>>> Thanks in advance for any help.
>>>>>
>>>>> --
>>>>> - CAS gitter chatroom: https://gitter.im/apereo/cas
>>>>> - CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
>>>>> - CAS documentation website: https://apereo.github.io/cas
>>>>> - CAS project website: https://github.com/apereo/cas
>>>>> ---
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "CAS Community" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>> an email to [email protected].

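Added example, not part of the thread and not CAS code: a small Python check of the rule quoted in the thread, that the registered serviceId must match the redirect_uri, run against the service definition and authorization URL that were posted. It assumes the pattern is matched against the whole redirect_uri; the function names and the audit heuristics are illustrative.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Values copied from the thread; the client secret is not needed and is left out.
SERVICE = json.loads("""{
  "@class": "org.apereo.cas.services.OidcRegisteredService",
  "clientId": "fb3s86QV9QKl",
  "serviceId": "^http://localhost:8080/oauth_client",
  "name": "OIDC", "id": 1000, "evaluationOrder": 100
}""")
AUTHORIZE_URL = (
    "https://cas.mydomain.com:8443/cas/oauth2.0/authorize/?client_id=fb3s86QV9QKl"
    "&redirect_uri=http://localhost:8080/oauth_client&response_type=code&scope=openid"
)

def check_authorize_request(service, authorize_url):
    """Compare an authorize URL with a registration; return the mismatches."""
    query = parse_qs(urlsplit(authorize_url).query)
    problems = [f"missing parameter: {name}"
                for name in ("client_id", "redirect_uri", "response_type")
                if name not in query]
    if problems:
        return problems
    if query["client_id"][0] != service["clientId"]:
        problems.append("client_id does not match the registered clientId")
    # Assumption: the pattern has to match the whole redirect_uri.
    if not re.fullmatch(service["serviceId"], query["redirect_uri"][0]):
        problems.append("redirect_uri does not match serviceId")
    return problems

def audit_service_id(pattern):
    """Flag serviceId patterns that accept more redirect URIs than intended."""
    warnings = []
    if ".*" in pattern or ".+" in pattern:
        warnings.append("wildcard accepts arbitrary text")
    bare = pattern.lstrip("^")
    host = re.sub(r"^https?://", "", bare).split("/")[0]
    if re.search(r"(?<!\\)\.", host):
        warnings.append("unescaped '.' in host matches any character")
    if bare.startswith("http://") and not host.startswith(("localhost", "127.0.0.1")):
        warnings.append("plain http outside localhost")
    return warnings

if __name__ == "__main__":
    print(check_authorize_request(SERVICE, AUTHORIZE_URL))
    print(audit_service_id(SERVICE["serviceId"]))
```

For the values posted in the thread both functions return an empty list, which agrees with the report that the serviceId check succeeds and the failure occurs later.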