Yes, but I don't remember what the issue was, it being more than a year ago.
I am using oauth2.0 endpoints so I'm using /oauth2.0/profile to get the
profile back.  If you are using OIDC it looks like you should be using
cas/oidc/accessToken/
to get a token back first and then a call to /oidc/profile to get the
profile using the token you got back in the first request.

On Tue, Mar 6, 2018 at 6:36 PM, Ryan Rolland <[email protected]> wrote:

> Did you figure this out? I am having a very similar failure trying to get
> the profile on a call to cas/oidc/accessToken/ from either request or
> session. I believe it is due to the request being generated from the web
> applications back end and not the browser, i.e. no cookie information.
>
> ProfileManager<U>.retrieveAll(boolean) line: 58
> ProfileManager<U>.get(boolean) line: 35
> OidcAccessTokenEndpointController(OAuth20AccessTokenEndpointController).verifyAccessTokenRequest(HttpServletRequest, HttpServletResponse) line: 207
> OidcAccessTokenEndpointController(OAuth20AccessTokenEndpointController).handleRequest(HttpServletRequest, HttpServletResponse) line: 103
>
>
> On Thursday, December 15, 2016 at 5:16:20 AM UTC-10, Todd Pratt wrote:
>>
>> Hi,
>>
>> I appreciate all the help.  That check succeeds, see the log statements
>> below.  It fails on isRequestAuthenticated in OAuth20AuthorizeController
>> https://github.com/apereo/cas/blob/master/support/cas-server-support-oauth/src/main/java/org/apereo/cas/support/oauth/web/OAuth20AuthorizeController.java#L85
>> https://github.com/apereo/cas/blob/master/support/cas-server-support-oauth/src/main/java/org/apereo/cas/support/oauth/web/OAuth20AuthorizeController.java#L108
>>
>> There isn't a profile in the session or request attributes.  I printed
>> both of those out and couldn't find one for Pac4jConstants.USER_PROFILES
>> ("pac4jUserProfile")
>>
>>
>> 2016-12-15 09:53:52,309 DEBUG [org.apereo.cas.support.oauth.validator.OAuthValidator] - <Check registered service: org.apereo.cas.services.OidcRegisteredService@126030a4[attributeFilter=<null>,principalAttributesRepository=org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository@7f17e342[],authorizedToReleaseCredentialPassword=false,authorizedToReleaseProxyGrantingTicket=false,allowedAttributes=[]],accessStrategy=org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy@27dc818c[enabled=true,ssoEnabled=true,requireAllAttributes=true,requiredAttributes={},unauthorizedRedirectUrl=<null>,caseInsensitive=false,rejectedAttributes={}],publicKey=<null>,proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@5761f513,logo=<null>,logoutUrl=<null>,requiredHandlers=[],properties={},multifactorPolicy=org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy@342a60c3[multifactorAuthenticationProviders=[],failureMode=CLOSED,principalAttributeNameTrigger=<null>,principalAttributeValueToMatch=<null>,clientId=fb3s86QV9QKl,approvalPrompt=false,generateRefreshToken=false,jsonFormat=true,jwks=<null>,signIdToken=false]>
>>
>> 2016-12-15 09:53:52,310 DEBUG [org.apereo.cas.support.oauth.validator.OAuthValidator] - <Found: org.apereo.cas.services.OidcRegisteredService@126030a4[attributeFilter=<null>,principalAttributesRepository=org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository@7f17e342[],authorizedToReleaseCredentialPassword=false,authorizedToReleaseProxyGrantingTicket=false,allowedAttributes=[]],accessStrategy=org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy@27dc818c[enabled=true,ssoEnabled=true,requireAllAttributes=true,requiredAttributes={},unauthorizedRedirectUrl=<null>,caseInsensitive=false,rejectedAttributes={}],publicKey=<null>,proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@5761f513,logo=<null>,logoutUrl=<null>,requiredHandlers=[],properties={},multifactorPolicy=org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy@342a60c3[multifactorAuthenticationProviders=[],failureMode=CLOSED,principalAttributeNameTrigger=<null>,principalAttributeValueToMatch=<null>,clientId=fb3s86QV9QKl,approvalPrompt=false,generateRefreshToken=false,jsonFormat=true,jwks=<null>,signIdToken=false] vs redirectUri: http://localhost:8080/oauth_client>
>>
>> 2016-12-15 09:53:52,313 ERROR [org.apereo.cas.support.oauth.web.OAuth20AuthorizeController] - <Authorize request verification fails>
>>
>>
>> On Thursday, December 15, 2016 at 3:27:05 AM UTC-5, leleuj wrote:
>>>
>>> Hi,
>>>
>>> Here is the check: https://github.com/apereo/cas/blob/master/support/cas-server-support-oauth/src/main/java/org/apereo/cas/support/oauth/validator/OAuth20Validator.java#L78
>>>
>>> Can you debug it to see what's going on?
>>>
>>> Thanks.
>>> Best regards,
>>> Jérôme
>>>
>>>
>>> 2016-12-14 17:13 GMT+01:00 Todd Pratt <[email protected]>:
>>>
>>>> Hi Jérôme,
>>>>
>>>> I've tried several values for serviceId and can't find one that will
>>>> work; I get the same error each time.  I need it to redirect back to
>>>> http://localhost:8080/oauth_client.  Could you please tell me what I'm
>>>> doing wrong with the following?
>>>>
>>>> {
>>>>   "@class" : "org.apereo.cas.services.OidcRegisteredService",
>>>>   "clientId": "fb3s86QV9QKl",
>>>>   "clientSecret": "VgWn3ysT24gZo66K",
>>>>   "serviceId" : "^http://localhost:8080/oauth_client",
>>>>   "signIdToken": "false",
>>>>   "name": "OIDC",
>>>>   "id": 1000,
>>>>   "evaluationOrder": 100
>>>> }
>>>>
>>>>
>>>>
>>>> Thank you,
>>>> Todd
>>>>
>>>>
>>>> On Wednesday, December 14, 2016 at 3:04:12 AM UTC-5, leleuj wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> Sure. This error happens when you have not properly configured the
>>>>> serviceId of the Oidc service, it must match the redirectUri.
>>>>>
>>>>> See the documentation: https://apereo.github.io/cas/5.0.x/installation/OIDC-Authentication.html
>>>>>
>>>>>
>>>>> {
>>>>>   "@class" : "org.apereo.cas.services.OidcRegisteredService",
>>>>>   "clientId": "client",
>>>>>   "clientSecret": "secret",
>>>>>   "serviceId" : "^<https://the-redirect-uri>",
>>>>>   "signIdToken": true,
>>>>>   "name": "OIDC",
>>>>>   "id": 1000,
>>>>>   "evaluationOrder": 100,
>>>>>   "jwks": "..."
>>>>> }
>>>>>
>>>>>
>>>>>
>>>>> Thanks.
>>>>> Best regards,
>>>>> Jérôme
>>>>>
>>>>>
>>>>> 2016-12-13 21:12 GMT+01:00 Misagh Moayyed <[email protected]>:
>>>>>
>>>>>> Feel free to submit an issue. Jérôme might have a few ideas. It would
>>>>>> also be helpful if you could pack your client into a shape that can be
>>>>>> tested and run by someone else. If you do [and you should], reference its
>>>>>> location in the issue.
>>>>>>
>>>>>>
>>>>>>
>>>>>> --Misagh
>>>>>>
>>>>>>
>>>>>>
>>>>>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of
>>>>>> *Todd Pratt
>>>>>> *Sent:* Tuesday, December 13, 2016 11:21 AM
>>>>>> *To:* CAS Community <[email protected]>
>>>>>> *Subject:* [cas-user] Re: Authorize request verification fails with
>>>>>> OAuth and CAS 5.0.x
>>>>>>
>>>>>>
>>>>>>
>>>>>> The authorization url that is generated is
>>>>>>
>>>>>>
>>>>>>
>>>>>> https://cas.mydomain.com:8443/cas/oauth2.0/authorize/?client_id=fb3s86QV9QKl&redirect_uri=http://localhost:8080/oauth_client&response_type=code&scope=openid
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Monday, December 12, 2016 at 4:51:17 PM UTC-5, Todd Pratt wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>>
>>>>>>
>>>>>> I'm trying to set up OpenID/OAuth2 on CAS 5.0.x using the war overlay
>>>>>> template.  I included three dependencies: cas-server-support-oidc,
>>>>>> cas-server-support-ldap and cas-server-support-json-service-registry.
>>>>>> I built the management webapp using that overlay template and I
>>>>>> successfully logged into the management app using the LDAP
>>>>>> authentication I set up.  Now I'm trying to set up a service provider
>>>>>> for OpenID/OAuth2 and I keep getting an error page with my test
>>>>>> application that says "Application Not Authorized to use CAS" instead
>>>>>> of redirecting to the login page.  I've used this test client with
>>>>>> other servers and it seems to work.  I enabled debugging and, looking
>>>>>> through the code, it looks like it found the provider I defined, but
>>>>>> then it fails when OAuth20AuthorizeController.isRequestAuthenticated()
>>>>>> returns false.  The method isRequestAuthenticated() seems to look for
>>>>>> a profile in the session which isn't there.  Is there something I'm
>>>>>> missing?  Below is the portion of the log.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> 2016-12-12 13:09:40,226 DEBUG [org.apereo.cas.support.oauth.validator.OAuthValidator] - <client_id: fb3s86QV9QKl>
>>>>>>
>>>>>> 2016-12-12 13:09:40,227 DEBUG [org.apereo.cas.support.oauth.validator.OAuthValidator] - <redirect_uri: http://localhost:8080/oauth_client>
>>>>>>
>>>>>> 2016-12-12 13:09:40,227 DEBUG [org.apereo.cas.support.oauth.validator.OAuthValidator] - <response_type: code>
>>>>>>
>>>>>> 2016-12-12 13:09:40,227 DEBUG [org.apereo.cas.support.oauth.web.OAuth20AuthorizeController] - <Response type: code>
>>>>>>
>>>>>> 2016-12-12 13:09:40,228 DEBUG [org.apereo.cas.support.oauth.validator.OAuthValidator] - <Check registered service: org.apereo.cas.services.OidcRegisteredService@66d09fb6[attributeFilter=<null>,principalAttributesRepository=org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository@2027a3cc[],authorizedToReleaseCredentialPassword=false,authorizedToReleaseProxyGrantingTicket=false],accessStrategy=org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy@f9e67c0[enabled=true,ssoEnabled=true,requireAllAttributes=false,requiredAttributes={},unauthorizedRedirectUrl=<null>,caseInsensitive=false,rejectedAttributes={}],publicKey=<null>,proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@2e202d9f,logo=<null>,logoutUrl=<null>,requiredHandlers=[],properties={},multifactorPolicy=org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy@6dd174aa[multifactorAuthenticationProviders=[],failureMode=CLOSED,principalAttributeNameTrigger=<null>,principalAttributeValueToMatch=<null>,clientId=fb3s86QV9QKl,approvalPrompt=false,generateRefreshToken=false,jsonFormat=false,jwks=<null>,signIdToken=false]>
>>>>>>
>>>>>> 2016-12-12 13:09:40,228 DEBUG [org.apereo.cas.support.oauth.validator.OAuthValidator] - <Found: org.apereo.cas.services.OidcRegisteredService@66d09fb6[attributeFilter=<null>,principalAttributesRepository=org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository@2027a3cc[],authorizedToReleaseCredentialPassword=false,authorizedToReleaseProxyGrantingTicket=false],accessStrategy=org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy@f9e67c0[enabled=true,ssoEnabled=true,requireAllAttributes=false,requiredAttributes={},unauthorizedRedirectUrl=<null>,caseInsensitive=false,rejectedAttributes={}],publicKey=<null>,proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@2e202d9f,logo=<null>,logoutUrl=<null>,requiredHandlers=[],properties={},multifactorPolicy=org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy@6dd174aa[multifactorAuthenticationProviders=[],failureMode=CLOSED,principalAttributeNameTrigger=<null>,principalAttributeValueToMatch=<null>,clientId=fb3s86QV9QKl,approvalPrompt=false,generateRefreshToken=false,jsonFormat=false,jwks=<null>,signIdToken=false] vs redirectUri: http://localhost:8080/oauth_client>
>>>>>>
>>>>>> 2016-12-12 13:09:40,228 ERROR [org.apereo.cas.support.oauth.web.OAuth20AuthorizeController] - <Authorize request verification fails>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> Thanks in advance for any help.
>>>>>>
>>>>>> --
>>>>>> - CAS gitter chatroom: https://gitter.im/apereo/cas
>>>>>> - CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
>>>>>> - CAS documentation website: https://apereo.github.io/cas
>>>>>> - CAS project website: https://github.com/apereo/cas
>>>>>> ---
>>>>>> You received this message because you are subscribed to the Google
>>>>>> Groups "CAS Community" group.
>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>> send an email to [email protected].
>>>>>> To view this discussion on the web visit
>>>>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/3ed9
>>>>>> 3ca6-db04-4734-a86a-4d6938f4576f%40apereo.org
>>>>>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/3ed93ca6-db04-4734-a86a-4d6938f4576f%40apereo.org?utm_medium=email&utm_source=footer>
>>>>>> .
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>
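
The serviceId and redirect_uri relationship discussed in this thread, as an added example that is not part of any message above and is not CAS code: a Python preflight that checks the authorize URL quoted in the thread against the posted service definition. It assumes the whole redirect_uri must match the serviceId regular expression (full match); the function names and the over-broad pattern check are hypothetical additions that go slightly beyond what the thread covers.

```python
import json
import re
from urllib.parse import urlsplit, parse_qs

# Constructed from the values quoted in the thread (clientSecret omitted).
SERVICE_JSON = '''{
  "@class": "org.apereo.cas.services.OidcRegisteredService",
  "clientId": "fb3s86QV9QKl",
  "serviceId": "^http://localhost:8080/oauth_client",
  "name": "OIDC", "id": 1000, "evaluationOrder": 100
}'''
AUTHORIZE_URL = ("https://cas.mydomain.com:8443/cas/oauth2.0/authorize/"
                 "?client_id=fb3s86QV9QKl"
                 "&redirect_uri=http://localhost:8080/oauth_client"
                 "&response_type=code&scope=openid")


def preflight(service_json, authorize_url):
    """Return a list of problems; an empty list means the request lines up."""
    service = json.loads(service_json)
    params = parse_qs(urlsplit(authorize_url).query)
    problems = []
    # Repeated or missing parameters make the comparison ambiguous: stop early.
    for name in ("client_id", "redirect_uri", "response_type"):
        if len(params.get(name, [])) != 1:
            problems.append(f"{name} must appear exactly once")
    if problems:
        return problems
    if params["client_id"][0] != service.get("clientId"):
        problems.append("client_id does not equal the registered clientId")
    # Assumption: the entire redirect_uri has to match the pattern, not a prefix.
    if re.fullmatch(service["serviceId"], params["redirect_uri"][0]) is None:
        problems.append("redirect_uri does not match serviceId")
    return problems


def is_overbroad(service_id, unintended_uris):
    """True if the pattern also accepts a URI it was never meant to cover."""
    return any(re.fullmatch(service_id, uri) for uri in unintended_uris)
```

An empty result for the thread's own values agrees with the later report that the serviceId check passes and the failure lies in the missing session profile.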
