Thanks for the response. Yeah, that is exactly what I am doing, i.e. trying to 
call 'cas/oidc/accessToken' before 'cas/oidc/profile'. The implementation 
of 'cas/oidc/accessToken' does a profile lookup per the stack trace I gave.

On Wednesday, March 7, 2018 at 4:55:44 AM UTC-10, Todd Pratt wrote:
>
> Yes, but I don't remember what the issue was, it being more than a year ago.
> I am using oauth2.0 endpoints so I'm using /oauth2.0/profile to get the 
> profile back.  If you are using OIDC it looks like you should be using 
> cas/oidc/accessToken/ to get a token back first and then a call to 
> /oidc/profile to get the profile using the token you got back in the 
> first request.
>
> On Tue, Mar 6, 2018 at 6:36 PM, Ryan Rolland <[email protected]> wrote:
>
>> Did you figure this out? I am having a very similar failure trying to get 
>> the profile on a call to cas/oidc/accessToken/ from either request or 
>> session. I believe it is due to the request being generated from the web 
>> application's back end and not the browser, i.e. no cookie information.
>>
>> ProfileManager<U>.retrieveAll(boolean) line: 58
>> ProfileManager<U>.get(boolean) line: 35
>> OidcAccessTokenEndpointController(OAuth20AccessTokenEndpointController).verifyAccessTokenRequest(HttpServletRequest, HttpServletResponse) line: 207
>> OidcAccessTokenEndpointController(OAuth20AccessTokenEndpointController).handleRequest(HttpServletRequest, HttpServletResponse) line: 103
>>
>>
>> On Thursday, December 15, 2016 at 5:16:20 AM UTC-10, Todd Pratt wrote:
>>>
>>> Hi,
>>>
>>> I appreciate all the help.  That check succeeds, see the log statements 
>>> below.  It fails on isRequestAuthenticated in OAuth20AuthorizeController
>>>
>>> https://github.com/apereo/cas/blob/master/support/cas-server-support-oauth/src/main/java/org/apereo/cas/support/oauth/web/OAuth20AuthorizeController.java#L85
>>>
>>> https://github.com/apereo/cas/blob/master/support/cas-server-support-oauth/src/main/java/org/apereo/cas/support/oauth/web/OAuth20AuthorizeController.java#L108
>>>   
>>>
>>> There isn't a profile in the session or request attributes.  I printed 
>>> both of those out and couldn't find one for Pac4jConstants.USER_PROFILES 
>>> ("pac4jUserProfile")
>>>
>>>
>>> 2016-12-15 09:53:52,309 DEBUG 
>>> [org.apereo.cas.support.oauth.validator.OAuthValidator] - <Check registered 
>>> service: 
>>> org.apereo.cas.services.OidcRegisteredService@126030a4[attributeFilter=<null>,principalAttributesRepository=org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository@7f17e342[],authorizedToReleaseCredentialPassword=false,authorizedToReleaseProxyGrantingTicket=false,allowedAttributes=[]],accessStrategy=org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy@27dc818c[enabled=true,ssoEnabled=true,requireAllAttributes=true,requiredAttributes={},unauthorizedRedirectUrl=<null>,caseInsensitive=false,rejectedAttributes={}],publicKey=<null>,proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@5761f513,logo=<null>,logoutUrl=<null>,requiredHandlers=[],properties={},multifactorPolicy=org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy@342a60c3[multifactorAuthenticationProviders=[],failureMode=CLOSED,principalAttributeNameTrigger=<null>,principalAttributeValueToMatch=<null>,clientId=fb3s86QV9QKl,approvalPrompt=false,generateRefreshToken=false,jsonFormat=true,jwks=<null>,signIdToken=false]>
>>>
>>> 2016-12-15 09:53:52,310 DEBUG 
>>> [org.apereo.cas.support.oauth.validator.OAuthValidator] - <Found: 
>>> org.apereo.cas.services.OidcRegisteredService@126030a4[attributeFilter=<null>,principalAttributesRepository=org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository@7f17e342[],authorizedToReleaseCredentialPassword=false,authorizedToReleaseProxyGrantingTicket=false,allowedAttributes=[]],accessStrategy=org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy@27dc818c[enabled=true,ssoEnabled=true,requireAllAttributes=true,requiredAttributes={},unauthorizedRedirectUrl=<null>,caseInsensitive=false,rejectedAttributes={}],publicKey=<null>,proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@5761f513,logo=<null>,logoutUrl=<null>,requiredHandlers=[],properties={},multifactorPolicy=org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy@342a60c3[multifactorAuthenticationProviders=[],failureMode=CLOSED,principalAttributeNameTrigger=<null>,principalAttributeValueToMatch=<null>,clientId=fb3s86QV9QKl,approvalPrompt=false,generateRefreshToken=false,jsonFormat=true,jwks=<null>,signIdToken=false]
>>>  
>>> vs redirectUri: http://localhost:8080/oauth_client>
>>>
>>> 2016-12-15 09:53:52,313 ERROR [org.apereo.cas.support.oauth.web.OAuth20AuthorizeController] - <Authorize request verification fails>
>>>
>>>
>>> On Thursday, December 15, 2016 at 3:27:05 AM UTC-5, leleuj wrote:
>>>>
>>>> Hi,
>>>>
>>>> Here is the check: 
>>>> https://github.com/apereo/cas/blob/master/support/cas-server-support-oauth/src/main/java/org/apereo/cas/support/oauth/validator/OAuth20Validator.java#L78
>>>>
>>>> Can you debug it to see what's going on?
>>>>
>>>> Thanks.
>>>> Best regards,
>>>> Jérôme
>>>>
>>>>
>>>> 2016-12-14 17:13 GMT+01:00 Todd Pratt <[email protected]>:
>>>>
>>>>> Hi Jérôme,
>>>>>
>>>>> I've tried several values for serviceId and can't find one that will 
>>>>> work; I get the same error each time.  I need it to redirect back to 
>>>>> http://localhost:8080/oauth_client.  Could you please tell me what 
>>>>> I'm doing wrong with the following:
>>>>>
>>>>> {
>>>>>   "@class" : "org.apereo.cas.services.OidcRegisteredService",
>>>>>   "clientId": "fb3s86QV9QKl",
>>>>>   "clientSecret": "VgWn3ysT24gZo66K",
>>>>>   "serviceId" : "^http://localhost:8080/oauth_client",
>>>>>   "signIdToken": "false",
>>>>>   "name": "OIDC",
>>>>>   "id": 1000,
>>>>>   "evaluationOrder": 100
>>>>> }
>>>>>
>>>>>
>>>>>
>>>>> Thank you,
>>>>> Todd
>>>>>
>>>>>
>>>>> On Wednesday, December 14, 2016 at 3:04:12 AM UTC-5, leleuj wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> Sure. This error happens when you have not properly configured the 
>>>>>> serviceId of the Oidc service, it must match the redirectUri.
>>>>>>
>>>>>> See the documentation: 
>>>>>> https://apereo.github.io/cas/5.0.x/installation/OIDC-Authentication.html
>>>>>>
>>>>>>
>>>>>> {
>>>>>>   "@class" : "org.apereo.cas.services.OidcRegisteredService",
>>>>>>   "clientId": "client",
>>>>>>   "clientSecret": "secret",
>>>>>>   "serviceId" : "^<https://the-redirect-uri>",
>>>>>>   "signIdToken": true,
>>>>>>   "name": "OIDC",
>>>>>>   "id": 1000,
>>>>>>   "evaluationOrder": 100,
>>>>>>   "jwks": "..."
>>>>>> }
>>>>>>
>>>>>>
>>>>>>
>>>>>> Thanks.
>>>>>> Best regards,
>>>>>> Jérôme
>>>>>>
>>>>>>
>>>>>> 2016-12-13 21:12 GMT+01:00 Misagh Moayyed <[email protected]>:
>>>>>>
>>>>>>> Feel free to submit an issue. Jérôme might have a few ideas. It 
>>>>>>> would also be helpful if you could pack your client into a shape that 
>>>>>>> can be tested and run by someone else. If you do [and you should], 
>>>>>>> reference its location in the issue.
>>>>>>>
>>>>>>>  
>>>>>>>
>>>>>>> --Misagh
>>>>>>>
>>>>>>>  
>>>>>>>
>>>>>>> *From:* [email protected] [mailto:[email protected]] *On Behalf 
>>>>>>> Of *Todd Pratt
>>>>>>> *Sent:* Tuesday, December 13, 2016 11:21 AM
>>>>>>> *To:* CAS Community <[email protected]>
>>>>>>> *Subject:* [cas-user] Re: Authorize request verification fails with 
>>>>>>> OAuth and CAS 5.0.x
>>>>>>>
>>>>>>>  
>>>>>>>
>>>>>>> The authorization url that is generated is 
>>>>>>>
>>>>>>>  
>>>>>>>
>>>>>>>
>>>>>>> https://cas.mydomain.com:8443/cas/oauth2.0/authorize/?client_id=fb3s86QV9QKl&redirect_uri=http://localhost:8080/oauth_client&response_type=code&scope=openid
>>>>>>>
>>>>>>>  
>>>>>>>
>>>>>>>
>>>>>>> On Monday, December 12, 2016 at 4:51:17 PM UTC-5, Todd Pratt wrote:
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>>  
>>>>>>>
>>>>>>> I'm trying to set up OpenID/OAuth2 on CAS 5.0.x using the war overlay 
>>>>>>> template.  I included three dependencies: cas-server-support-oidc, 
>>>>>>> cas-server-support-ldap and cas-server-support-json-service-registry.  
>>>>>>> I built the management webapp using that overlay template and I 
>>>>>>> successfully logged into the management app using the LDAP 
>>>>>>> authentication I set up.  Now I'm trying to set up a service provider 
>>>>>>> for OpenID/OAuth2 and I keep getting an error page with my test 
>>>>>>> application that says "Application Not Authorized to use CAS" instead 
>>>>>>> of redirecting to the login page.  I've used this test client with 
>>>>>>> other servers and it seems to work.  I enabled debugging and, looking 
>>>>>>> through the code, it looks like it found the provider I defined but 
>>>>>>> then it fails when OAuth20AuthorizeController.isRequestAuthenticated() 
>>>>>>> returns false.  The method isRequestAuthenticated() seems to look for 
>>>>>>> a profile in the session which isn't there.  Is there something I'm 
>>>>>>> missing?  Below is the portion of the log.
>>>>>>>
>>>>>>>  
>>>>>>>
>>>>>>>  
>>>>>>>
>>>>>>> 2016-12-12 13:09:40,226 DEBUG [org.apereo.cas.support.oauth.validator.OAuthValidator] - <client_id: fb3s86QV9QKl>
>>>>>>>
>>>>>>> 2016-12-12 13:09:40,227 DEBUG [org.apereo.cas.support.oauth.validator.OAuthValidator] - <redirect_uri: http://localhost:8080/oauth_client>
>>>>>>>
>>>>>>> 2016-12-12 13:09:40,227 DEBUG [org.apereo.cas.support.oauth.validator.OAuthValidator] - <response_type: code>
>>>>>>>
>>>>>>> 2016-12-12 13:09:40,227 DEBUG [org.apereo.cas.support.oauth.web.OAuth20AuthorizeController] - <Response type: code>
>>>>>>>
>>>>>>> 2016-12-12 13:09:40,228 DEBUG 
>>>>>>> [org.apereo.cas.support.oauth.validator.OAuthValidator] - <Check 
>>>>>>> registered 
>>>>>>> service: 
>>>>>>> org.apereo.cas.services.OidcRegisteredService@66d09fb6[attributeFilter=<null>,principalAttributesRepository=org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository@2027a3cc[],authorizedToReleaseCredentialPassword=false,authorizedToReleaseProxyGrantingTicket=false],accessStrategy=org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy@f9e67c0[enabled=true,ssoEnabled=true,requireAllAttributes=false,requiredAttributes={},unauthorizedRedirectUrl=<null>,caseInsensitive=false,rejectedAttributes={}],publicKey=<null>,proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@2e202d9f,logo=<null>,logoutUrl=<null>,requiredHandlers=[],properties={},multifactorPolicy=org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy@6dd174aa[multifactorAuthenticationProviders=[],failureMode=CLOSED,principalAttributeNameTrigger=<null>,principalAttributeValueToMatch=<null>,clientId=fb3s86QV9QKl,approvalPrompt=false,generateRefreshToken=false,jsonFormat=false,jwks=<null>,signIdToken=false
>>>>>>> ]>
>>>>>>>
>>>>>>> 2016-12-12 13:09:40,228 DEBUG 
>>>>>>> [org.apereo.cas.support.oauth.validator.OAuthValidator] - <Found: 
>>>>>>> org.apereo.cas.services.OidcRegisteredService@66d09fb6[attributeFilter=<null>,principalAttributesRepository=org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository@2027a3cc[],authorizedToReleaseCredentialPassword=false,authorizedToReleaseProxyGrantingTicket=false],accessStrategy=org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy@f9e67c0[enabled=true,ssoEnabled=true,requireAllAttributes=false,requiredAttributes={},unauthorizedRedirectUrl=<null>,caseInsensitive=false,rejectedAttributes={}],publicKey=<null>,proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@2e202d9f,logo=<null>,logoutUrl=<null>,requiredHandlers=[],properties={},multifactorPolicy=org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy@6dd174aa[multifactorAuthenticationProviders=[],failureMode=CLOSED,principalAttributeNameTrigger=<null>,principalAttributeValueToMatch=<null>,clientId=fb3s86QV9QKl,approvalPrompt=false,generateRefreshToken=false,jsonFormat=false,jwks=<null>,signIdToken=false]
>>>>>>>  
>>>>>>> vs redirectUri: http://localhost:8080/oauth_client>
>>>>>>>
>>>>>>> 2016-12-12 13:09:40,228 ERROR [org.apereo.cas.support.oauth.web.OAuth20AuthorizeController] - <Authorize request verification fails>
>>>>>>>
>>>>>>>  
>>>>>>>
>>>>>>>  
>>>>>>>
>>>>>>> Thanks in advance for any help.
>>>>>>>
>>>>>>> -- 
>>>>>>> - CAS gitter chatroom: https://gitter.im/apereo/cas
>>>>>>> - CAS mailing list guidelines: 
>>>>>>> https://apereo.github.io/cas/Mailing-Lists.html
>>>>>>> - CAS documentation website: https://apereo.github.io/cas
>>>>>>> - CAS project website: https://github.com/apereo/cas
>>>>>>> --- 
>>>>>>> You received this message because you are subscribed to the Google 
>>>>>>> Groups "CAS Community" group.
>>>>>>> To unsubscribe from this group and stop receiving emails from it, 
>>>>>>> send an email to [email protected].
>>>>>>> To view this discussion on the web visit 
>>>>>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/3ed93ca6-db04-4734-a86a-4d6938f4576f%40apereo.org
>>>>>>>  
>>>>>>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/3ed93ca6-db04-4734-a86a-4d6938f4576f%40apereo.org?utm_medium=email&utm_source=footer>
>>>>>>> .
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>
>
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/32eae0c6-da0c-4c83-bdc7-e36a987ae184%40apereo.org.
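
The serviceId-versus-redirect_uri comparison discussed in this thread, as an added example that is not part of any poster's message or of the CAS code base. It assumes the redirect_uri must match the serviceId as a whole-string Java regular expression; the class name, helper names and the `app.example.org` URLs are constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

public class ServiceIdCheck {
    // Assumption (not confirmed on this page): the redirect_uri must match
    // the serviceId regex as a whole string (java.util.regex full match).
    static boolean callbackValid(String serviceId, String redirectUri) {
        return Pattern.compile(serviceId).matcher(redirectUri).matches();
    }

    // Builds a serviceId that accepts exactly one callback URL by quoting
    // every regex metacharacter in it.
    static String exactServiceId(String redirectUri) {
        return "^" + Pattern.quote(redirectUri) + "$";
    }

    public static void main(String[] args) {
        String redirectUri = "http://localhost:8080/oauth_client"; // from the thread
        Map<String, String> candidates = new LinkedHashMap<>();
        candidates.put("value posted in the thread", "^http://localhost:8080/oauth_client");
        candidates.put("documentation placeholder left in", "^<https://the-redirect-uri>");
        candidates.put("quoted exact match", exactServiceId(redirectUri));
        for (Map.Entry<String, String> c : candidates.entrySet()) {
            System.out.printf("%-34s %-45s -> %s%n", c.getKey(), c.getValue(),
                    callbackValid(c.getValue(), redirectUri) ? "accepted" : "rejected");
        }

        // Constructed sample: an unescaped '.' makes the pattern broader than
        // the single callback URL the registration is meant to allow.
        String loose = "^https://app.example.org/cb";
        String other = "https://appXexample.org/cb";
        System.out.println("loose pattern accepts other host:  " + callbackValid(loose, other));
        System.out.println("quoted pattern accepts other host: "
                + callbackValid(exactServiceId("https://app.example.org/cb"), other));
    }
}
```

Under that assumption the serviceId posted in the thread accepts the callback, which agrees with the report that the check succeeds and the failure comes later, in the profile lookup.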
