When using my overlay, which includes pac4j, renew=true doesn't seem to work -- it seems to happily issue a service ticket without bothering to ask for credentials if there's an existing single sign-on session, regardless of whether the initial authentication uses pac4j or not. When I remove pac4j, the renew=true parameter prompts for credentials as it should.
An afternoon of debugging leads me to think that this is caused by the clientAction state returning a 'warn' event -- which short-circuits the 'renewRequestCheck' state and goes directly to redirect. While the renew parameter is checked somewhere in there, it doesn't look like anything is done with it before CAS issues a service ticket and goes on its merry way. This seems wrong to me. It looks like this behavior is a result of this commit: https://github.com/apereo/cas/commit/5d09f70fb11a285077c37acf983aa453ae0151a1#diff-feb7a03ec8693c969832dbd91fb39400R155

A couple of questions:

- Why does DelegatedClientAuthenticationAction call super.doExecute() at all when there is no clientName parameter and/or no credentials in the request? Shouldn't it just return an error() to go back to the main authentication flow, as it would if there is no TGT present? Why is the single sign-on case different?
- Assuming that we want to continue onward with trying to grant a service ticket in the clientAction when there's a TGT, what's the right way to prevent a service ticket from being issued when renew=true is present? Would we want it to show up as an authN failure (which I assume would trigger a credential challenge), or some other event?
- As an immediate workaround for my overlay, would changing the webflow to transition to 'renewRequestCheck' on a 'warn' from the clientAction be safe?

Thanks,
Rich

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAMYXOV-L48vMKGnkT2PP3twz9n_G84Q_dV0BrAMGe6gMxmgQXw%40mail.gmail.com.
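The transition change proposed in the last question, written out as a Spring Web Flow fragment for a login-webflow overlay (an added example, not code from the original post or from the CAS project). Only the clientAction and renewRequestCheck states, the redirect state and the 'warn' event come from the post; the success/error targets and the state names realSubmit and generateLoginTicket are assumptions about the surrounding flow.

```xml
<!-- login-webflow.xml fragment (added example; realSubmit and generateLoginTicket
     are assumed names for the neighbouring states, not taken from the post) -->
<action-state id="clientAction">
    <evaluate expression="clientAction" />

    <!-- the delegated client (pac4j) returned credentials: carry on with
         delegated authentication -->
    <transition on="success" to="realSubmit" />

    <!-- no clientName parameter and no credentials, but an SSO session (TGT) exists.
         Behaviour described in the post:  <transition on="warn" to="redirect" />
         which issues a service ticket without ever honouring renew=true.
         Route the event through renewRequestCheck instead, so the renew parameter
         is evaluated before any service ticket is generated; renewRequestCheck is
         expected to fall back to the credential view when renew=true is present. -->
    <transition on="warn" to="renewRequestCheck" />

    <!-- no SSO session at all: fall back to the normal credential challenge -->
    <transition on="error" to="generateLoginTicket" />
</action-state>
```

After applying the overlay, verify both paths: a request carrying renew=true while a TGT cookie is present must end at the credential form, and the same request without renew must still complete via single sign-on.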
