I have a fix which is basically a backport of what the master branch does. I'll submit a PR tomorrow or Friday when I have the correct computer available.
Thanks,
Rich

On Tue, Apr 23, 2019 at 5:16 PM Rich Renomeron <[email protected]> wrote:

> When using my overlay, which includes pac4j, renew=true doesn't seem to
> work -- it seems to happily issue a service ticket without bothering to ask
> for credentials if there's an existing single sign-on session, regardless
> of whether the initial authentication uses pac4j or not. When I remove
> pac4j, the renew=true parameter prompts for credentials as it should.
>
> An afternoon of debugging leads me to think that this is caused by the
> clientAction state returning a 'warn' event -- which short-circuits the
> 'renewRequestCheck' state and goes directly to redirect. While the renew
> parameter is checked somewhere in there, it doesn't look like anything is
> done with it before CAS issues a service ticket and goes on its merry way.
> This seems wrong to me.
>
> It looks like this behavior is a result of this commit:
>
> https://github.com/apereo/cas/commit/5d09f70fb11a285077c37acf983aa453ae0151a1#diff-feb7a03ec8693c969832dbd91fb39400R155
>
> A couple of questions:
>
> - Why does DelegatedClientAuthenticationAction call super.doExecute()
>   at all when there is no clientName parameter and/or no credentials in the
>   request? Shouldn't it just return an error() to go back to the main
>   authentication flow, as it would if there is no TGT present? Why is the
>   single sign-on case different?
> - Assuming that we want to continue onward with trying to grant a
>   service ticket in the clientAction when there's a TGT, what's the right way
>   to prevent a service ticket from being issued when renew=true is present? Would
>   we want it to show up as an authN failure (which I assume would trigger a
>   credential challenge), or some other event?
> - As an immediate workaround for my overlay, would changing the
>   webflow to transition to 'renewRequestCheck' on a 'warn' from the
>   clientAction be safe?
>
> Thanks,
> Rich
