We use CAS as an OIDC Provider for our service. After upgrading from 6.0 to 6.2 we received reports from some of our users that they weren't able to login anymore but were presented an error page with a org.apereo.cas.ticket.InvalidTicketException. We found that the users reporting the problem use a bookmark of the CAS Login URL https://www.example.com/cas/login?service=https%3A%2F%2Fwww.example.com%2Fcas%2Foauth2.0%2FcallbackAuthorize%3Fclient_id%3D123%26redirect_uri%3Dhttps%253A%252F%252Fwww.example.com%252Fmyservice%252Flogin%252Foauth2%252Fcode%252Fcas-oidc%26response_type%3Dcode%26client_name%3DCasOAuthClient to reach our service. This causes the OAuth20CallbackAuthorizeEndpointController to redirect the request to the default value 'context.getFullRequestURL()' because the actual service URL was not previously stored by the SavedRequestHandler. Since context.getFullRequestURL() returns '/oauth2.0/callbackAuthorize' with the current Service Ticket as URL parameter, the redirect results in an InvalidTicketException because the Service Ticket was already consumed by the previous request. In CAS 6.0 bookmarking /cas/login worked for us because the default behavior was a redirect to '/' which is configured to redirect to our service on our side. I understand, that redirecting to '/' may not be generally useful behavior but the current default of 'context.getFullRequestURL()' seems worse, since it immediately fails. Wouldn't the 'cas.view.default-redirect-url' (if set) or 'cas/login' be better defaults?
-- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/dcb9ffeb-2024-4e0d-a824-d5bc8c657ab4n%40apereo.org.
