*Summarizing the resolution for the benefit of others.*

1. CAS issues several cookies that are marked as "*secure = true*" by default in the Set-Cookie directives from the server.
2. The secure cookies are sent back to the server only when there is an SSL connection.
3. I was trying to run CAS without any SSL. So the server was setting the cookies; however, at the time of the redirect the secure cookie was not being sent. This made the server assume that the cookie didn't exist and redirected back to authentication. This was what was leading to the infinite loop during the CAS OIDC integration [you authenticate and then get back to the login screen again].
4. The issue was resolved when we shifted back to an *HTTPS connection by implementing SSL on the CAS server.*

*Hopefully - this helps someone else.*

On Thursday, 12 November 2020 at 19:27:04 UTC+5:30 Ritesh Tripathi wrote:

>
> Folks
>
> I am new to CAS and am trying to set up CAS as an OIDC provider for other 
> services. 
>
> My limited understanding about CAS OIDC is as follows:
> A. You make a call to required "server/cas/oidc/authorize" - with required 
> parameters. 
> B. The CAS redirects the requests to "server/cas/oauth2.0/callbackAuthorize" 
> end point. 
> C. You get the login page and upon successful authentication a service 
> ticket for "/cas/oauth2.0/callbackAuthorize" is created for 
> "CasOAuthClient".
> D. Once the service ticket has been validated by 
> "/cas/oauth2.0/callbackAuthorize", an access ticket of the format 
> "OC-1-v0ukA6hDx1Wbv1jzyimIQFwL4EeMBPPX" is created for further processing. 
>
> My issue is as follows:
> 1. After the successful service ticket validation for CasOAuthClient, 
> rather than creation of an access ticket, I am being redirected back to the 
> login page. 
>
> The following are the lines where I suspect the issue:
>
> 2020-11-12 11:11:33,632 DEBUG [org.apereo.cas.support.oauth.web.OAuth20CasCallbackUrlResolver] - <Final resolved callback URL is [http://server:8443/cas/oauth2.0/callbackAuthorize?client_id=apache_client&redirect_uri=http%3A%2F%2Fapache.server.com%2Fsecure%2Fredirect_uri&response_type=code]>
> 2020-11-12 11:11:33,632 DEBUG [org.apereo.cas.support.oauth.web.response.OAuth20DefaultCasClientRedirectActionBuilder] - <Final redirect url is [http://server:8443/cas/login?service=http%3A%2F%2Fleo.mytbits.com%3A8443%2Fcas%2Foauth2.0%2FcallbackAuthorize%3Fclient_id%3Dapache_client%26redirect_uri%3Dhttp%253A%252F%252Fapache.server.com%252Fsecure%252Fredirect_uri%26response_type%3Dcode%26client_name%3DCasOAuthClient]>
> 2020-11-12 11:11:33,632 DEBUG [org.apereo.cas.oidc.web.OidcCasClientRedirectActionBuilder] - <Final redirect action is [Optional[#HttpAction# | code: 302 |]]>
> 2020-11-12 11:11:33,872 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
>
> On my local machine, once we have done the service ticket validation, 
> I am getting the lines: 
>
> =============================================================
> WHO: root
> WHAT: ST-1-XsNPfqOVinN5BrMSXNvENcWuD08-DESKTOP-GLUMAQ0 for 
> http://localhost:8443/cas/oauth2.0/callbackAuthorize?client_id=client&redirect_uri=http%3A%2F%2Flocalhost%3A80%2Fsecure%2F.
> ..
> ACTION: SERVICE_TICKET_VALIDATE_SUCCESS
> APPLICATION: CAS
> WHEN: Thu Nov 12 16:30:02 IST 2020
> CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1
> SERVER IP ADDRESS: 0:0:0:0:0:0:0:1
> =============================================================
>
>
> 2020-11-12 16:30:02,509 DEBUG [org.apereo.cas.util.HttpRequestUtils] - <Found provided request parameter [client_id]>
> 2020-11-12 16:30:02,509 DEBUG [org.apereo.cas.util.HttpRequestUtils] - <Found provided request parameter [redirect_uri]>
> 2020-11-12 16:30:02,509 DEBUG [org.apereo.cas.util.HttpRequestUtils] - <Found provided request parameter [response_type]>
> 2020-11-12 16:30:02,509 DEBUG [org.apereo.cas.support.oauth.util.OAuth20Utils] - <Response type: [code]>
> 2020-11-12 16:30:02,510 DEBUG [org.apereo.cas.support.oauth.validator.authorization.OAuth20AuthorizationCodeResponseTypeAuthorizationRequestValidator] - <Locating registered service for client id [client]>
>
> And it proceeds with access token creation. 
>
> I am running the same CAS .war file on the server and on my local machine 
> and making the same GET call to both.
>
> Really perplexed why in one case [on the server, where I'm not running as 
> localhost] I am stuck in an endless loop of authentication. 
>
> Any ideas are welcome, especially from people who have successfully 
> implemented OIDC in CAS.
>
> Thank you in advance. 
>
> Ritesh
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
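Added example, not from this thread or the CAS project: it models the behaviour described in the summary above using Python's standard-library cookie jar as a stand-in for the browser. A fake login response delivers a Set-Cookie header with the Secure attribute, and the jar is then asked which cookies it would attach to the follow-up request to the OAuth callback over http versus https. The cookie name TGC (the CAS ticket-granting cookie), the host cas.example.org:8443 and the ticket value are constructed placeholders.

```python
"""
Why a Secure cookie disappears on a plain-http redirect (constructed example).

The CookieJar plays the browser; _FakeResponse delivers the Set-Cookie header a
CAS login page would send; simulate_callback reports whether the redirect to
callbackAuthorize carries the cookie, which decides between "token issued" and
"back to the login page".
"""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

# Constructed placeholders, not values taken from the thread.
CAS_HOST = "cas.example.org:8443"
LOGIN_PATH = "/cas/login"
CALLBACK_PATH = "/cas/oauth2.0/callbackAuthorize?client_id=client&response_type=code"
TGC_SET_COOKIE = "TGC=TGT-constructed-value; Path=/cas; Secure; HttpOnly"


class _FakeResponse:
    """CookieJar.extract_cookies only needs .info() returning the response headers."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for value in set_cookie_headers:
            self._headers.add_header("Set-Cookie", value)

    def info(self):
        return self._headers


def store_login_cookies(jar, scheme, set_cookie_headers=(TGC_SET_COOKIE,)):
    """The browser receives the login response and stores its cookies.
    Returns {cookie name: secure flag} for what the jar now holds."""
    login_request = Request(f"{scheme}://{CAS_HOST}{LOGIN_PATH}")
    jar.extract_cookies(_FakeResponse(list(set_cookie_headers)), login_request)
    return {cookie.name: cookie.secure for cookie in jar}


def cookie_header_for(jar, url):
    """Cookie header the browser would attach to a request for url, or None.
    DefaultCookiePolicy returns Secure cookies only for https (and wss) requests."""
    request = Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def simulate_callback(jar, scheme):
    """Outcome of the redirect to callbackAuthorize under the given scheme.
    With the TGC present the server can continue and issue the access token;
    without it, the server treats the user as unauthenticated and redirects
    to /cas/login again, which is the loop described in the thread."""
    cookie = cookie_header_for(jar, f"{scheme}://{CAS_HOST}{CALLBACK_PATH}")
    return "access_token_issued" if cookie else "redirect_to_login"


def run_flow(scheme):
    """Login followed by the callback redirect, both under one scheme."""
    jar = CookieJar()
    stored = store_login_cookies(jar, scheme)
    return {
        "stored": stored,
        "cookie_header": cookie_header_for(jar, f"{scheme}://{CAS_HOST}{CALLBACK_PATH}"),
        "outcome": simulate_callback(jar, scheme),
    }


if __name__ == "__main__":
    for scheme in ("http", "https"):
        result = run_flow(scheme)
        print(f"{scheme:5s} stored={result['stored']} "
              f"cookie={result['cookie_header']!r} -> {result['outcome']}")
```

Note that Python's cookie jar stores the Secure cookie even when it arrived over http, so under http the cookie exists client-side but is never sent, matching point 3 of the summary. Current browsers may additionally refuse to store a Secure cookie set by an http response; either way the callback request arrives without the TGC and the server sends the user back to the login page.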