Edit: "serviceId" : "http://localhost:3000(.*)",

On Tuesday, May 16, 2023 at 6:55:04 AM UTC+3:30 Meysam Shirazi wrote:
> Hi,
> I followed the below configuration, and everything worked fine:
>
> CAS Version 6.6.x
>
> cas.properties
>
> cas.authn.oauth.crypto.encryption.key=0ZJCKvFSVO6PUKlzUqWzE5eXDerK_T7G1oSfGHfaAGM
> cas.authn.oauth.crypto.signing.key=_d6j3pacsAy_V7WP55RB-H0HtwfSawKav6aV8rUPuRPBDqDhAeJXpqjrtZwqTiUPkNOz2jcb5nLqJJ73ygqROw
> cas.authn.oauth.access-token.crypto.encryption.key=8wK97XDbYzeDhSzZgfcFWp3SHW_Lr-h69cGtWYZjJz0
> cas.authn.oauth.access-token.crypto.signing.key=pqhKnchYuvHNze33lPJXZaxmaSLSQpKQS9PttqplwblZfgRnufcElzxfL52g8CClOJnp5OKZwxcBzQF69Tw_-Q
> cas.authn.oidc.core.issuer=https://oauth.iritco.ir/cas/oidc
> cas.authn.oidc.jwks.file-system.jwks-file=file:///etc/cas/config/keystore.jwks
>
> Service definition:
>
> {
>   "@class" : "org.apereo.cas.services.OidcRegisteredService",
>   "clientId": "clientid",
>   "clientSecret": "clientSecret",
>   "serviceId" : "http://localhost:3000/(.*)",
>   "name" : "OAuthService",
>   "id" : 100001,
>   "scopes" : [ "java.util.HashSet", [ "profile", "openid" ] ],
>   "idTokenIssuer": "https://oauth.iritco.ir/cas/oidc"
> }
>
> Sample request:
>
> https://oauth.iritco.ir/cas/oidc/authorize?response_type=code&client_id=clientid&scope=openid&redirect_uri=https:%2F%2Flocalhost:3000
>
> I got the same error (Unable to locate authentication profile) when I used OAuthRegisteredService instead of OidcRegisteredService, so it was solely due to using OidcRegisteredService in the service definition.
> I hope it can help you.
>
> On Wednesday, March 16, 2022 at 12:17:45 AM UTC+3:30 [email protected] wrote:
>> Hi,
>>
>> I'm having the same problem with: java.lang.IllegalArgumentException: Unable to locate authentication profile
>>
>> In cas properties:
>>
>> cas.authn.oidc.core.issuer=https://catalin-pc.local/cas/oidc
>>
>> the json service registry (I have only this)
>>
>> {
>>   "@class" : "org.apereo.cas.services.OidcRegisteredService",
>>   "clientId": "client_id",
>>   "clientSecret": "client_secret",
>>   "serviceId" : "^(https?)://.*",
>>   "name" : "Oauth2OIDC",
>>   "id" : 103935657744184,
>>   "evaluationOrder" : 1,
>>   "attributeReleasePolicy" : {
>>     "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
>>   }
>> }
>>
>> The client app/service is using spring boot (2.5.5) / spring security
>>
>> The application.yml (please ignore the formatting of the yml)
>>
>> debug: false
>> spring:
>>   security:
>>     oauth2:
>>       client:
>>         registration:
>>           cas:
>>             client-id: client_id
>>             client-secret: client_secret
>>             authorization-grant-type: authorization_code
>>             client-authentication-method: client_secret_basic
>>             scope: openid, profile
>>           github:
>>             client-id: ........
>>             client-secret: .....
>>         provider:
>>           cas:
>>             issuer-uri: https://catalin-pc.local/cas/oidc
>>
>> Spring security config below (simple as possible)
>>
>> @Configuration
>> @EnableWebSecurity
>> public class WebPortalSecurity extends WebSecurityConfigurerAdapter {
>>
>>     @Autowired
>>     private ClientRegistrationRepository clientRegistrationRepository;
>>
>>     @Override
>>     public void configure(HttpSecurity http) throws Exception {
>>
>>         // I tried here to specify the CAS login page (here I'm getting that the service is not authorized to use CAS)
>>         // http.authorizeRequests(authorizeRequests -> authorizeRequests.anyRequest().authenticated())
>>         //     .oauth2Login(oauth2 -> oauth2.loginPage("https://catalin-pc.local/cas/login?service=https://catalin-pc.local/web-portal"));
>>
>>         // with this code will redirect me to as /oidc/oidcAuthorize?response_type=code and will end up in the profile not found error
>>         // -> debugging into the code I was seeing that this profile is somehow pac4j related??? (I also tried to integrate pac4j when doing the log in, but did not help)
>>         http.authorizeRequests(authorizeRequests -> authorizeRequests.anyRequest().authenticated()).oauth2Login();
>>     }
>> }
>>
>> On CAS side I have a dumb implementation of: AbstractUsernamePasswordAuthenticationHandler
>>
>>     @Override
>>     protected AuthenticationHandlerExecutionResult authenticateUsernamePasswordInternal(UsernamePasswordCredential upc, String s) throws GeneralSecurityException, PreventedException {
>>         final String username = upc.getUsername();
>>         final String password = upc.getPassword();
>>
>>         final HashMap<String, List<Object>> attributes = new HashMap<>();
>>         final ArrayList<Object> value = new ArrayList<>();
>>         // put some dummy attributes here
>>         attributes.put("profile", value);
>>         value.add("oidc profile");
>>
>>         return createHandlerResult(upc, this.principalFactory.createPrincipal(username, attributes));
>>     }
>>
>> The profile will try to be returned like this: (this is pac4j related code).
>>
>>     this.context.getRequestAttribute("pac4jUserProfiles").ifPresent((requestAttribute) -> {
>>         profiles.putAll((Map) requestAttribute);
>>     });
>>
>> here that attribute definitely is not present on my flow, hence ending up in the error...
>>
>> I tried to integrate a pac4j authentication like this: https://apereo.github.io/cas/development/authentication/Pac4j-Authentication.html#overview
>> I'm only interested now in the happy flow, so that with that dumb authenticator, similar with my simplified one that does no checks
>>
>> Things to note:
>>
>> - I tried to minimize things so I removed any pages changes we had or other custom things to keep CAS as close to the overlay template that is being provided
>> - I tried some 6.4.X versions, 6.5.1, and 6.6.0-RC1 (same issue), I wanted to try latest version of 6.3.X but there were some issues with java17 and spring version
>> - From the above app/service spring security configuration, I'm able to do a login with github (the flow seems to be similar, it goes to that authorize, and if I'm not logged in in github, I'm seeing the github login page)
>> - I can authenticate to https://.../cas/login -> with the code provided above, as well I'm seeing those attribute in the principal and I'm seeing the authentication
>> - If I try to authenticate like this: https://.../cas/login?service=https:// then I'm getting Application Not Authorized to Use CAS, even though in the service registry I added a broader pattern to match the service id: ^(https?)://.*
>> - If I try to access directly the app, then I get this:
>>   - .well-known works properly,
>>   - java.lang.IllegalArgumentException: Unable to locate authentication profile at org.apereo.cas.support.oauth.web.endpoints.OAuth20AuthorizeEndpointController.lambda$redirectToCallbackRedirectUrl$0(OAuth20AuthorizeEndpointController.java:170)
>>
>> Any hints on what I might be doing wrong are highly appreciated
>>
>> Thanks,
>> C
>>
>> On Tuesday, January 11, 2022 at 10:57:13 AM UTC+2 Frédéric Lohier wrote:
>>> Hello,
>>>
>>> I haven't had any issue with the .well-known URL in CAS 6.3.x and CAS 6.4.x. Have you set all the other relevant OIDC settings? (claims, scopes, keys, etc. ?).
>>>
>>> -Frederic
>>>
>>> On Tue, Jan 11, 2022 at 9:26 AM Guillaume EGRON <[email protected]> wrote:
>>>> We did not run any tests on the 6.4.x branch since my original post, we chose to stay with 6.3.x
>>>> I've just built a new 6.4.4.2 CAS overlay template but am still facing the issue.
>>>> I took a look back at the OpenID Connect documentation https://apereo.github.io/cas/6.4.x/authentication/OIDC-Authentication.html#configuration, and fixed the property cas.authn.oidc.core.issuer (according to the documentation, there was an unnecessary trailing slash in my previous configuration). The property looks like this now:
>>>>
>>>> cas.authn.oidc.core.issuer=${cas.server.name}/cas/oidc
>>>>
>>>> But, that does not fix the issue
>>>>
>>>> https://localhost:8443/cas/oidc/.well-known still redirects to a 404 error page
>>>>
>>>> On Tuesday, January 11, 2022 at 05:29:21 UTC+1, Vaibhav Narula wrote:
>>>>> We are also seeing the same issue in 6.4.4.2. Were you able to solve this issue?
>>>>>
>>>>> On Wednesday, 25 August 2021 at 03:50:43 UTC-6 Guillaume EGRON wrote:
>>>>>> Hi,
>>>>>> building a cas overlay using cas initializr
>>>>>>
>>>>>> {"version":"6.4.0","bootVersion":"2.5.4","sync":true,"branch":"6.4","type":"cas"}
>>>>>>
>>>>>> Added OIDC support and tested it with the sample client application found in the documentation
>>>>>> https://apereo.github.io/cas/6.4.x/authentication/OIDC-Authentication.html#sample-client-applications
>>>>>>
>>>>>> CAS is deployed inside Apache Tomcat external container.
>>>>>>
>>>>>> Configuration in cas.properties file:
>>>>>> cas.server.name=https://<domain>
>>>>>> cas.server.prefix=${cas.server.name}/cas
>>>>>> cas.authn.oidc.core.issuer=${cas.server.prefix}/oidc/
>>>>>>
>>>>>> https://<domain>/cas/oidc/.well-known redirects to a 404 error page
>>>>>>
>>>>>> Client app redirects to CAS login page successfully, after submitting login and password, CAS redirects to Application Not Authorized to Use CAS.
>>>>>> In the log file, found this message:
>>>>>> [org.apereo.cas.oidc.util.OidcRequestSupport] - <Issuer [https://<domain>/cas/oidc] defined in CAS configuration does not match the request issuer [http://<domain>/cas/oidc/authorize]>
>>>>>>
>>>>>> Note that the request issuer is in http (not https) and has the ending /authorize endpoint
>>>>>>
>>>>>> Fix the cas.properties as follows
>>>>>> cas.authn.oidc.core.issuer=http://<domain>/cas/oidc/authorize
>>>>>>
>>>>>> Restart CAS
>>>>>>
>>>>>> Client app redirects to CAS login page with error
>>>>>> java.lang.IllegalArgumentException: Unable to locate authentication profile
>>>>>>   at org.apereo.cas.support.oauth.web.endpoints.OAuth20AuthorizeEndpointController.lambda$redirectToCallbackRedirectUrl$0(OAuth20AuthorizeEndpointController.java:164)
>>>>>>   at java.base/java.util.Optional.orElseThrow(Optional.java:408)
>>>>>>   at org.apereo.cas.support.oauth.web.endpoints.OAuth20AuthorizeEndpointController.redirectToCallbackRedirectUrl(OAuth20AuthorizeEndpointController.java:164)
>>>>>>   at org.apereo.cas.support.oauth.web.endpoints.OAuth20AuthorizeEndpointController.handleRequest(OAuth20AuthorizeEndpointController.java:87)
>>>>>>   at org.apereo.cas.oidc.web.controllers.authorize.OidcAuthorizeEndpointController.handleRequest(OidcAuthorizeEndpointController.java:49)
>>>>>>
>>>>>> Downgrade CAS to CAS 6.4.0-RC6
>>>>>> Configuration in cas.properties file:
>>>>>> cas.server.name=https://<domain>
>>>>>> cas.server.prefix=${cas.server.name}/cas
>>>>>> cas.authn.oidc.core.issuer=${cas.server.prefix}/oidc/
>>>>>>
>>>>>> https://<domain>/cas/oidc/.well-known redirects to a 404 error page
>>>>>>
>>>>>> Property cas.authn.oidc.core.issuer=${cas.server.prefix}/oidc/ leads to [org.apereo.cas.oidc.util.OidcRequestSupport] - <Issuer [https://<domain>/cas/oidc] defined in CAS configuration does not match the request issuer [http://<domain>/cas/oidc/authorize]>
>>>>>>
>>>>>> Fix the cas.properties as follows
>>>>>> cas.authn.oidc.core.issuer=http://<domain>/cas/oidc/authorize
>>>>>>
>>>>>> Restart CAS
>>>>>>
>>>>>> Client app redirects to CAS login page successfully, after submitting login and password, CAS redirects to Claims authorization page. Submit it
>>>>>> Browser redirects to https://<client_app_domain>:9443/simple-web-app/openid_connect_login?code=OC-x-xxxx&state=zzz&nonce=yy
>>>>>>
>>>>>> and displays "HTTP ERROR 401 Authentication Failed: Unable to obtain Access Token: 404"
>>>>>>
>>>>>> Downgrade CAS to CAS 6.4.0-RC5
>>>>>> Configuration in cas.properties file:
>>>>>> cas.server.name=https://<domain>
>>>>>> cas.server.prefix=${cas.server.name}/cas
>>>>>> cas.authn.oidc.core.issuer=${cas.server.prefix}/oidc/
>>>>>>
>>>>>> https://<domain>/cas/oidc/.well-known redirects successfully
>>>>>>
>>>>>> Client app redirects to CAS login page successfully, after submitting login and password, CAS redirects to Claims authorization page. Submit it
>>>>>> Client app displays ID Token and User Info
>>>>>>
>>>>>> Did I miss some configurations inside cas.properties starting from CAS 6.4.0 RC6?
>>>>>> Or is there a bug here?
>>>>>>
>>>>
>>>> --
>>>> - Website: https://apereo.github.io/cas
>>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>>> - List Guidelines: https://goo.gl/1VRrw7
>>>> - Contributions: https://goo.gl/mh7qDG
>>>> ---
>>>> You received this message because you are subscribed to the Google Groups "CAS Community" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/9b6bb625-0458-4ae3-8a61-4776af2a2a85n%40apereo.org.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/659577cf-3b90-48b3-95fa-cf895a84566an%40apereo.org.
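The two misconfigurations diagnosed across this thread are a configured issuer that does not match the request (http vs https, a trailing slash, or the /authorize suffix) and a serviceId regex that either does not match the client's redirect_uri or, like ^(https?)://.*, matches any host at all. The pre-flight check below is an added example, not code from the thread or from CAS; it runs on constructed sample values, and the rule for deriving the request issuer and the unanchored (Java find()-style) regex search are assumptions, since the page does not state how CAS performs either comparison.

```python
import re
from urllib.parse import urlsplit

# Constructed sample values modelled on the thread; hosts are placeholders, not real deployments.
CONFIGURED_ISSUER = "https://sso.example.test/cas/oidc/"   # trailing slash, as in the first post
AUTHORIZE_URL = "http://sso.example.test/cas/oidc/authorize?response_type=code&client_id=clientid"
SERVICE_ID = "http://localhost:3000/(.*)"                  # serviceId from the May 2023 reply
REDIRECT_URI = "https://localhost:3000"                    # redirect_uri from its sample request


def request_issuer(request_url: str) -> str:
    """Issuer implied by a request to an OIDC endpoint: scheme, host and path with the endpoint
    segment (e.g. /authorize) and any trailing slash dropped. Assumed rule, modelled on the
    issuer-mismatch log line quoted in the thread."""
    parts = urlsplit(request_url)
    path = parts.path.rstrip("/").rsplit("/", 1)[0]
    return f"{parts.scheme}://{parts.netloc}{path}"


def issuer_problems(configured: str, request_url: str) -> list[str]:
    """Explain why cas.authn.oidc.core.issuer would not match an incoming request."""
    problems = []
    if configured.endswith("/"):
        problems.append("configured issuer ends with '/'; drop the trailing slash")
    if configured.rstrip("/").endswith("/authorize"):
        problems.append("configured issuer names the /authorize endpoint; it must stop at /cas/oidc")
    want, got = urlsplit(configured.rstrip("/")), urlsplit(request_issuer(request_url))
    for field in ("scheme", "netloc", "path"):
        if getattr(want, field) != getattr(got, field):
            problems.append(f"{field} mismatch: configured {getattr(want, field)!r}, "
                            f"request {getattr(got, field)!r} (reverse proxy / TLS termination?)")
    return problems


def service_id_problems(service_id: str, redirect_uri: str) -> list[str]:
    """Check that redirect_uri satisfies the serviceId regex and that the regex does not also
    admit an unrelated host (a code-redirect risk). Assumption: the regex is searched
    unanchored, like Java's Matcher.find(), so an unanchored pattern is flagged as well."""
    problems = []
    try:
        pattern = re.compile(service_id)
    except re.error as err:
        return [f"serviceId is not a valid regular expression: {err}"]
    if not pattern.search(redirect_uri):
        problems.append(f"redirect_uri {redirect_uri!r} does not match serviceId {service_id!r}")
    if pattern.search("https://unrelated.example/callback"):
        problems.append("serviceId also matches a URL on an unrelated host; narrow it")
    elif not service_id.startswith("^"):
        problems.append("serviceId is not anchored with ^; anchor it and end it with $")
    return problems
```

Calling issuer_problems(CONFIGURED_ISSUER, AUTHORIZE_URL) on the sample values reports the trailing slash and the http/https scheme mismatch; service_id_problems(SERVICE_ID, REDIRECT_URI) reports that https://localhost:3000 does not match http://localhost:3000/(.*) and that the pattern is unanchored.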
