Let us try this again. Cas does not need to know about appserver.my.domain; only HAProxy needs this. cas.server.scope=public.my.domain cas.server.name=https://${cas.server.scope} cas.server.prefix=${cas.server.name}/cas cas.authn.oidc.core.issuer=${cas.server.prefix}/oidc
Are you missing this config item (if missing, it should not be related to this problem): cas.authn.oauth.access-token.crypto.signing.key Your title says cas 7 but your log says 6.6. Could there be a library conflict? Ray On Wed, 2024-01-17 at 11:10 +0100, spfma.tech via CAS Community wrote: Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information. Hi, I am trying to setup OIDC module, and I experience some problems. My CAS server (let's name it "appserver.my.domain") is running on port 8080, with HAProxy exposing public URLs (let's name it "public.my.domain"). So after rebuilding the webapp including "org.apereo.cas:cas-server-support-oidc", I have added the following lines to my working "cas.properties" : cas.authn.oauth.crypto.encryption.key=0ZJCKvFSVO6PUKlzUqWzE5eXDerK_T7G1oSfGHfaAGM cas.authn.oauth.crypto.signing.key=_d6j3pacsAy_V7WP55RB-H0HtwfSawKav6aV8rUPuRPBDqDhAeJXpqjrtZwqTiUPkNOz2jcb5nLqJJ73ygqROw cas.authn.oauth.access-token.crypto.encryption.key=8wK97XDbYzeDhSzZgfcFWp3SHW_Lr-h69cGtWYZjJz0 cas.authn.oidc.core.issuer=https://public.my.domain/cas/oidc cas.authn.oidc.core.accepted-issuers-pattern=http:\/\/.* The last line is the only syntax I have found accepting both "https://public.my.domain/cas/oidc"; and "http://appserver.my.domain:8080/cas/oidc"; as valid issuers, otherwise requests are denied. Is it Ok ? Then I have then added a basic servcice : { "@class" : "org.apereo.cas.services.OidcRegisteredService", "scopes" : [ "java.util.HashSet", [ "profile", "openid", "email" ] ], "clientId": "client", "clientSecret": "secret", "serviceId" : "http://localhost:8080/(.*)", "name" : "test", "id" : 2, "idTokenIssuer": "https://public.my.domain/cas/oidc"; } It seems to be working : 2024-01-17 11:04:01,722 DEBUG [org.apereo.cas.services.resource.AbstractResourceBasedServiceRegistry] - <Attempting to read and parse [/etc/cas/services/002_OIDC.json]> 2024-01-17 11:04:01,722 DEBUG [org.apereo.cas.services.resource.AbstractResourceBasedServiceRegistry] - <Attempting to read and parse [/etc/cas/services/002_OIDC.json]> 2024-01-17 11:04:01,722 DEBUG [org.apereo.cas.oidc.services.OidcServiceRegistryListener] - <Scope [openid] is found for service [2]> 2024-01-17 11:04:01,722 DEBUG [org.apereo.cas.oidc.services.OidcServiceRegistryListener] - <Mapped [email] to attribute release policy [OidcEmailScopeAttributeReleasePolicy]> 2024-01-17 11:04:01,722 DEBUG [org.apereo.cas.oidc.services.OidcServiceRegistryListener] - <Mapped [profile] to attribute release policy [OidcProfileScopeAttributeReleasePolicy]> The RP is a Docker image I have found here : https://hub.docker.com/r/leplusorg/openid-connect-provider-debugger When I try to reach the app's main URL (http://localhost:8080/), I am redirected to CAS but I get the follwing exception : "java.lang.IllegalArgumentException: Unable to locate authentication profile" And on server side : 2024-01-17 11:03:48,217 DEBUG [org.springframework.security.web.FilterChainProxy] - <Securing GET /oidc/oidcAuthorize?nonce=cddf2055bdb501ea76a4d95d9a58d2ba&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2F&scope=openid%20email%20profile&client_id=client&state=813b1409ca966667f5f820e6923ff284> 2024-01-17 11:03:48,217 DEBUG [org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping] - <Mapped to org.apereo.cas.oidc.web.controllers.authorize.OidcAuthorizeEndpointController#handleRequest(HttpServletRequest, HttpServletResponse)> 2024-01-17 11:03:48,218 DEBUG [org.springframework.security.web.FilterChainProxy] - <Secured GET /oidc/oidcAuthorize?nonce=cddf2055bdb501ea76a4d95d9a58d2ba&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2F&scope=openid%20email%20profile&client_id=client&state=813b1409ca966667f5f820e6923ff284> 2024-01-17 11:03:48,218 DEBUG [org.springframework.web.servlet.DispatcherServlet] - <GET "/cas/oidc/oidcAuthorize?nonce=cddf2055bdb501ea76a4d95d9a58d2ba&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2F&scope=openid%20email%20profile&client_id=client&state=813b1409ca966667f5f820e6923ff284", parameters={masked}> 2024-01-17 11:03:48,218 DEBUG [org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping] - <Mapped to org.apereo.cas.oidc.web.controllers.authorize.OidcAuthorizeEndpointController#handleRequest(HttpServletRequest, HttpServletResponse)> 2024-01-17 11:03:48,220 DEBUG [org.apereo.cas.web.FlowExecutionExceptionResolver] - <Ignoring the received exception [java.lang.IllegalArgumentException: Unable to locate authentication profile] due to a type mismatch with handler [org.apereo.cas.oidc.web.controllers.authorize.OidcAuthorizeEndpointController#handleRequest(HttpServletRequest, HttpServletResponse)]> 2024-01-17 11:03:48,220 DEBUG [org.apereo.cas.web.FlowExecutionExceptionResolver] - <Ignoring the received exception [java.lang.IllegalArgumentException: Unable to locate authentication profile] due to a type mismatch with handler [org.apereo.cas.oidc.web.controllers.authorize.OidcAuthorizeEndpointController#handleRequest(HttpServletRequest, HttpServletResponse)]> at org.apereo.cas.oidc.web.controllers.authorize.OidcAuthorizeEndpointController.handleRequest(OidcAuthorizeEndpointController.java:58) ~[cas-server-support-oidc-core-api-6.6.10.jar!/:6.6.10] Can someone tell me what this error clearly means ? I had a look at the source code, but found nothing obvious. Is there something wrong or missing with the configuration above ? Thanks for any kind of help Regards ________________________________ FreeMail powered by mail.fr<https://mail.fr> -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/244783efe92186373375108899f1983d6a3c9235.camel%40uvic.ca.
