Not sure if this is the issue, but your cas config should be:

#
# https://apereo.github.io/cas/7.0.x/installation/Configuring-Servlet-Container-Embedded-Tomcat.html
#
server.servlet.context-path=/cas
server.port=8200
server.ssl.enabled=false
server.tomcat.basedir=/tmp/casbase
server.tomcat.remoteip.host-header=X-Forwarded-Host

#
# https://apereo.github.io/cas/7.0.x/installation/Servlet-Container-Embedded-Tomcat-Proxying.html
#
cas.server.tomcat.http-proxy.enabled=true
cas.server.tomcat.http-proxy.secure=true
cas.server.tomcat.http-proxy.scheme=https
cas.server.tomcat.http-proxy.proxy-port=443
cas.server.tomcat.http-proxy.redirect-port=443
cas.server.tomcat.http-proxy.protocol=HTTP/1.1
# not sure if this is valid
# cas.server.tomcat.http-proxy.attributes.proxyName=[removed]

#
# https://apereo.github.io/cas/7.0.x/installation/Servlet-Container-Embedded-Tomcat-AJP.html
#
cas.server.tomcat.ajp.enabled=false

From: 'Matthew Gordon' via CAS Community <cas-user@apereo.org>
Sent: Wednesday, July 31, 2024 9:29 AM
To: CAS Community <cas-user@apereo.org>
Subject: [EXTERNAL SENDER] [cas-user] cas/oidc/.well-known endpoint not working in 7.x

Hello,

I have been working on deploying CAS 7.0.6, with OIDC support:
https://apereo.github.io/cas/development/protocol/OIDC-Protocol.html

With the overlay method and these dependencies:
core-events-configuration,support-ldap,support-git-service-registry,support-gauth,support-saml,support-saml-idp,support-oauth-webflow,support-oidc,support-redis-ticket-registry,support-surrogate-webflow,support-surrogate-authentication-rest,support-interrupt-webflow,support-throttle,support-trusted-mfa-redis

I added support-oauth-webflow even though I did not need it in 6.x, just in case.

Everything appears to build and run correctly with embedded Tomcat, except for OIDC.
I am unable to access: cas/oidc/.well-known or cas/oidc/jwks

I get this when accessing the jwks endpoint:

2024-07-31 07:53:41,251 DEBUG [org.springframework.security.web.FilterChainProxy] - <Securing GET /oidc/jwks>
2024-07-31 07:53:41,252 DEBUG [org.springframework.security.web.FilterChainProxy] - <Secured GET /oidc/jwks>
2024-07-31 07:53:41,252 DEBUG [org.springframework.web.servlet.DispatcherServlet] - <GET "/cas/oidc/jwks", parameters={}>
2024-07-31 07:53:41,252 DEBUG [org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping] - <Mapped to org.apereo.cas.oidc.web.controllers.jwks.OidcJwksEndpointController#handleRequestInternal(HttpServletRequest, HttpServletResponse, String)>
2024-07-31 07:53:41,254 DEBUG [org.springframework.web.servlet.mvc.method.annotation.HttpEntityMethodProcessor] - <Using 'application/json;q=0.8', given [text/html, application/xhtml+xml, image/avif, image/webp, image/png, image/svg+xml, application/xml;q=0.9, */*;q=0.8] and supported [application/json]>
2024-07-31 07:53:41,254 DEBUG [org.springframework.web.servlet.mvc.method.annotation.HttpEntityMethodProcessor] - <Writing [{error=invalid_request, error_description=Invalid issuer}]>
2024-07-31 07:53:41,255 DEBUG [org.springframework.web.servlet.DispatcherServlet] - <Completed 400 BAD_REQUEST>
2024-07-31 07:53:41,255 DEBUG [org.springframework.security.web.authentication.AnonymousAuthenticationFilter] - <Set SecurityContextHolder to anonymous SecurityContext>

and this for .well-known:

2024-07-31 07:54:38,421 DEBUG [org.springframework.security.web.FilterChainProxy] - <Securing GET /oidc/.well-known>
2024-07-31 07:54:38,422 DEBUG [org.springframework.security.web.FilterChainProxy] - <Secured GET /oidc/.well-known>
2024-07-31 07:54:38,422 DEBUG [org.springframework.web.servlet.DispatcherServlet] - <GET "/cas/oidc/.well-known", parameters={}>
2024-07-31 07:54:38,422 DEBUG [org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping] - <Mapped to org.apereo.cas.oidc.web.controllers.discovery.OidcWellKnownEndpointController#getWellKnownDiscoveryConfiguration(HttpServletRequest, HttpServletResponse)>
2024-07-31 07:54:38,424 WARN [org.apereo.cas.oidc.web.controllers.discovery.OidcWellKnownEndpointController] - <Unable to accept request; issuer for endpoint [.well-known] is invalid>
2024-07-31 07:54:38,424 DEBUG [org.springframework.web.servlet.mvc.method.annotation.HttpEntityMethodProcessor] - <Using 'application/json;q=0.8', given [text/html, application/xhtml+xml, image/avif, image/webp, image/png, image/svg+xml, application/xml;q=0.9, */*;q=0.8] and supported [application/json]>
2024-07-31 07:54:38,424 DEBUG [org.springframework.web.servlet.mvc.method.annotation.HttpEntityMethodProcessor] - <Nothing to write: null body>
2024-07-31 07:54:38,425 DEBUG [org.springframework.web.servlet.DispatcherServlet] - <Completed 404 NOT_FOUND>
2024-07-31 07:54:38,425 DEBUG [org.springframework.security.web.authentication.AnonymousAuthenticationFilter] - <Set SecurityContextHolder to anonymous SecurityContext>

I am new to using the embedded Tomcat and noticed I get "Non-secure Connection" warnings on the login page despite having the following config settings:

server.servlet.context-path=/cas
server.port=8200
server.ssl.enabled=false
server.tomcat.basedir=/tmp/casbase
server.tomcat.remoteip.host-header=X-Forwarded-Host
server.tomcat.http-proxy.enabled=true
server.tomcat.http-proxy.secure=true
server.tomcat.http-proxy.scheme=https
server.tomcat.http-proxy.proxy-port=443
server.tomcat.http-proxy.redirect-port=443
server.tomcat.http-proxy.protocol=HTTP/1.1
server.tomcat.http-proxy.attributes.proxyName=[removed]
server.tomcat.ajp.enabled=false

The app is behind a proxy that handles SSL termination. I only mention this in case the issuer doesn't match because it thinks it's HTTP vs. HTTPS.

Any ideas?
Thank you,
Matt

--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/5ba09cb5-eb4e-4c29-bc98-3ce813ae5d4cn%40apereo.org.
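As an added illustration of the failure discussed in this thread (this is a constructed model written for this page, not code from either message and not CAS source): an OIDC provider behind a TLS-terminating proxy first rebuilds the externally visible request URL from the X-Forwarded-* headers (the job Tomcat's RemoteIpValve does when the `server.tomcat.remoteip.*` / `http-proxy` settings above are in effect), then accepts an endpoint request only if that URL sits under the configured issuer. When the forwarded scheme or host is not applied, the rebuilt URL is `http://host:8200/...`, which is exactly the HTTP-vs-HTTPS mismatch Matt suspects, and the comparison fails as "Invalid issuer". The hostname `sso.example.org`, the trusted-proxy range `10.0.0.0/8`, the endpoint paths in the sample discovery documents, and the assumption that the issuer is what `cas.authn.oidc.core.issuer` is set to are all assumptions for the example.

```python
"""Model of issuer validation for an OIDC provider behind a TLS-terminating proxy.

Constructed example, not CAS code. It assumes the provider
(1) rebuilds the external request URL from X-Forwarded-* headers, honouring
    them only when the immediate peer is a trusted proxy, and
(2) accepts an OIDC endpoint request only if that URL equals
    <configured issuer>/<endpoint>; a mismatch is the 'Invalid issuer' case.
"""
import ipaddress
import json
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Assumed deployment values mirroring the thread: the backend listens on 8200
# over plain HTTP and the proxy terminates TLS on 443. Hostname and proxy
# network are assumptions for this example.
CONFIGURED_ISSUER = "https://sso.example.org/cas/oidc"  # assumed value of cas.authn.oidc.core.issuer
TRUSTED_PROXIES = ("10.0.0.0/8",)


def effective_request_url(peer_ip, scheme, host, port, path, headers, trusted_proxies=TRUSTED_PROXIES):
    """Rebuild the URL the browser used (simplified RemoteIpValve behaviour).

    X-Forwarded-* is applied only when peer_ip is inside a trusted proxy
    network, so a client hitting port 8200 directly cannot spoof https or a
    different host to satisfy the issuer check.
    """
    h = {k.lower(): v.split(",")[0].strip() for k, v in headers.items()}
    peer_trusted = any(
        ipaddress.ip_address(peer_ip) in ipaddress.ip_network(net) for net in trusted_proxies
    )
    if peer_trusted:
        if "x-forwarded-proto" in h:
            scheme = h["x-forwarded-proto"].lower()
            port = DEFAULT_PORTS[scheme]  # the proxy's public port (443 for https)
        if "x-forwarded-host" in h:
            host, _, fwd_port = h["x-forwarded-host"].partition(":")
            if fwd_port:
                port = int(fwd_port)
        if "x-forwarded-port" in h:
            port = int(h["x-forwarded-port"])
    netloc = host if port == DEFAULT_PORTS.get(scheme) else f"{host}:{port}"
    return f"{scheme}://{netloc}{path}"


def issuer_matches(configured_issuer, request_url, endpoint):
    """The comparison behind 'Invalid issuer': scheme, host, port and context
    path of the rebuilt request URL must equal the configured issuer exactly."""
    u = urlsplit(request_url)
    return f"{u.scheme}://{u.netloc}{u.path}" == f"{configured_issuer.rstrip('/')}/{endpoint}"


def check_discovery_document(doc_json, configured_issuer):
    """Client-side check of a /.well-known/openid-configuration body: the
    advertised issuer must equal the configured one, and every endpoint must
    be https and live under the issuer. Returns the list of problems found."""
    doc = json.loads(doc_json)
    problems = []
    if doc.get("issuer") != configured_issuer:
        problems.append(f"issuer is {doc.get('issuer')!r}, expected {configured_issuer!r}")
    prefix = configured_issuer.rstrip("/") + "/"
    for key, value in doc.items():
        if not (key.endswith("_endpoint") or key == "jwks_uri"):
            continue
        if urlsplit(value).scheme != "https":
            problems.append(f"{key} is not https: {value}")
        if not value.startswith(prefix):
            problems.append(f"{key} is outside the issuer: {value}")
    return problems


# Constructed discovery documents; endpoint paths are illustrative.
GOOD_DISCOVERY = json.dumps({
    "issuer": CONFIGURED_ISSUER,
    "authorization_endpoint": CONFIGURED_ISSUER + "/oidcAuthorize",
    "token_endpoint": CONFIGURED_ISSUER + "/oidcAccessToken",
    "jwks_uri": CONFIGURED_ISSUER + "/jwks",
})
# What a proxy chain that drops the forwarded scheme/host tends to advertise.
BAD_DISCOVERY = json.dumps({
    "issuer": "http://sso.example.org:8200/cas/oidc",
    "jwks_uri": "http://sso.example.org:8200/cas/oidc/jwks",
})

if __name__ == "__main__":
    path = "/cas/oidc/.well-known"
    cases = {
        "proxy forwards proto+host": ("10.0.0.5", {"X-Forwarded-Proto": "https", "X-Forwarded-Host": "sso.example.org"}),
        "proxy forwards nothing": ("10.0.0.5", {}),
        "direct hit, spoofed header": ("203.0.113.7", {"X-Forwarded-Proto": "https"}),
    }
    for name, (peer, hdrs) in cases.items():
        url = effective_request_url(peer, "http", "sso.example.org", 8200, path, hdrs)
        verdict = "ok" if issuer_matches(CONFIGURED_ISSUER, url, ".well-known") else "Invalid issuer"
        print(f"{name:28s} {url:50s} -> {verdict}")
    print("discovery problems:", check_discovery_document(BAD_DISCOVERY, CONFIGURED_ISSUER))
```

The second case is the thread's symptom: the request reaches the backend as plain HTTP on 8200, so the rebuilt URL never matches an https issuer. The third case is the reason forwarded headers must only be honoured from the proxy itself (in Spring Boot, the `server.tomcat.remoteip.internal-proxies` pattern governs this): otherwise anyone who can reach port 8200 can present a spoofed `X-Forwarded-Proto` and have the server believe the request was secure.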