Thank you Robert, that was the problem!

Thank you,
Matt

On Wednesday, July 31, 2024 at 9:17:00 AM UTC-4 King, Robert wrote:

> Not sure if this is the issue, but your cas config should be:
>
> #
> # https://apereo.github.io/cas/7.0.x/installation/Configuring-Servlet-Container-Embedded-Tomcat.html
> #
> server.servlet.context-path=/cas
> server.port=8200
> server.ssl.enabled=false
> server.tomcat.basedir=/tmp/casbase
> server.tomcat.remoteip.host-header=X-Forwarded-Host
>
> #
> # https://apereo.github.io/cas/7.0.x/installation/Servlet-Container-Embedded-Tomcat-Proxying.html
> #
> cas.server.tomcat.http-proxy.enabled=true
> cas.server.tomcat.http-proxy.secure=true
> cas.server.tomcat.http-proxy.scheme=https
> cas.server.tomcat.http-proxy.proxy-port=443
> cas.server.tomcat.http-proxy.redirect-port=443
> cas.server.tomcat.http-proxy.protocol=HTTP/1.1
> # not sure if this is valid
> # cas.server.tomcat.http-proxy.attributes.proxyName=[removed]
>
> #
> # https://apereo.github.io/cas/7.0.x/installation/Servlet-Container-Embedded-Tomcat-AJP.html
> #
> cas.server.tomcat.ajp.enabled=false
>
> *From:* 'Matthew Gordon' via CAS Community <cas-...@apereo.org> 
> *Sent:* Wednesday, July 31, 2024 9:29 AM
> *To:* CAS Community <cas-...@apereo.org>
> *Subject:* [EXTERNAL SENDER] [cas-user] cas/oidc/.well-known endpoint not working in 7.x
>
> Hello,
>
> I have been working on deploying CAS 7.0.6, with OIDC support:
> https://apereo.github.io/cas/development/protocol/OIDC-Protocol.html
>
> With the overlay method and these dependencies:
> core-events-configuration,support-ldap,support-git-service-registry,support-gauth,support-saml,support-saml-idp,support-oauth-webflow,support-oidc,support-redis-ticket-registry,support-surrogate-webflow,support-surrogate-authentication-rest,support-interrupt-webflow,support-throttle,support-trusted-mfa-redis
>
> I added support-oauth-webflow even though I did not need it in 6.x, just
> in case.
>
> Everything appears to build and run correctly with embedded tomcat, except
> for OIDC.
>
> I am unable to access:
>
> cas/oidc/.well-known
>
> or
>
> cas/oidc/jwks
>
> I get this when accessing the jwks endpoint:
>
> 2024-07-31 07:53:41,251 DEBUG [org.springframework.security.web.FilterChainProxy] - <Securing GET /oidc/jwks>
> 2024-07-31 07:53:41,252 DEBUG [org.springframework.security.web.FilterChainProxy] - <Secured GET /oidc/jwks>
> 2024-07-31 07:53:41,252 DEBUG [org.springframework.web.servlet.DispatcherServlet] - <GET "/cas/oidc/jwks", parameters={}>
> 2024-07-31 07:53:41,252 DEBUG [org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping] - <Mapped to org.apereo.cas.oidc.web.controllers.jwks.OidcJwksEndpointController#handleRequestInternal(HttpServletRequest, HttpServletResponse, String)>
> 2024-07-31 07:53:41,254 DEBUG [org.springframework.web.servlet.mvc.method.annotation.HttpEntityMethodProcessor] - <Using 'application/json;q=0.8', given [text/html, application/xhtml+xml, image/avif, image/webp, image/png, image/svg+xml, application/xml;q=0.9, */*;q=0.8] and supported [application/json]>
> 2024-07-31 07:53:41,254 DEBUG [org.springframework.web.servlet.mvc.method.annotation.HttpEntityMethodProcessor] - <Writing [{error=invalid_request, error_description=Invalid issuer}]>
> 2024-07-31 07:53:41,255 DEBUG [org.springframework.web.servlet.DispatcherServlet] - <Completed 400 BAD_REQUEST>
> 2024-07-31 07:53:41,255 DEBUG [org.springframework.security.web.authentication.AnonymousAuthenticationFilter] - <Set SecurityContextHolder to anonymous SecurityContext>
>
> and this for .well-known
>
> 2024-07-31 07:54:38,421 DEBUG [org.springframework.security.web.FilterChainProxy] - <Securing GET /oidc/.well-known>
> 2024-07-31 07:54:38,422 DEBUG [org.springframework.security.web.FilterChainProxy] - <Secured GET /oidc/.well-known>
> 2024-07-31 07:54:38,422 DEBUG [org.springframework.web.servlet.DispatcherServlet] - <GET "/cas/oidc/.well-known", parameters={}>
> 2024-07-31 07:54:38,422 DEBUG [org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping] - <Mapped to org.apereo.cas.oidc.web.controllers.discovery.OidcWellKnownEndpointController#getWellKnownDiscoveryConfiguration(HttpServletRequest, HttpServletResponse)>
> 2024-07-31 07:54:38,424 WARN [org.apereo.cas.oidc.web.controllers.discovery.OidcWellKnownEndpointController] - <Unable to accept request; issuer for endpoint [.well-known] is invalid>
> 2024-07-31 07:54:38,424 DEBUG [org.springframework.web.servlet.mvc.method.annotation.HttpEntityMethodProcessor] - <Using 'application/json;q=0.8', given [text/html, application/xhtml+xml, image/avif, image/webp, image/png, image/svg+xml, application/xml;q=0.9, */*;q=0.8] and supported [application/json]>
> 2024-07-31 07:54:38,424 DEBUG [org.springframework.web.servlet.mvc.method.annotation.HttpEntityMethodProcessor] - <Nothing to write: null body>
> 2024-07-31 07:54:38,425 DEBUG [org.springframework.web.servlet.DispatcherServlet] - <Completed 404 NOT_FOUND>
> 2024-07-31 07:54:38,425 DEBUG [org.springframework.security.web.authentication.AnonymousAuthenticationFilter] - <Set SecurityContextHolder to anonymous SecurityContext>
>
> I am new to using the embedded tomcat and noticed I get "Non-secure
> Connection" warnings on the login page despite having the following config
> settings:
>
> server.servlet.context-path=/cas
> server.port=8200
> server.ssl.enabled=false
> server.tomcat.basedir=/tmp/casbase
> server.tomcat.remoteip.host-header=X-Forwarded-Host
> server.tomcat.http-proxy.enabled=true
> server.tomcat.http-proxy.secure=true
> server.tomcat.http-proxy.scheme=https
> server.tomcat.http-proxy.proxy-port=443
> server.tomcat.http-proxy.redirect-port=443
> server.tomcat.http-proxy.protocol=HTTP/1.1
> server.tomcat.http-proxy.attributes.proxyName=[removed]
> server.tomcat.ajp.enabled=false
>
> The app is behind a proxy that handles SSL termination. I only mention
> this in case the issuer doesn't match because it thinks it's HTTP vs. HTTPS.
>
> Any ideas?
>
> Thank you,
> Matt
>
> -- 
> - Website: https://apereo.github.io/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> --- 
> You received this message because you are subscribed to the Google Groups 
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to cas-user+u...@apereo.org.
> To view this discussion on the web visit 
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/5ba09cb5-eb4e-4c29-bc98-3ce813ae5d4cn%40apereo.org
>
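The fix confirmed in this thread was a change of key prefix, so a small lint over the properties file can catch the same mistake before deployment. This is an added example, not part of the original messages and not CAS project code; the function names are hypothetical, and it assumes, following the reply above, that CAS applies these settings only when they are written under `cas.server.tomcat.*`.

```python
# Added example, not CAS project code. Assumption (from the reply in this
# thread): CAS applies its embedded-Tomcat proxy and AJP settings only when
# they are written as cas.server.tomcat.*; bare server.tomcat.* is not read.
MISPLACED = ("server.tomcat.http-proxy.", "server.tomcat.ajp.")
CAS_PROXY = "cas.server.tomcat.http-proxy."

# Settings from the original question, copied from the thread.
QUESTION_CONFIG = """\
server.servlet.context-path=/cas
server.port=8200
server.ssl.enabled=false
server.tomcat.basedir=/tmp/casbase
server.tomcat.remoteip.host-header=X-Forwarded-Host
server.tomcat.http-proxy.enabled=true
server.tomcat.http-proxy.secure=true
server.tomcat.http-proxy.scheme=https
server.tomcat.http-proxy.proxy-port=443
server.tomcat.http-proxy.redirect-port=443
server.tomcat.http-proxy.protocol=HTTP/1.1
server.tomcat.http-proxy.attributes.proxyName=[removed]
server.tomcat.ajp.enabled=false
"""

def parse_properties(text):
    """Return {key: (value, line_number)} for simple key=value lines."""
    props = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # blank line or comment
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = (value.strip(), lineno)
    return props

def lint(text):
    """List (line, key, suggested_key) for keys missing the cas. prefix."""
    return [(n, k, "cas." + k) for k, (_, n) in parse_properties(text).items()
            if k.startswith(MISPLACED)]

def apply_suggestions(text):
    """Return the text with every flagged key renamed to cas.<key>."""
    return "\n".join("cas." + l.strip() if l.strip().startswith(MISPLACED)
                     else l for l in text.splitlines())

def effective_proxy(text):
    """Proxy settings CAS would pick up, under the assumption above."""
    return {k[len(CAS_PROXY):]: v
            for k, (v, _) in parse_properties(text).items()
            if k.startswith(CAS_PROXY)}
```

`lint(QUESTION_CONFIG)` flags the eight proxy and AJP keys while leaving Spring Boot's own `server.tomcat.basedir` and `server.tomcat.remoteip.*` alone. The rename also covers `attributes.proxyName`, which the reply left commented out as unverified.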
