Pierre, The redirect_uri in your POST is double encoded; not sure if this matters.
My test client (using pac4j) sends this GET:

https://local.uvic.ca/cas/oidc/oidcAuthorize?scope=openid+profile+email+eduPersonScope+uvicEduPersonScope&response_type=code&redirect_uri=https%3A%2F%2Fdemocasclientlocal.uvic.ca%2Fdemocasclient%2Fcallback%3Fclient_name%3DOidcClient&state=e4907347ec&code_challenge_method=S256&nonce=ZzgzCKo68-yeB0ZPVSYEBKWCmtnQCJp2Hb0-MAvuElI&client_id=tZzif5NfwfBS9enpN0nqXceBSdcYgxw3fw3w&code_challenge=by0F5GcJkfgLd-BjCo9RavOOrqJYNJ3qFS05hjlgb6s

My only POST is the login form submission.

Ray

On Fri, 2024-11-22 at 05:13 -0800, Pierre Driutti wrote:

Hello,

I am using a test CAS 7.1.1 server running inside docker, using the below settings:

    info:
      description: CAS Configuration

    cas:
      service-registry:
        core:
          init-from-json: true
        json:
          location: file:/etc/cas/services
      http-web-request:
        cors:
          enabled: false
      server:
        name: http://cas:cas_port
        prefix: http://cas:cas_port/cas
      authn:
        accept:
          enabled: false
        authentication-attribute-release:
          enabled: true
        attribute-repository:
          ldap[0]:
            bind-dn: cn=rouser,dc=atih,dc=sante,dc=fr
            bind-credential: ldap_rouser_password
            base-dn: ou=agents,dc=atih,dc=sante,dc=fr
            search-filter: uid={user}
            ldap-url: ldap://openldap:ldap_port
            allow-multiple-entries: true
        ldap[0]:
          bind-dn: cn=admin,dc=atih,dc=sante,dc=fr
          bind-credential: ldap_admin_password
          base-dn: ou=agents,dc=atih,dc=sante,dc=fr
          search-filter: uid={user}
          password-encoder:
            type: NONE
          ldap-url: ldap://openldap:ldap_port
          use-start-tls: false
          type: AUTHENTICATED
        oauth:
          access-token:
            crypto:
              signing:
                key: 8PdeTwu4j0thSopZgFvg-oa5GR8GBTzzcmiIMo7Vh0EmoVdWK5yRw4U7bWyOFdI53CU0exVZQCtQlLwMWaJ_og
              encryption:
                key: JzJ51l362rOPDZLwhtRY3p0SJUUx5sf8ZEDAKDIkdeY
          crypto:
            signing:
              key: meT8P7qpaN6bH3Bq-MsbMYQEL0iwZirR-XE-WAJFJHWfFsEOWq57sOfeG5DJXkBIdjd5RfRT3jX6QCOAkrh99g
            encryption:
              key: R3i5XWWsA9WWFhLkkQFGaOprYeYt8FGTbiTmgQkkmxEv6wbN-9YUjiPkM0Gezw_T377ORjM31JG0QNkLwXA8PQ
          session-replication:
            cookie:
              crypto:
                signing:
                  key: 8C59Wtz_K_NKozYZ7G5fBZ83II0MBBI702ZmEqdOzXIPAI5B1MDUSVmm8w4YYzaBRjsGwG9fZBPWf-JS4yW_QQ
                encryption:
                  key: 50kNxo6EKFQk9KOUAm0UXWhS-52Xtw_yWatSRkBT3GVzvS5cCPr3VH9_TmyJu91isRTjc2fjEiAD0idV00CBLQ
        oidc:
          core:
            issuer: http://cas:cas_port/cas/oidc
          discovery:
            grant-types-supported:
              - authorization_code
              - "urn:ietf:params:oauth:grant-type:uma-ticket"
              - "urn:ietf:params:oauth:grant-type:token-exchange"
              - "urn:ietf:params:oauth:grant-type:device-code"
              - refresh_token
            token-endpoint-auth-methods-supported: client_secret_basic
            introspection-supported-authentication-methods: client_secret_basic
            response-types-supported:
              - code
              - token
              - id_token
              - id_token token
              - device_code
            prompt-values-supported:
              - none
              - login
              - consent
      logout:
        followServiceRedirects: true
        redirectParameter: service
        confirmLogout: true
      slo:
        disabled: false
      monitor:
        endpoints:
          endpoint:
            defaults:
              access: ANONYMOUS
      ticket:
        st:
          time-to-kill-in-seconds: PT3600S

    server:
      port: cas_port
      ssl:
        enabled: false
        keyStore: file:/etc/cas/thekeystore
        keyStorePassword: changeit
        keyPassword: changeit
      servlet:
        context-path: /cas

    #
    logging:
      level:
        org.apereo.cas: DEBUG
        org.springframework: INFO

    management:
      endpoints:
        web:
          exposure:
            include: "*"
        enabled-by-default: true
      security:
        enabled: false

I am trying to contact it using OIDC. As such, I've statically defined an OidcRegisteredService as follows:

    {
      "@class": "org.apereo.cas.services.OidcRegisteredService",
      "serviceId": "^https?://oidc-client-demo.*",
      "name": "OIDC Client Example",
      "id": 10,
      "evaluationOrder": 10,
      "clientId": "demo-client",
      "clientSecret": "demo-client-secret",
      "signIdToken": false,
      "encryptIdToken": false,
      "bypassApprovalPrompt": false,
      "supportedGrantTypes": ["java.util.HashSet", ["authorization_code"]],
      "supportedResponseTypes": ["java.util.HashSet", ["code"]],
      "supportedPromptValues": ["java.util.HashSet", ["consent"]],
      "scopes": ["java.util.HashSet", ["openid", "profile", "email", "address", "phone"]],
      "attributeReleasePolicy": {
        "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
      }
    }

However, my OIDC client fails to work with it. When it sends an authentication request, I am prompted to enter credentials in a browser. Then, the following POST request is sent to my CAS server:

POST /cas/login?service=http%3A%2F%2Fcas%3A8080%2Fcas%2Foauth2.0%2FcallbackAuthorize%3Fclient_id%3Ddemo-client%26scope%3Dopenid%2520profile%2520email%26redirect_uri%3Dhttp%253A%252F%252Foidc-client-demo%252Fanything%252Fcallback%26re

The authentication is successful, but then I do not see any approval popup being displayed, nor can I see in network traces that any parameters are provided when it reaches my configured redirect_uri.

[image.png]

Thus, the process fails at this point… Would you know if I did something wrong while setting up my CAS server and service? Of course, in the CAS logs, I cannot see any error message during the processing of the request…

Thanks in advance

Best regards,
Pierre
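As an added example that belongs to neither message in the thread: a small Python check that unwraps the CAS /login?service=... URL from Pierre's POST into the parameters callbackAuthorize actually receives, counts how many percent-encoding layers a parameter carries (the double encoding Ray points out), and compares redirect_uri, scope and response_type against the OidcRegisteredService definition quoted above. The URLs are constructed from the ones quoted in the thread; the host and port cas:8080 are taken from Pierre's POST line and the registered-service values from his JSON.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Values quoted from the thread (Pierre's OidcRegisteredService definition).
SERVICE_ID_PATTERN = r"^https?://oidc-client-demo.*"
REGISTERED_SCOPES = {"openid", "profile", "email", "address", "phone"}
REGISTERED_RESPONSE_TYPES = {"code"}

# Constructed from the POST line in Pierre's message: CAS /login wraps the OAuth
# callbackAuthorize URL in "service", and that URL carries the encoded OIDC parameters.
PIERRE_LOGIN_URL = (
    "http://cas:8080/cas/login?service=http%3A%2F%2Fcas%3A8080%2Fcas%2Foauth2.0"
    "%2FcallbackAuthorize%3Fclient_id%3Ddemo-client%26scope%3Dopenid%2520profile"
    "%2520email%26redirect_uri%3Dhttp%253A%252F%252Foidc-client-demo%252Fanything"
    "%252Fcallback%26re"
)
# Constructed from the GET line in Ray's message (pac4j client, one encoding layer).
RAY_REDIRECT_URI_RAW = "https%3A%2F%2Fdemocasclientlocal.uvic.ca%2Fdemocasclient%2Fcallback%3Fclient_name%3DOidcClient"

def raw_param(url: str, name: str) -> str:
    """Query parameter exactly as transmitted, without any percent-decoding."""
    return dict(p.partition("=")[::2] for p in urlsplit(url).query.split("&")).get(name, "")

def encoding_depth(value: str) -> int:
    """Number of percent-decoding passes needed before the value stops changing."""
    depth = 0
    while unquote(value) != value:
        value, depth = unquote(value), depth + 1
    return depth

def unwrap_oidc_request(login_url: str) -> dict:
    """Peel /login?service=... and return the parameters CAS sees at callbackAuthorize."""
    service = parse_qs(urlsplit(login_url).query)["service"][0]  # first layer decoded here
    return {k: v[0] for k, v in parse_qs(urlsplit(service).query).items()}  # second layer

def check_request(params: dict) -> list:
    """Compare the unwrapped OIDC parameters against the registered service definition."""
    findings = []
    if not re.match(SERVICE_ID_PATTERN, params.get("redirect_uri", "")):
        findings.append("redirect_uri does not match serviceId")
    unknown = set(params.get("scope", "").split()) - REGISTERED_SCOPES
    if unknown:
        findings.append("unregistered scopes: " + ",".join(sorted(unknown)))
    response_type = params.get("response_type")
    if response_type is not None and response_type not in REGISTERED_RESPONSE_TYPES:
        findings.append("unsupported response_type: " + response_type)
    return findings
```

For Pierre's POST the service value needs two decoding passes (the redirect_uri inside it is encoded once more than the outer URL), while the unwrapped parameters themselves match the registered service, so the check reports no findings.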