Hi, The behavior is the following: after the callback has been performed, the originally requested URL (generally */oidc/authorize*) is called.
If the originally requested URL cannot be found in the OIDC session, the redirect URI is called instead. I guess this is what happens here. Generally, the OIDC session is held by the DISSESSIONOauthOidcServerSupport cookie. You should check it: is it defined on the right path? does it change during the login process (which should not happen)? ... Thanks. Best regards, Jérôme Le lun. 10 mars 2025 à 22:57, 'John Wagenleitner' via CAS Community < cas-user@apereo.org> a écrit : > We are also experiencing this same problem when moving from CAS v7.0.10 to > v7.1.5. In v7.1.5, after completing the login it goes to > `/oauth2.0/callbackAuthorize` and from there a 302 redirect to the service > (redirect_uri) is made with no query parameters. > > In v7.0.10 where it is working, after `/oauth2.0/callbackAuthorize` > there's an additional redirect to `/oidc/authorize` before the final > redirect back to the service (redirect_uri) which includes the needed query > parameters. > > On Tuesday, February 4, 2025 at 4:44:19 AM UTC-8 Karel Alvarez wrote: > >> Hi, >> I am having the same problem, did you get a solution? >> thanks! >> >> On Monday, November 25, 2024 at 3:12:42 PM UTC+2 Pierre Driutti wrote: >> >>> Hello Ray, >>> >>> I thank you for your reply. As a matter of fact, I also have a GET >>> request done to oidcAuthorize before I authenticate through the POST login >>> request... >>> >>> The issue I described occurs after the login is made, while the grants >>> are checked on the CAS side. All grants are OK, I just don't have any >>> parameter sent together with the redirect_uri... >>> >>> Thanks in advance >>> >>> Best regards, >>> Pierre >>> Le ven. 22 nov. 2024 à 19:28, Ray Bon <rb...@uvic.ca> a écrit : >>> >>>> Pierre, >>>> >>>> The redirect_uri in your POST is double encoded; not sure if this >>>> matters. >>>> >>>> My test client (using pac4j) sends this GET: >>>> >>>> https://local.uvic.ca/cas/oidc/oidcAuthorize?scope=openid+profile+email+eduPersonScope+uvicEduPersonScope&response_type=code&redirect_uri=https%3A%2F%2Fdemocasclientlocal.uvic.ca%2Fdemocasclient%2Fcallback%3Fclient_name%3DOidcClient&state=e4907347ec&code_challenge_method=S256&nonce=ZzgzCKo68-yeB0ZPVSYEBKWCmtnQCJp2Hb0-MAvuElI&client_id=tZzif5NfwfBS9enpN0nqXceBSdcYgxw3fw3w&code_challenge=by0F5GcJkfgLd-BjCo9RavOOrqJYNJ3qFS05hjlgb6s >>>> >>>> My only POST is the login form submission. >>>> >>>> Ray >>>> >>>> >>>> On Fri, 2024-11-22 at 05:13 -0800, Pierre Driutti wrote: >>>> >>>> You don't often get email from pierre...@gmail.com. Learn why this is >>>> important <https://aka.ms/LearnAboutSenderIdentification> >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> Hello, >>>> >>>> >>>> >>>> I am using a test CAS 7.1.1 server running inside docker, using the >>>> below settings: >>>> >>>> >>>> >>>> *info*: >>>> >>>> * description*: CAS Configuration >>>> >>>> >>>> >>>> *cas*: >>>> >>>> *service-registry*: >>>> >>>> * core*: >>>> >>>> * init-from-json*:* true* >>>> >>>> *json*: >>>> >>>> * location*: file:/etc/cas/services >>>> >>>> >>>> >>>> *http-web-request*: >>>> >>>> * cors*: >>>> >>>> * enabled*:* false* >>>> >>>> * server*: >>>> >>>> * name*:*http://cas:cas_port <http://cas:cas_port>* >>>> >>>> * prefix*:*http://cas:cas_port/cas <http://cas:cas_port/cas>* >>>> >>>> * authn*: >>>> >>>> * accept*: >>>> >>>> * enabled*:* false* >>>> >>>> * authentication-attribute-release*: >>>> >>>> * enabled*:* true* >>>> >>>> * attribute-repository*: >>>> >>>> * ldap[0]*: >>>> >>>> * bind-dn*: cn=rouser,dc=atih,dc=sante,dc=fr >>>> >>>> * bind-credential*: ldap_rouser_password >>>> >>>> *base-dn*: ou=agents,dc=atih,dc=sante,dc=fr >>>> >>>> *search-filter*: uid={user} >>>> >>>> * ldap-url*:*ldap://openldap:ldap_port* >>>> >>>> * allow-multiple-entries*:* true* >>>> >>>> *ldap[0]*: >>>> >>>> * bind-dn*: cn=admin,dc=atih,dc=sante,dc=fr >>>> >>>> * bind-credential*: ldap_admin_password >>>> >>>> *base-dn*: ou=agents,dc=atih,dc=sante,dc=fr >>>> >>>> *search-filter*: uid={user} >>>> >>>> * password-encoder*: >>>> >>>> * type*: NONE >>>> >>>> * ldap-url*:*ldap://openldap:ldap_port* >>>> >>>> * use-start-tls*:* false* >>>> >>>> * type*: AUTHENTICATED >>>> >>>> * oauth*: >>>> >>>> * access-token*: >>>> >>>> * crypto*: >>>> >>>> * signing*: >>>> >>>> * key*: 8PdeTwu4j0thSopZgFvg-oa5GR8GBTzzcmiIMo7Vh0EmoVdWK5y >>>> Rw4U7bWyOFdI53CU0exVZQCtQlLwMWaJ_og >>>> >>>> * encryption*: >>>> >>>> * key*: JzJ51l362rOPDZLwhtRY3p0SJUUx5sf8ZEDAKDIkdeY >>>> >>>> * crypto*: >>>> >>>> * signing*: >>>> >>>> * key*: meT8P7qpaN6bH3Bq-MsbMYQEL0iwZirR-XE- >>>> WAJFJHWfFsEOWq57sOfeG5DJXkBIdjd5RfRT3jX6QCOAkrh99g >>>> >>>> * encryption*: >>>> >>>> * key*: R3i5XWWsA9WWFhLkkQFGaOprYeYt8FGTbiTmgQkkmxEv6wbN- >>>> 9YUjiPkM0Gezw_T377ORjM31JG0QNkLwXA8PQ >>>> >>>> * session-replication*: >>>> >>>> * cookie*: >>>> >>>> * crypto*: >>>> >>>> * signing*: >>>> >>>> * key*: 8C59Wtz_K_NKozYZ7G5fBZ83II0MBBI702ZmEqdO >>>> zXIPAI5B1MDUSVmm8w4YYzaBRjsGwG9fZBPWf-JS4yW_QQ >>>> >>>> * encryption*: >>>> >>>> * key*: 50kNxo6EKFQk9KOUAm0UXWhS-52Xtw_ >>>> yWatSRkBT3GVzvS5cCPr3VH9_TmyJu91isRTjc2fjEiAD0idV00CBLQ >>>> >>>> * oidc*: >>>> >>>> * core*: >>>> >>>> * issuer*:*http://cas:cas_port/cas/oidc >>>> <http://cas:cas_port/cas/oidc>* >>>> >>>> * discovery*: >>>> >>>> * grant-types-supported*: >>>> >>>> - authorization_code >>>> >>>> - "urn:ietf:params:oauth:grant-type:uma-ticket" >>>> >>>> - "urn:ietf:params:oauth:grant-type:token-exchange" >>>> >>>> - "urn:ietf:params:oauth:grant-type:device-code" >>>> >>>> - refresh_token >>>> >>>> * token-endpoint-auth-methods-supported*: client_secret_basic >>>> >>>> * introspection-supported-authentication-methods*: >>>> client_secret_basic >>>> >>>> * response-types-supported*: >>>> >>>> - code >>>> >>>> - token >>>> >>>> - id_token >>>> >>>> - id_token token >>>> >>>> - device_code >>>> >>>> * prompt-values-supported*: >>>> >>>> - none >>>> >>>> - login >>>> >>>> - consent >>>> >>>> >>>> >>>> * logout*: >>>> >>>> * followServiceRedirects*:* true* >>>> >>>> * redirectParameter*: service >>>> >>>> * confirmLogout*:* true* >>>> >>>> * slo*: >>>> >>>> * disabled*:* false* >>>> >>>> * monitor*: >>>> >>>> * endpoints*: >>>> >>>> * endpoint*: >>>> >>>> * defaults*: >>>> >>>> * access*: ANONYMOUS >>>> >>>> >>>> >>>> * ticket*: >>>> >>>> * st*: >>>> >>>> * time-to-kill-in-seconds*: PT3600S >>>> >>>> >>>> >>>> *server*: >>>> >>>> * port*: cas_port >>>> >>>> * ssl*: >>>> >>>> *enabled*:* false* >>>> >>>> * keyStore*: file:/etc/cas/thekeystore >>>> >>>> * keyStorePassword*: changeit >>>> >>>> * keyPassword*: changeit >>>> >>>> * servlet*: >>>> >>>> * context-path*: /cas >>>> >>>> # >>>> >>>> *logging*: >>>> >>>> * level*: >>>> >>>> * org.apereo.cas*: DEBUG >>>> >>>> * org.springframework*: INFO >>>> >>>> >>>> >>>> *management*: >>>> >>>> * endpoints*: >>>> >>>> * web*: >>>> >>>> * exposure*: >>>> >>>> * include*: "*" >>>> >>>> * enabled-by-default*:* true* >>>> >>>> * security*: >>>> >>>> *enabled*:* false* >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> I am trying to contact it using OIDC. As such, I’ve defined statically >>>> an OidcRegisteredService as follows: >>>> >>>> >>>> >>>> *{* >>>> >>>> "@class"*:*"org.apereo.cas.services.OidcRegisteredService"*,* >>>> >>>> "serviceId"*:*"^https?://oidc-client-demo.*"*,* >>>> >>>> "name"*:*"OIDC Client Example"*,* >>>> >>>> "id"*:*10*,* >>>> >>>> "evaluationOrder"*:*10*,* >>>> >>>> "clientId"*:*"demo-client"*,* >>>> >>>> "clientSecret"*:*"demo-client-secret"*,* >>>> >>>> "signIdToken"*:**false**,* >>>> >>>> "encryptIdToken"*:**false**,* >>>> >>>> "bypassApprovalPrompt"*:**false**,* >>>> >>>> "supportedGrantTypes"*:**[*"java.util.HashSet"*,**[* >>>> "authorization_code"*]**],* >>>> >>>> "supportedResponseTypes"*:**[*"java.util.HashSet"*,**[*"code"*]**],* >>>> >>>> "supportedPromptValues"*:**[*"java.util.HashSet"*,**[*"consent"*]**],* >>>> >>>> "scopes"*:**[*"java.util.HashSet"*,**[*"openid"*,*"profile"*,*"email" >>>> *,*"address"*,*"phone"*]**],* >>>> >>>> "attributeReleasePolicy"*:**{* >>>> >>>> "@class"*:*"org.apereo.cas.services. >>>> ReturnAllAttributeReleasePolicy" >>>> >>>> *}* >>>> >>>> *}* >>>> >>>> >>>> >>>> However, my oidc client fails to work with it. >>>> >>>> >>>> >>>> When it send an authentication request, I am prompted to enter >>>> credentials in a browser. Then, the following POST request is sent to my >>>> CAS server, >>>> >>>> >>>> >>>> POST /cas/login?service=http%3A%2F%2Fcas%3A8080%2Fcas%2Foauth2.0% >>>> 2FcallbackAuthorize%3Fclient_id%3Ddemo-client%26scope% >>>> 3Dopenid%2520profile%2520email%26redirect_uri% >>>> 3Dhttp%253A%252F%252Foidc-client-demo%252Fanything%252Fcallback%26re, >>>> >>>> >>>> >>>> The authentication is successful, but then I do not see any approval >>>> popup being displayed, nor can I see in network traces that when it reaches >>>> my setup redirect_uri any parameters are provided. >>>> >>>> >>>> [image: image.png] >>>> >>>> >>>> Thus, the process fails at this point… >>>> >>>> >>>> >>>> Would you know if I did something wrong while setting up my CAS server >>>> and service ? >>>> >>>> >>>> >>>> Of course, in the CAS logs, I cannot see any error message during the >>>> process of the request… >>>> >>>> >>>> >>>> Thanks in advance >>>> >>>> >>>> >>>> Best regards, >>>> >>>> >>>> Pierre >>>> >>>> >>>> -- >>>> - Website: https://apereo.github.io/cas >>>> - List Guidelines: https://goo.gl/1VRrw7 >>>> - Contributions: https://goo.gl/mh7qDG >>>> --- >>>> You received this message because you are subscribed to a topic in the >>>> Google Groups "CAS Community" group. >>>> To unsubscribe from this topic, visit >>>> https://groups.google.com/a/apereo.org/d/topic/cas-user/Ra1X88kvSwE/unsubscribe >>>> . >>>> To unsubscribe from this group and all its topics, send an email to >>>> cas-user+u...@apereo.org. >>>> To view this discussion visit >>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/425834a5514597cb3f844783661d967b24a660de.camel%40uvic.ca >>>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/425834a5514597cb3f844783661d967b24a660de.camel%40uvic.ca?utm_medium=email&utm_source=footer> >>>> . >>>> >>> -- > - Website: https://apereo.github.io/cas > - List Guidelines: https://goo.gl/1VRrw7 > - Contributions: https://goo.gl/mh7qDG > --- > You received this message because you are subscribed to the Google Groups > "CAS Community" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to cas-user+unsubscr...@apereo.org. > To view this discussion visit > https://groups.google.com/a/apereo.org/d/msgid/cas-user/819b60ab-636e-4713-8471-2b7e09b46a54n%40apereo.org > <https://groups.google.com/a/apereo.org/d/msgid/cas-user/819b60ab-636e-4713-8471-2b7e09b46a54n%40apereo.org?utm_medium=email&utm_source=footer> > . > -- - Website: https://apereo.github.io/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAP279LzqTiozBKVSeBZ24gkiRfm%3DqLFXpXMYW29k2WN8bKVaSg%40mail.gmail.com.
