It is possible that the default length of keys has changed. Try generating new keys or set the key length. See https://apereo.github.io/cas/7.2.x/authentication/OAuth-Authentication.html

Ray

________________________________
From: spfma.tech via CAS Community <[email protected]>
Sent: June 27, 2025 09:34
To: [email protected] <[email protected]>
Subject: [cas-user] [7.2.3] OIDC problems

Hi,

I was using the following configuration with CAS 7.0.5.1:

#################
# OIDC / OAuth2 #
#################
cas.authn.token.crypto.enabled=false
cas.authn.token.crypto.encryption-enabled=false
cas.authn.oauth.session-replication.cookie.crypto.signing.key=H7-MYjp5M2e9hq_DIhOdR73X1cfTaabRFowiLJI0LhC4Cbb4FVNDFV30yJn0i9q68QWS0y3f1OTfJ9nno_Hjuw
cas.authn.oidc.core.issuer=${cas.server.prefix}/oidc
cas.authn.oidc.core.accepted-issuers-pattern=.*
cas.authn.oauth.crypto.encryption.key=0ZJCKvFSVO6PUKlzUqWzE5eXDerK_T7G1oSfGHfaAGM
cas.authn.oauth.crypto.signing.key=_d6j3pacsAy_V7WP55RB-H0HtwfSawKav6aV8rUPuRPBDqDhAeJXpqjrtZwqTiUPkNOz2jcb5nLqJJ73ygqROw
cas.authn.oauth.access-token.crypto.encryption.key=8wK97XDbYzeDhSzZgfcFWp3SHW_Lr-h69cGtWYZjJz0
cas.authn.oidc.core.user-defined-scopes.memberof=memberof
cas.authn.oidc.discovery.scopes=openid,profile,email,address,phone,memberof
cas.authn.oidc.discovery.claims=sub,name,email,family_name,given_name,memberof
cas.authn.oidc.id-token.include-id-token-claims=true
cas.authn.oidc.core.claims-map.email=mail
cas.authn.oidc.core.claims-map.memberof=memberOf
cas.authn.oidc.core.claims-map.name=cn
cas.authn.oidc.core.claims-map.family_name=sn
cas.authn.oidc.core.claims-map.given_name=givenName
cas.authn.oidc.core.claims-map.sub=uidNumber
cas.authn.oidc.jwks.file-system.jwks-file=file:///etc/cas/config/keystore.jwks

There was no problem authenticating a service like this Gitea instance:

{
  "@class" : "org.apereo.cas.services.OidcRegisteredService",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "sn", "givenName", "displayName", "mail" ] ]
  },
  "clientId" : "gitea01",
  "clientSecret" : "862E68E1-3973-40AF-BEB0-5A981C901F37",
  "supportedResponseTypes" : [ "java.util.HashSet", [ "code", "id_token" ] ],
  "scopes" : [ "java.util.HashSet", [ "openid", "profile", "email", "memberof" ] ],
  "serviceId" : "https://my_gitea_server/user/oauth2/SSODEV_OIDC/callback(.*)",
  "name" : "gitea01",
  "description" : "GITEA Infra test",
  "evaluationOrder" : 5,
  "allowedToProxy" : false,
  "anonymousAccess" : false,
  "ignoreAttributes" : false,
  "multifactorPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "bypassEnabled" : false,
    "forceExecution" : false
  },
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "ssoEnabled" : true,
    "caseInsensitive" : false
  },
  "id" : 5
}

But with 7.2.3, I cannot get past the login form; it loops on it. And I have seen this exception in the logs:

2025-06-27 18:27:29,830 WARN [org.apereo.cas.web.support.gen.CookieRetrievingCookieGenerator] - <DecryptionException>
org.apereo.cas.util.crypto.DecryptionException: null
    at org.apereo.cas.util.EncodingUtils.decryptJwtValue(EncodingUtils.java:480) ~[cas-server-core-util-api-7.2.3.jar:7.2.3]
    at org.apereo.cas.util.cipher.BaseStringCipherExecutor.verifyAndDecrypt(BaseStringCipherExecutor.java:283) ~[cas-server-core-util-api-7.2.3.jar:7.2.3]
    at org.apereo.cas.util.cipher.BaseStringCipherExecutor.decode(BaseStringCipherExecutor.java:129) ~[cas-server-core-util-api-7.2.3.jar:7.2.3]
    at org.apereo.cas.util.cipher.BaseStringCipherExecutor.decode(BaseStringCipherExecutor.java:123) ~[cas-server-core-util-api-7.2.3.jar:7.2.3]
    at org.apereo.cas.util.cipher.BaseStringCipherExecutor.decode(BaseStringCipherExecutor.java:37) ~[cas-server-core-util-api-7.2.3.jar:7.2.3]
    at org.apereo.cas.web.support.mgmr.EncryptedCookieValueManager.obtainCookieValue(EncryptedCookieValueManager.java:52) ~[cas-server-core-cookie-api-7.2.3.jar:7.2.3]
    at org.apereo.cas.web.cookie.CookieValueManager.obtainCookieValue(CookieValueManager.java:42) ~[cas-server-core-api-cookie-7.2.3.jar:7.2.3]
    at org.apereo.cas.web.support.gen.CookieRetrievingCookieGenerator.lambda$retrieveCookieValue$0(CookieRetrievingCookieGenerator.java:150) ~[cas-server-core-cookie-api-7.2.3.jar:7.2.3]
    at java.base/java.util.Optional.map(Optional.java:260) ~[?:?]
    at org.apereo.cas.web.support.gen.CookieRetrievingCookieGenerator.retrieveCookieValue(CookieRetrievingCookieGenerator.java:150) ~[cas-server-core-cookie-api-7.2.3.jar:7.2.3]
    at org.apereo.cas.web.flow.login.VerifyRequiredServiceAction.doExecuteInternal(VerifyRequiredServiceAction.java:47) ~[cas-server-support-actions-core-7.2.3.jar

Is there something I need to configure, maybe a parameter with a new default value I had never set before?

Thanks for any help

Regards

--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/bfb83d961fe97ff9679fdf9ba883b30d627dee0a%40mail.de.
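Ray's advice is to check the key length and regenerate keys if needed. The following added example (not code from the thread or from the CAS project) decodes every *.crypto.*.key value in a cas.properties snippet, reports its size in bits, lists the keys that do not match the expected size, and mints replacements. The expected sizes (256-bit encryption keys, 512-bit signing keys) are assumptions for the example, taken from what the keys in the thread decode to; confirm them against the CAS documentation for the version you run. The sample properties are constructed, not the poster's real keys.

```python
"""Audit the byte length of base64url-encoded CAS crypto keys in a cas.properties
snippet and mint replacement keys of a chosen size."""
import base64
import re
import secrets

# Assumed expected sizes for this example (what the keys in the thread decode to):
# 256-bit *.crypto.encryption.key, 512-bit *.crypto.signing.key. Confirm them
# against the CAS documentation for the version you run.
EXPECTED_BITS = {"encryption": 256, "signing": 512}

# Matches lines such as cas.authn.oauth.crypto.signing.key=<base64url>
KEY_LINE = re.compile(
    r"^\s*(?P<prop>[\w.\-]+\.crypto\.(?P<kind>encryption|signing)\.key)\s*=\s*(?P<val>\S+)\s*$",
    re.MULTILINE)

def b64url_encode(raw: bytes) -> str:
    """base64url without '=' padding, the form the keys in the thread use."""
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def b64url_decode(value: str) -> bytes:
    """Inverse of b64url_encode; tolerates the missing padding."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))

def audit_keys(properties: str, expected=EXPECTED_BITS) -> dict:
    """Map each *.crypto.*.key property to (actual_bits, expected_bits, ok)."""
    report = {}
    for m in KEY_LINE.finditer(properties):
        actual = len(b64url_decode(m["val"])) * 8
        want = expected[m["kind"]]
        report[m["prop"]] = (actual, want, actual == want)
    return report

def keys_to_regenerate(properties: str, expected=EXPECTED_BITS) -> list:
    """Properties whose key size does not match and so need a fresh key."""
    return sorted(p for p, (_, _, ok) in audit_keys(properties, expected).items() if not ok)

def new_key(bits: int) -> str:
    """Fresh random key of the requested size, ready to paste into cas.properties."""
    return b64url_encode(secrets.token_bytes(bits // 8))

# Constructed sample (not the poster's real keys): two correctly sized keys and
# one 128-bit access-token key that is too short for the assumed 256-bit size.
SAMPLE_PROPERTIES = "\n".join([
    "cas.authn.oauth.crypto.encryption.key=" + b64url_encode(bytes(range(32))),
    "cas.authn.oauth.crypto.signing.key=" + b64url_encode(bytes(range(64))),
    "cas.authn.oauth.access-token.crypto.encryption.key=" + b64url_encode(bytes(range(16))),
    "cas.authn.oidc.core.issuer=https://cas.example.org/cas/oidc"])
```

Run `audit_keys` over your real cas.properties and emit `prop=new_key(EXPECTED_BITS[kind])` for each entry that `keys_to_regenerate` reports; after changing any cookie or token key, existing cookies signed with the old key will fail to decrypt once, which is the same DecryptionException seen above, so expect one re-login.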
