Hi, Any idea if there's a way to whitelist some IPs for which `cas.view.default-redirect-url` does not apply?
I know this might be a long shot, but it can't hurt to ask. On Friday, January 29, 2021 at 11:59:06 PM UTC+2 Ray Bon wrote: > Yan, > > A partial solution is 'cas.view.default-redirect-url' which can be found > here, > https://apereo.github.io/cas/6.3.x/configuration/Configuration-Properties.html#views. > > Lets you specify where to go when no service param is supplied. > > Ray > > > > On Fri, 2021-01-29 at 13:21 -0800, Yan Zhou wrote: > > Notice: This message was sent from outside the University of Victoria > email system. Please be cautious with links and sensitive information. > > > Hello, > > We noticed an issue on CAS 5.3 with OIDC. I finally realized what maybe > going on, but do not have a solution. > > App uses CAS for authentication via OIDC, App redirects to CAS login page. > When people bookmark the apps, the first opportunity they have is the CAS > login page, the URL usually reads like this: > > https://....../cas/login?service=https://app.com > > Next time, they use the bookmark and go straight to this URL, as oppose to > let App redirect to CAS. This is where the problem comes with OIDC. > > Here is the flow when user type up the App endpoint in browser and let App > redirect: > > GET /cas/oidc/authorize/...... (this is due to the OIDC client in App > side, crucial first step) > GET /cas/login?service=.....cas/oauth2.0/callbackAuthorize/.... > > login page shows up, user bookmarks it, and enter credentials > > POST /cas/login?service=.....cas/oauth2.0/callbackAuthorize/.... > GET /cas5/p3/serviceValidate?ticket= > GET /cas5/oauth2.0/callbackAuthorize?client_id= > GET /cas5/oidc/authorize?client_id= > > After user logout, and close browser, Restart browser, they use the saved > bookmark. Now the flow is showing CAS login page immediately without going > through the first endpoint on /odic/authorize (see above). > > When user login, they are redirected to root /, as oppose to proceed to > /oidc/authorize endpoint, this is due to how pac4j works. it almost like a > stack pushing/popping, and we did not anything to pop, so we default to > root. The root is usually the wrong page, such as the Tomcat welcome page > or the domain root. > > This is fairly consistently seen on IE. > > Does that make sense? I think this could be happening with any > bookmarked CAS login page with service parameter and will be seen in OIDC > client apps. > > Any idea to work around or fix this? > > Thanks, > Yan > > -- > > Ray Bon > Programmer Analyst > Development Services, University Systems > 2507218831 <(250)%20721-8831> | CLE 019 | rb...@uvic.ca > > I respectfully acknowledge that my place of work is located within the > ancestral, traditional and unceded territory of the Songhees, Esquimalt and > WSÁNEĆ Nations. > -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/c784d814-6bd4-4bc5-83f2-53754511be8en%40apereo.org.
