also running into same issue with cas 7.1.3 after upgrading from cas 6.
I've trimmed down customization (no login webflow, no custom ui, no web
filters) I only have a custom authentication.
Interestingly enough, I had been using firefox, just tried with chrome and
i get a different error (my side probably with stripped down
customization). But at least not getting DecryptionException. Will try
commenting out my tgc encryption/signing keys and let CAS generate new ones
for me.
-psv
On Monday, February 10, 2025 at 10:07:52 AM UTC-6 Wickham, Jeremy wrote:
> I have regenerated the webflow and tgc keys. Users are still reporting the
> same behavior. I have narrowed it down to “mostly” the Firefox browser.
>
>
>
> Next step is to try to go to 7.1.x.
>
>
>
> Thanks for all of the input. If anyone else has other ideas, please let me
> know.
>
>
>
> Thanks,
>
> -Jeremy
>
>
>
> *From:* cas-...@apereo.org <cas-...@apereo.org> *On Behalf Of *Eugene
> Willis
> *Sent:* Wednesday, February 5, 2025 8:05 PM
> *To:* cas-...@apereo.org
> *Subject:* Re: [cas-user] RE: Odd mfa-duo behavior
>
>
>
> May need to update webflo and tgc keys for version 7 cas . Comment the old
> keys out to get the new ones.
>
> Sent from my iPhone
>
>
>
> On Feb 5, 2025, at 7:51 PM, Wickham, Jeremy <jeremy....@msstate.edu>
> wrote:
>
>
>
> I added some more classes into my log4j2.xml file and it is now printing a
> bit more information other than null –
>
>
>
> 2025-02-05 10:55:56,226 TRACE
> [org.apereo.cas.adaptors.duo.web.flow.action.DuoSecurityUniversalPromptValidateLoginAction]
>
> - <Received Duo Security state [REDACTED]>
>
> 2025-02-05 10:55:56,226 WARN
> [org.apereo.cas.adaptors.duo.web.flow.action.DuoSecurityUniversalPromptValidateLoginAction]
>
> - <java.lang.IllegalArgumentException: org.jooq.lambda.UncheckedException:
> org.jose4j.lang.JoseException: A JWS Compact Serialization must have
> exactly 3 parts separated by period ('.') characters>
>
> org.apereo.cas.util.crypto.DecryptionException:
> java.lang.IllegalArgumentException: org.jooq.lambda.UncheckedException:
> org.jose4j.lang.JoseException: A JWS Compact Serialization must have
> exactly 3 parts separated by period ('.') characters
>
> at
> org.apereo.cas.util.cipher.BaseBinaryCipherExecutor.decode(BaseBinaryCipherExecutor.java:96)
>
> ~[cas-server-core-util-api-7.0.9.jar:7.0.9]
>
> at
> org.apereo.cas.util.cipher.BaseBinaryCipherExecutor.decode(BaseBinaryCipherExecutor.java:36)
>
> ~[cas-server-core-util-api-7.0.9.jar:7.0.9]
>
> at
> org.apereo.cas.util.serialization.SerializationUtils.decodeAndDeserializeObject(SerializationUtils.java:140)
>
> ~[cas-server-core-util-api-7.0.9.jar:7.0.9]
>
> at
> org.apereo.cas.util.serialization.SerializationUtils.decodeAndDeserializeObject(SerializationUtils.java:156)
>
> ~[cas-server-core-util-api-7.0.9.jar:7.0.9]
>
> at
> org.apereo.cas.pac4j.BrowserWebStorageSessionStore.buildFromTrackableSession(BrowserWebStorageSessionStore.java:68)
>
> ~[cas-server-support-pac4j-api-7.0.9.jar:7.0.9]
>
> at
> org.apereo.cas.adaptors.duo.web.flow.action.DuoSecurityUniversalPromptValidateLoginAction.handleDuoSecurityUniversalPromptResponse(DuoSecurityUniversalPromptValidateLoginAction.java:96)
>
> ~[cas-server-support-duo-core-7.0.9.jar:7.0.9]
>
> at
> org.apereo.cas.adaptors.duo.web.flow.action.DuoSecurityUniversalPromptValidateLoginAction.doExecuteInternal(DuoSecurityUniversalPromptValidateLoginAction.java:72)
>
> ~[cas-server-support-duo-core-7.0.9.jar:7.0.9]
>
>
>
> Would appreciate any insight anyone might have.
>
>
>
> Thanks,
>
> -Jeremy
>
>
>
> *From:* cas-...@apereo.org <cas-...@apereo.org> *On Behalf Of *Wickham,
> Jeremy
> *Sent:* Tuesday, February 4, 2025 5:04 PM
> *To:* cas-...@apereo.org
> *Subject:* [cas-user] Odd mfa-duo behavior
>
>
>
> Here for the past week or so I have had quite a few users receive the MFA
> Unavailable screen after they Duo Authenticate. Duo shows a successful
> authentication, but when it is returned back to CAS, it appears to throw a
> DecryptionException. I cannot recreate this behavior myself, but I do have
> one coworker who can. I have turned on trace on quite a few packages to
> attempt to, I have found the following stacktrace, Any idea how I can
> diagnose this?
>
>
>
> 2025-02-04 15:09:52,977 TRACE
> [org.apereo.cas.adaptors.duo.web.flow.action.DuoSecurityUniversalPromptValidateLoginAction]
>
> - <Received Duo Security state [XXXXXXXXXXXXXXXXXXXXXXXXX]>
>
> 2025-02-04 15:09:52,977 WARN
> [org.apereo.cas.adaptors.duo.web.flow.action.DuoSecurityUniversalPromptValidateLoginAction]
>
> - <DecryptionException>
>
> org.apereo.cas.util.crypto.DecryptionException: null
>
> at
> org.apereo.cas.util.cipher.BaseBinaryCipherExecutor.decode(BaseBinaryCipherExecutor.java:96)
>
> ~[cas-server-core-util-api-7.0.9.jar:7.0.9]
>
> at
> org.apereo.cas.util.cipher.BaseBinaryCipherExecutor.decode(BaseBinaryCipherExecutor.java:36)
>
> ~[cas-server-core-util-api-7.0.9.jar:7.0.9]
>
> at
> org.apereo.cas.util.serialization.SerializationUtils.decodeAndDeserializeObject(SerializationUtils.java:140)
>
> ~[cas-server-core-util-api-7.0.9.jar:7.0.9]
>
> at
> org.apereo.cas.util.serialization.SerializationUtils.decodeAndDeserializeObject(SerializationUtils.java:156)
>
> ~[cas-server-core-util-api-7.0.9.jar:7.0.9]
>
> at
> org.apereo.cas.pac4j.BrowserWebStorageSessionStore.buildFromTrackableSession(BrowserWebStorageSessionStore.java:68)
>
> ~[cas-server-support-pac4j-api-7.0.9.jar:7.0.9]
>
> at
> org.apereo.cas.adaptors.duo.web.flow.action.DuoSecurityUniversalPromptValidateLoginAction.handleDuoSecurityUniversalPromptResponse(DuoSecurityUniversalPromptValidateLoginAction.java:96)
>
> ~[cas-server-support-duo-core-7.0.9.jar:7.0.9]
>
>
>
> Thanks,
>
> -Jeremy
>
>
>
> ________________________
>
> Jeremy Wickham
>
> Mississippi State University
>
> jeremy....@msstate.edu
>
> Webex Personal Room: https://msstate.webex.com/meet/jrw16
>
>
>
> --
> - Website: https://apereo.github.io/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+u...@apereo.org.
> To view this discussion visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/CYYPR01MB83129872901186AC0E8E0E2899F42%40CYYPR01MB8312.prod.exchangelabs.com
>
> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/CYYPR01MB83129872901186AC0E8E0E2899F42%40CYYPR01MB8312.prod.exchangelabs.com?utm_medium=email&utm_source=footer>
> .
>
> --
> - Website: https://apereo.github.io/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+u...@apereo.org.
> To view this discussion visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/CYYPR01MB831236C71C686D9D13257A6B99F72%40CYYPR01MB8312.prod.exchangelabs.com
>
> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/CYYPR01MB831236C71C686D9D13257A6B99F72%40CYYPR01MB8312.prod.exchangelabs.com?utm_medium=email&utm_source=footer>
> .
>
> --
> - Website: https://apereo.github.io/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+u...@apereo.org.
>
> To view this discussion visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/AA9FE9F7-D1CC-4143-AC35-64A74173564A%40gmail.com
>
> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/AA9FE9F7-D1CC-4143-AC35-64A74173564A%40gmail.com?utm_medium=email&utm_source=footer>
> .
>
--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to cas-user+unsubscr...@apereo.org.
To view this discussion visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/ec19f921-24b4-47a9-ae6e-01656394f5acn%40apereo.org.
