Hi, I was using the following configuration with CAS 7.0.5.1:

#################
# OIDC / OAuth2 #
#################
cas.authn.token.crypto.enabled=false
cas.authn.token.crypto.encryption-enabled=false 
cas.authn.oauth.session-replication.cookie.crypto.signing.key=H7-MYjp5M2e9hq_DIhOdR73X1cfTaabRFowiLJI0LhC4Cbb4FVNDFV30yJn0i9q68QWS0y3f1OTfJ9nno_Hjuw
cas.authn.oidc.core.issuer=${cas.server.prefix}/oidc
cas.authn.oidc.core.accepted-issuers-pattern=.* 
cas.authn.oauth.crypto.encryption.key=0ZJCKvFSVO6PUKlzUqWzE5eXDerK_T7G1oSfGHfaAGM
cas.authn.oauth.crypto.signing.key=_d6j3pacsAy_V7WP55RB-H0HtwfSawKav6aV8rUPuRPBDqDhAeJXpqjrtZwqTiUPkNOz2jcb5nLqJJ73ygqROw
cas.authn.oauth.access-token.crypto.encryption.key=8wK97XDbYzeDhSzZgfcFWp3SHW_Lr-h69cGtWYZjJz0
cas.authn.oidc.core.user-defined-scopes.memberof=memberof
cas.authn.oidc.discovery.scopes=openid,profile,email,address,phone,memberof
cas.authn.oidc.discovery.claims=sub,name,email,family_name,given_name,memberof
cas.authn.oidc.id-token.include-id-token-claims=true 
cas.authn.oidc.core.claims-map.email=mail
cas.authn.oidc.core.claims-map.memberof=memberOf
cas.authn.oidc.core.claims-map.name=cn
cas.authn.oidc.core.claims-map.family_name=sn
cas.authn.oidc.core.claims-map.given_name=givenName
cas.authn.oidc.core.claims-map.sub=uidNumber 
cas.authn.oidc.jwks.file-system.jwks-file=file:///etc/cas/config/keystore.jwks  

There was no problem authenticating a service like this Gitea instance:

{
  "@class" : "org.apereo.cas.services.OidcRegisteredService",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "sn", "givenName", "displayName", "mail" ] ]
  },
  "clientId" : "gitea01",
  "clientSecret" : "862E68E1-3973-40AF-BEB0-5A981C901F37",
  "supportedResponseTypes" : [ "java.util.HashSet", [ "code", "id_token" ] ],
  "scopes" : [ "java.util.HashSet", [ "openid", "profile", "email", "memberof" ] ],
  "serviceId" : "https://my_gitea_server/user/oauth2/SSODEV_OIDC/callback(.*)",
  "name" : "gitea01",
  "description" : "GITEA Infra test",
  "evaluationOrder" : 5,
  "allowedToProxy" : false,
  "anonymousAccess" : false,
  "ignoreAttributes" : false,
  "multifactorPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "bypassEnabled" : false,
    "forceExecution" : false
  },
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "ssoEnabled" : true,
    "caseInsensitive" : false
  },
  "id" : 5
}

But with 7.2.3, I cannot get past the login form; it loops on it.

And I have seen this exception in the logs:

2025-06-27 18:27:29,830 WARN [org.apereo.cas.web.support.gen.CookieRetrievingCookieGenerator] - org.apereo.cas.util.crypto.DecryptionException: null
    at org.apereo.cas.util.EncodingUtils.decryptJwtValue(EncodingUtils.java:480) ~[cas-server-core-util-api-7.2.3.jar:7.2.3]
    at org.apereo.cas.util.cipher.BaseStringCipherExecutor.verifyAndDecrypt(BaseStringCipherExecutor.java:283) ~[cas-server-core-util-api-7.2.3.jar:7.2.3]
    at org.apereo.cas.util.cipher.BaseStringCipherExecutor.decode(BaseStringCipherExecutor.java:129) ~[cas-server-core-util-api-7.2.3.jar:7.2.3]
    at org.apereo.cas.util.cipher.BaseStringCipherExecutor.decode(BaseStringCipherExecutor.java:123) ~[cas-server-core-util-api-7.2.3.jar:7.2.3]
    at org.apereo.cas.util.cipher.BaseStringCipherExecutor.decode(BaseStringCipherExecutor.java:37) ~[cas-server-core-util-api-7.2.3.jar:7.2.3]
    at org.apereo.cas.web.support.mgmr.EncryptedCookieValueManager.obtainCookieValue(EncryptedCookieValueManager.java:52) ~[cas-server-core-cookie-api-7.2.3.jar:7.2.3]
    at org.apereo.cas.web.cookie.CookieValueManager.obtainCookieValue(CookieValueManager.java:42) ~[cas-server-core-api-cookie-7.2.3.jar:7.2.3]
    at org.apereo.cas.web.support.gen.CookieRetrievingCookieGenerator.lambda$retrieveCookieValue$0(CookieRetrievingCookieGenerator.java:150) ~[cas-server-core-cookie-api-7.2.3.jar:7.2.3]
    at java.base/java.util.Optional.map(Optional.java:260) ~[?:?]
    at org.apereo.cas.web.support.gen.CookieRetrievingCookieGenerator.retrieveCookieValue(CookieRetrievingCookieGenerator.java:150) ~[cas-server-core-cookie-api-7.2.3.jar:7.2.3]
    at org.apereo.cas.web.flow.login.VerifyRequiredServiceAction.doExecuteInternal(VerifyRequiredServiceAction.java:47) ~[cas-server-support-actions-core-7.2.3.jar

Is there something I need to configure, maybe a parameter with a new default value I had never set before?

Thanks for any help.

Regards
