There should be more to that error.  Send the start of the trace.  There was an 
issue involving crypto keys from 7.0 to 7.1/7.2.
________________________________
From: spfma.tech via CAS Community <cas-user@apereo.org>
Sent: Friday, June 27, 2025 12:34 PM
To: cas-user@apereo.org <cas-user@apereo.org>
Subject: [cas-user] [7.2.3] OIDC problems

Hi,
I was using the following configuration with CAS 7.0.5.1:

#################
# OIDC / OAuth2 #
#################
cas.authn.token.crypto.enabled=false
cas.authn.token.crypto.encryption-enabled=false
cas.authn.oauth.session-replication.cookie.crypto.signing.key=H7-MYjp5M2e9hq_DIhOdR73X1cfTaabRFowiLJI0LhC4Cbb4FVNDFV30yJn0i9q68QWS0y3f1OTfJ9nno_Hjuw
cas.authn.oidc.core.issuer=${cas.server.prefix}/oidc
cas.authn.oidc.core.accepted-issuers-pattern=.*
cas.authn.oauth.crypto.encryption.key=0ZJCKvFSVO6PUKlzUqWzE5eXDerK_T7G1oSfGHfaAGM
cas.authn.oauth.crypto.signing.key=_d6j3pacsAy_V7WP55RB-H0HtwfSawKav6aV8rUPuRPBDqDhAeJXpqjrtZwqTiUPkNOz2jcb5nLqJJ73ygqROw
cas.authn.oauth.access-token.crypto.encryption.key=8wK97XDbYzeDhSzZgfcFWp3SHW_Lr-h69cGtWYZjJz0
cas.authn.oidc.core.user-defined-scopes.memberof=memberof
cas.authn.oidc.discovery.scopes=openid,profile,email,address,phone,memberof
cas.authn.oidc.discovery.claims=sub,name,email,family_name,given_name,memberof
cas.authn.oidc.id-token.include-id-token-claims=true
cas.authn.oidc.core.claims-map.email=mail
cas.authn.oidc.core.claims-map.memberof=memberOf
cas.authn.oidc.core.claims-map.name=cn
cas.authn.oidc.core.claims-map.family_name=sn
cas.authn.oidc.core.claims-map.given_name=givenName
cas.authn.oidc.core.claims-map.sub=uidNumber
cas.authn.oidc.jwks.file-system.jwks-file=file:///etc/cas/config/keystore.jwks

There was no problem authenticating a service like this Gitea instance:

{
  "@class" : "org.apereo.cas.services.OidcRegisteredService",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "sn", "givenName", "displayName", "mail" ] ]
  },
  "clientId" : "gitea01",
  "clientSecret" : "862E68E1-3973-40AF-BEB0-5A981C901F37",
  "supportedResponseTypes" : [ "java.util.HashSet", [ "code", "id_token" ] ],
  "scopes" : [ "java.util.HashSet", [ "openid", "profile", "email", "memberof" ] ],
  "serviceId" : "https://my_gitea_server/user/oauth2/SSODEV_OIDC/callback(.*)",
  "name" : "gitea01",
  "description" : "GITEA Infra test",
  "evaluationOrder" : 5,
  "allowedToProxy" : false,
  "anonymousAccess" : false,
  "ignoreAttributes" : false,
  "multifactorPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "bypassEnabled" : false,
    "forceExecution" : false
  },
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "ssoEnabled" : true,
    "caseInsensitive" : false
  },
  "id" : 5
}

But with 7.2.3, I cannot get past the login form; it loops on it.

And I have seen this exception in the logs:

2025-06-27 18:27:29,830 WARN [org.apereo.cas.web.support.gen.CookieRetrievingCookieGenerator] - <DecryptionException>
org.apereo.cas.util.crypto.DecryptionException: null
at org.apereo.cas.util.EncodingUtils.decryptJwtValue(EncodingUtils.java:480) ~[cas-server-core-util-api-7.2.3.jar:7.2.3]
at org.apereo.cas.util.cipher.BaseStringCipherExecutor.verifyAndDecrypt(BaseStringCipherExecutor.java:283) ~[cas-server-core-util-api-7.2.3.jar:7.2.3]
at org.apereo.cas.util.cipher.BaseStringCipherExecutor.decode(BaseStringCipherExecutor.java:129) ~[cas-server-core-util-api-7.2.3.jar:7.2.3]
at org.apereo.cas.util.cipher.BaseStringCipherExecutor.decode(BaseStringCipherExecutor.java:123) ~[cas-server-core-util-api-7.2.3.jar:7.2.3]
at org.apereo.cas.util.cipher.BaseStringCipherExecutor.decode(BaseStringCipherExecutor.java:37) ~[cas-server-core-util-api-7.2.3.jar:7.2.3]
at org.apereo.cas.web.support.mgmr.EncryptedCookieValueManager.obtainCookieValue(EncryptedCookieValueManager.java:52) ~[cas-server-core-cookie-api-7.2.3.jar:7.2.3]
at org.apereo.cas.web.cookie.CookieValueManager.obtainCookieValue(CookieValueManager.java:42) ~[cas-server-core-api-cookie-7.2.3.jar:7.2.3]
at org.apereo.cas.web.support.gen.CookieRetrievingCookieGenerator.lambda$retrieveCookieValue$0(CookieRetrievingCookieGenerator.java:150) ~[cas-server-core-cookie-api-7.2.3.jar:7.2.3]
at java.base/java.util.Optional.map(Optional.java:260) ~[?:?]
at org.apereo.cas.web.support.gen.CookieRetrievingCookieGenerator.retrieveCookieValue(CookieRetrievingCookieGenerator.java:150) ~[cas-server-core-cookie-api-7.2.3.jar:7.2.3]
at org.apereo.cas.web.flow.login.VerifyRequiredServiceAction.doExecuteInternal(VerifyRequiredServiceAction.java:47) ~[cas-server-support-actions-core-7.2.3.jar

Is there something I need to configure, maybe a parameter with a new default value I had never set before?

Thanks for any help

Regards


--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org<mailto:cas-user+unsubscr...@apereo.org>.
To view this discussion visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/bfb83d961fe97ff9679fdf9ba883b30d627dee0a%40mail.de<https://groups.google.com/a/apereo.org/d/msgid/cas-user/bfb83d961fe97ff9679fdf9ba883b30d627dee0a%40mail.de?utm_medium=email&utm_source=footer>.
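One defensive check this thread suggests, added here as an example (it is not code from the original poster or from the CAS project): scan a cas.properties file for every `*.crypto.signing.key` / `*.crypto.encryption.key` pair, decode the base64url values and flag keys that are missing, undecodable or of an unexpected size. It assumes the usual CAS defaults of a 512-bit (64-byte) signing key and a 256-bit (32-byte) encryption key, and that a key left unset is auto-generated by CAS at startup, so anything encrypted before a restart, or by another node, can no longer be decrypted and surfaces as a DecryptionException like the one in the trace above. The property lines and keys inside the block are constructed, not the poster's. Run against the configuration quoted above, it would report that the session-replication cookie cipher has a signing key but no encryption key.

```python
import base64
import re

# Matches CAS crypto key properties such as
#   cas.authn.oauth.crypto.signing.key=<base64url>
# The captured prefix identifies the cipher ("cas.authn.oauth" here);
# "...key-size=" lines deliberately do not match.
KEY_RE = re.compile(
    r"^\s*(?P<prefix>[\w.\-]+)\.crypto\.(?P<role>signing|encryption)\.key\s*=\s*(?P<value>\S*)\s*$"
)
B64URL_RE = re.compile(r"^[A-Za-z0-9_\-]*$")

# Assumed defaults: 512-bit HMAC signing key, 256-bit AES encryption key.
# Adjust if a cipher is configured with other ...signing.key-size /
# ...encryption.key-size values.
EXPECTED_BYTES = {"signing": 64, "encryption": 32}


def key_bytes(value: str) -> bytes:
    """Decode a CAS key, which is base64url without '=' padding."""
    if not B64URL_RE.match(value):
        raise ValueError("not base64url")
    padded = value + "=" * (-len(value) % 4)
    return base64.urlsafe_b64decode(padded)  # raises binascii.Error (a ValueError) on bad input


def audit_crypto_keys(properties_text: str, expected=EXPECTED_BYTES):
    """Return (prefix, role, problem) for every crypto key that is missing,
    undecodable or of unexpected length. An empty list means all keys look sane."""
    ciphers: dict[str, dict[str, str]] = {}
    for line in properties_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            ciphers.setdefault(m["prefix"], {})[m["role"]] = m["value"]

    findings = []
    for prefix in sorted(ciphers):
        for role in ("signing", "encryption"):
            value = ciphers[prefix].get(role, "")
            if not value:
                # Assumption: CAS generates a random key at startup when none is
                # configured, so earlier or cross-node ciphertext cannot be decrypted.
                findings.append((prefix, role, "missing: key will be auto-generated at each startup"))
                continue
            try:
                n = len(key_bytes(value))
            except ValueError:
                findings.append((prefix, role, "invalid base64url"))
                continue
            if n != expected[role]:
                findings.append((prefix, role, f"length {n} bytes, expected {expected[role]}"))
    return findings


# Constructed sample keys of the right sizes (deterministic, not real secrets).
SIG_OK = base64.urlsafe_b64encode(bytes(range(64))).decode().rstrip("=")
ENC_OK = base64.urlsafe_b64encode(bytes(range(32))).decode().rstrip("=")

# Constructed cas.properties excerpt mirroring the shape of the quoted config:
# one cipher fully configured, one with only a signing key, one with a short key.
SAMPLE_PROPERTIES = f"""
cas.authn.token.crypto.enabled=false
cas.authn.oauth.session-replication.cookie.crypto.signing.key={SIG_OK}
cas.authn.oauth.crypto.encryption.key={ENC_OK}
cas.authn.oauth.crypto.signing.key={SIG_OK}
cas.authn.oauth.access-token.crypto.encryption.key=tooshort
"""

if __name__ == "__main__":
    for prefix, role, problem in audit_crypto_keys(SAMPLE_PROPERTIES):
        print(f"{prefix}.crypto.{role}.key: {problem}")
```

Point the script at a real file with `audit_crypto_keys(open("/etc/cas/config/cas.properties").read())`; a clean result rules out key-size and missing-key mistakes before you look for a behavioural change between releases.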
