CAS 6.1 - 糯米PHP

CAS 6.1

发布于 2020-04-13 10:40:18

I have set up CAS with LDAP/AD and database, which works. Now I want to add Keycloak, but I get an exception, regarding the state.

Caused by: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery

For testing I added Google, but a similar problem occurs.

DEBUG [org.pac4j.oauth.credentials.extractor.OAuth20CredentialsExtractor] - <sessionState: null / stateParameter: Optional[TST-1-v1va-S-4rLb45kax1568WxwP5aX-q2X]>
INFO [org.pac4j.oauth.client.Google2Client] - <Failed to retrieve or validate credentials: State parameter mismatch: session expired or possible threat of cross-site request forgery>

I can see the successful auth with token for both keyloak/google in the logs, which means keycloak/google work in principle. The problem seams to be, that after redirecting back to CAS, the session has already ended. The sessionstore inside the context is empty. Therefore, the state is null and can not be matched to the TST. When I set withState = false in pac4j everything works, but I want to use state for security.

In this question in a pac4j google group, someone had the same problem, because he didn't use the standard port, which I did too. But changing to 80/443 didn't solve it for me. I am running in a tomcat 9 with a selfsigned ssl cert on localhost.

Any other suggestions?

Edit
I am almost certain, the problem comes with the external tomcat. But so far I have not found an working documentation on how to setup the external tomcat correctly. Open for suggestions.

Update
Seams like cas-server-support-oauth-webflow is breaking the pac4j webflow. If I remove this dependency, it works. Don't know if it's a bug or supposed to work that way. Without OAuth-Webflow I don't get access_token for Ldap/database.

Michał Jereczek 2020-02-04 00:38

I had the same problem and managed to handle it with v6.2.0-RC2 version of cas. After adding

cas.authn.pac4j.replicateSessions=false

into my etc/cas/config/cas.properties it fixed problem for me.

From https://github.com/apereo/cas/blob/v6.2.0-RC2/docs/cas-server-documentation/configuration/Configuration-Properties.md#pac4j-delegated-authn:

# cas.authn.pac4j.typedIdUsed=false
# cas.authn.pac4j.principalAttributeId=
# cas.authn.pac4j.name=
# cas.authn.pac4j.order=
# cas.authn.pac4j.lazyInit=true
# cas.authn.pac4j.replicateSessions=true

From https://github.com/apereo/cas/blob/v6.2.0-RC2/api/cas-server-core-api-configuration-model/src/main/java/org/apereo/cas/configuration/model/support/pac4j/Pac4jDelegatedAuthenticationProperties.java#L58:

 /**
 * Indicates whether profiles and other session data,
 * collected as part of pac4j flows and requests
 * that are kept by the container session, should be replicated
 * across the cluster using CAS and its own ticket registry.
 * Without this option, profile data and other related
 * pieces of information should be manually replicated
 * via means and libraries outside of CAS.
 */
 private boolean replicateSessions = true;

Warning - Default value for this property is true and changing to false is not recommented for clusters.

theshadog 2020-02-04 15:20:23

Works, thank you!

Related issues

Keycloak provider does not work when using Kotlin

Spring Security applying HttpSecurity filter before building user principal

Keycloak: Access token client-1 to manage client-2 resources

Keycloak RBAC for nginx reverse proxy

keycloak cluster on AWS (ECS)

Unable to validate the token from Keycloak

How to store external data in keycloak user model after registration

Keycloak behind apache reverse proxy

Why would there be a need for more than 1 realm in Keycloak?

Can't create Role using Keycloak REST API