Cas authentication redirect to logout page
-
WHO: uni
WHAT: [UsernamePasswordCredential(username=uni, source=null, customFields={})]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Sat Apr 17 07:52:42 UTC 2021
CLIENT IP ADDRESS: 182.2.x.x
SERVER IP ADDRESS: 185.53.x.x
=============================================================>
2021-04-17 07:52:42,983 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] – <Audit trail record BEGIN
=============================================================
WHO: uni
WHAT: {result=Service Access Granted, principal=SimplePrincipal(id=uni, attributes={}), service=https://db.ecampuz.net/wp-login.php?external=cas, requiredAttributes={}}
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Sat Apr 17 07:52:42 UTC 2021
CLIENT IP ADDRESS: 182.2.x.x
SERVER IP ADDRESS: 185.53.x.x
=============================================================>
2021-04-17 07:52:43,023 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] – <Audit trail record BEGIN
=============================================================
WHO: uni
WHAT: {result=Service Access Granted, principal=SimplePrincipal(id=uni, attributes={}), service=https://db.ecampuz.net/wp-login.php?external=cas, requiredAttributes={}}
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Sat Apr 17 07:52:43 UTC 2021
CLIENT IP ADDRESS: 182.2.x.x
SERVER IP ADDRESS: 185.53.x.x
=============================================================>
2021-04-17 07:52:43,055 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] – <Audit trail record BEGIN
=============================================================
WHO: uni
WHAT: TGT-1-*****aUYLzjIcL8-jaran
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Sat Apr 17 07:52:43 UTC 2021
CLIENT IP ADDRESS: 182.2.x.x
SERVER IP ADDRESS: 185.53.x.x
=============================================================>
2021-04-17 07:52:43,076 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] – <Audit trail record BEGIN
=============================================================
WHO: uni
WHAT: {result=Service Access Granted, service=https://db.ecampuz.net/wp-login.php?external=cas, requiredAttributes={}}
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Sat Apr 17 07:52:43 UTC 2021
CLIENT IP ADDRESS: 182.2.x.x
SERVER IP ADDRESS: 185.53.x.x
=============================================================>
2021-04-17 07:52:43,084 INFO [org.apereo.cas.DefaultCentralAuthenticationService] – <Granted service ticket [ST-1-LHl0FsPPQjdVnXrnqEbrcq7v6Ag-jaran] for service [https://db.ecampuz.net/wp-login.php?external=cas] and principal [uni]>
2021-04-17 07:52:43,088 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] – <Audit trail record BEGIN
=============================================================
WHO: uni
WHAT: {service=https://db.ecampuz.net/wp-login.php?external=cas, return=ST-1-LHl0FsPPQjdVnXrnqEbrcq7v6Ag-jaran}
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Sat Apr 17 07:52:43 UTC 2021
CLIENT IP ADDRESS: 182.2.x.x
SERVER IP ADDRESS: 185.53.x.x
=============================================================>
2021-04-17 07:52:44,065 INFO [org.apereo.cas.logout.DefaultLogoutManager] – <Performing logout operations for [TGT-1-*****aUYLzjIcL8-jaran]>
2021-04-17 07:52:44,131 INFO [org.apereo.cas.logout.DefaultLogoutManager] – <[1] logout requests were processed>
2021-04-17 07:52:44,133 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] – <Audit trail record BEGIN
=============================================================
WHO: uni
WHAT: TGT-1-*****aUYLzjIcL8-jaran
ACTION: TICKET_DESTROYED
APPLICATION: CAS
WHEN: Sat Apr 17 07:52:44 UTC 2021
CLIENT IP ADDRESS: 182.2.x.x
SERVER IP ADDRESS: 185.53.x.x
=============================================================I ran into the same issue.
When WordPress redirects you to CAS, it sets the current URL as the service parameter. CAS uses this URL to redirect you back to WordPress. For example when you login you get redirected to:
https://cas.example.com/cas/login?service=your-domain/wp-login.php?external=cas
After authentication, CAS redirects you back to WordPress. However the redirect makes you visit /wp-login.php again, which causes a logout.
I solved it by specifying a redirect URL line to my config in the CAS JSON Service Registry:
{ @class: org.apereo.cas.services.RegexRegisteredService // name, description, etc redirectUrl: http://my-domain.com // note the lack of /wp-login.php here }Thanks for pointing me in the right direction. I’ve managed to find a solution suitable for local development.
First I enabled logging by un-commenting this line:
https://github.com/uhm-coe/authorizer/blob/6a4848030c45a34ad33376c288191d10d6673e0a/src/authorizer/class-authentication.php#L780Reading through the logs reveals that it’s
phpCASrelated. The request here:
https://github.com/apereo/phpCAS/blob/master/source/CAS/Client.php#L3042
fails with(CURL error #60: SSL certificate problem: self signed certificate).My CAS is running on localhost with a self signed certificate.
After exporting my certificate onhttps://localhost:8445/casand appending it towp-includes/certificates/ca-bundle.crt, everything works as expected.For production I’ll use a real certificate ofcourse.
The log:
6751 .START (2021-04-29 11:06:01) phpCAS-1.3.8 ****************** [CAS.php:475] 6751 .=> phpCAS::forceAuthentication() [class-authentication.php:781] 6751 .| => CAS_Client::forceAuthentication() [CAS.php:1120] 6751 .| | => CAS_Client::isAuthenticated() [Client.php:1286] 6751 .| | | => CAS_Client::_wasPreviouslyAuthenticated() [Client.php:1398] 6751 .| | | | no user found [Client.php:1640] 6751 .| | | <= false 6751 .| | | CAS 3.0 ticket ST-2-uF7XJNRgGBP6MkhLK-rlMawmhTY-ubuntu' is present [Client.php:1451] 6751 .| | | => CAS_Client::validateCAS20('', NULL, NULL, false) [Client.php:1454] 6751 .| | | | [Client.php:3216] 6751 .| | | | => CAS_Client::getServerServiceValidateURL() [Client.php:3222] 6751 .| | | | | => CAS_Client::getURL() [Client.php:453] 6751 .| | | | | <= 'http://127.0.0.1:8080/wordpress/wp-login.php?external=cas' 6751 .| | | | <= 'https://localhost:8445/cas/p3/serviceValidate?service=http%3A%2F%2F127.0.0.1%3A8080%2Fwordpress%2Fwp-login.php%3Fexternal%3Dcas' 6751 .| | | | => CAS_Client::_readURL('https://localhost:8445/cas/p3/serviceValidate?service=http%3A%2F%2F127.0.0.1%3A8080%2Fwordpress%2Fwp-login.php%3Fexternal%3Dcas&ticket=ST-2-uF7XJNRgGBP6MkhLK-rlMawmhTY-ubuntu', NULL, NULL, NULL) [Client.php:3237] 6751 .| | | | | => CAS_Request_CurlRequest::sendRequest() [AbstractRequest.php:242] 6751 .| | | | | | CURL: Set CURLOPT_CAINFO /home/bjz/wordpress-5.7-2/apps/wordpress/htdocs/wp-includes/certificates/ca-bundle.crt [CurlRequest.php:129] 6751 .| | | | | | curl_exec() failed [CurlRequest.php:77] 6751 .| | | | | <= false 6751 .| | | | <= false 6751 .| | | | could not open URL 'https://localhost:8445/cas/p3/serviceValidate?service=http%3A%2F%2F127.0.0.1%3A8080%2Fwordpress%2Fwp-login.php%3Fexternal%3Dcas&ticket=ST-2-uF7XJNRgGBP6MkhLK-rlMawmhTY-ubuntu' to validate (CURL error #60: SSL certificate problem: self signed certificate) [Client.php:3239] 6751 .| | | | => CAS_AuthenticationException::__construct(CAS_Client, 'Ticket not validated', 'https://localhost:8445/cas/p3/serviceValidate?service=http%3A%2F%2F127.0.0.1%3A8080%2Fwordpress%2Fwp-login.php%3Fexternal%3Dcas&ticket=ST-2-uF7XJNRgGBP6MkhLK-rlMawmhTY-ubuntu', true) [Client.php:3243] 6751 .| | | | | => CAS_Client::getURL() [AuthenticationException.php:77] 6751 .| | | | | <= 'http://127.0.0.1:8080/wordpress/wp-login.php?external=cas' 6751 .| | | | | CAS URL: https://localhost:8445/cas/p3/serviceValidate?service=http%3A%2F%2F127.0.0.1%3A8080%2Fwordpress%2Fwp-login.php%3Fexternal%3Dcas&ticket=ST-2-uF7XJNRgGBP6MkhLK-rlMawmhTY-ubuntu [AuthenticationException.php:80] 6751 .| | | | | Authentication failure: Ticket not validated [AuthenticationException.php:81] 6751 .| | | | | Reason: no response from the CAS server [AuthenticationException.php:83] 6751 .| | | | | exit() 6751 .| | | | | - 6751 .| | | | - 6751 .| | | - 6751 .| | - 6751 .| - 6751 .=> phpCAS::logoutWithRedirectService('http://127.0.0.1:8080/wordpress/wp-login.php') [class-authentication.php:790] 6751 .| => CAS_Client::logout(array ( 'service' => 'http://127.0.0.1:8080/wordpress/wp-login.php',)) [CAS.php:1491] 6751 .| | Prepare redirect to : https://localhost:8445/cas/logout?service=http%3A%2F%2F127.0.0.1%3A8080%2Fwordpress%2Fwp-login.php [Client.php:1701] 6751 .| | Destroying session : otkcqgo5e69ok6d0ufor0lmnj5 [Client.php:1703] 6751 .| | Session terminated [Client.php:1707] 6751 .| | exit() 6751 .| | - 6751 .| -
- The topic ‘Cas authentication redirect to logout page’ is closed to new replies.
