Strange error on CAS login

[jgribonvald]

Hi I'm having a strange error on CAS login.

When the user is redirected to CAS and that the user need to connect on I'm getting always an error with this log:

greenlight-v2                   | 2020-11-16 15:06:34 +0000 - INFO: [2d398464-f8cb-40b1-8713-79ea94f31cf7] method=GET path=/b/signin format=html controller=SessionsController action=signin status=302 duration=7.44 view=0.00 db=1.09 location=https://my.domain.edu/b/auth/cas host=greenlight 
greenlight-v2                   | 2020-11-16 15:06:34 +0000 - INFO: [674ea324-886f-4b14-a7c7-408d7dccbc1a] (cas) Request phase initiated.
greenlight-v2                   | 2020-11-16 15:06:34 +0000 - INFO: [9f27ac04-42f9-421b-b72f-660411a11767] method=GET path=/b/signin format=html controller=SessionsController action=signin status=302 duration=7.29 view=0.00 db=1.17 location=https://my.domain.edu/b/auth/cas host=greenlight 
greenlight-v2                   | 2020-11-16 15:06:34 +0000 - INFO: [febc8386-a3a7-45d7-b489-1e5cfad4d7b9] (cas) Request phase initiated. 
greenlight-v2                   | 2020-11-16 15:06:39 +0000 - INFO: [c84bcaf0-75e3-4983-a11a-799c8df68342] (cas) Callback phase initiated. 
greenlight-v2                   | 2020-11-16 15:06:39 +0000 - ERROR: [c84bcaf0-75e3-4983-a11a-799c8df68342] (cas) Authentication failure! invalid_ticket: OmniAuth::Strategies::CAS::InvalidCASTicket, Invalid CAS Ticket
greenlight-v2                   | 2020-11-16 15:06:39 +0000 - INFO: [3a80d0e2-ffb6-402f-b9b7-e870fc9bd585] method=GET path=/b/auth/failure format=html controller=SessionsController action=omniauth_fail status=302 duration=6.31 view=0.00 db=1.05 location=https://my.domain.edu/b/ host=greenlight

But if the user try to login again, or simply to log and that he is already logged in on CAS server we don't encounter the problem.

Do you know why we can get a such problem ?

Thanks

[vjt]

Hi @jgribonvald,

• Does this happen only with 2.0 or also with previous versions?
• The error is raised here, so I would put a byebug statement here to understand what part of the returned ticket by the CAS server you're using this gem is not liking
• I would also grab the CAS response and create a new test to fix it :-)

Would you have bandwidth to proceed with that? I don't have much at the moment.

Thank you!

[jgribonvald]

hi @vjt

The response ticket is the same on all case so I don't undertsand why it won't be validated ? When the user is already connected to CAS I don't get any error, but when not, I'm back to the app with an error and the user need to click again on authenticating button and this time it's passing (already connected to CAS is good).
Maybe the problem is with the time to run a Auth request ? as when the user need to fill his login information several seconds can append. That's the only difference that I can thougth !

On my case I'm providing a ticket with CAS3 information format (I've made the change on our customized cas on that way). But if you need I can provide you a test access on our CAS.

Thanks

[jgribonvald]

As a feedback this new version is working well, expect for the problem that I've filled. But In my case it's not a problem as the user should log to the app after they are already logged in CAS.

[jgribonvald]

As a feedback this new version is working well, expect for the problem that I've filled. But In my case it's not a problem as the user should log to the app after they are already logged in CAS.

I've found the problems about the login attenpt that is refused. The problem comes from the encoding or not of the service URL, I don't know why but the service url provided by greenlight at login and when validating tickets is encoded and sometimes not, so when validating the service the service url can defer and so CAS refuse it. I think there should be a paramater that permit to set to encode or not the service URL like other CAS client do.