Apereo CAS OAuth2: callbackAuthorize switch Location to HTTP


I have setup a CAS server and I have configured a service for my client-application:

{
  "@class" : "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
  "clientId": "*********",
  "clientSecret": "*****************",
  "serviceId" : "^(http|https|imaps)://.*coll.mydomain.org.*",
  "name" : "Angular OAuth2 App",
  "id" : 10000013,
  "supportedGrantTypes": [ "java.util.HashSet", [ "implicit", "refresh_token", "client_credentials" ] ],
  "supportedResponseTypes": [ "java.util.HashSet", [ "token" ] ],
  "bypassApprovalPrompt" : true,
  "jsonFormat" : true,
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  },
  "logoutUrl" : "https://sso.coll.mydomain.org/cas/logout"
}

After the user has submitted the login form with his (correct) credentials, the OAuth2 flow goes on and produces this HTTP request:

GET https://sso.coll.mydomain.org/cas/oauth2.0/callbackAuthorize?client_id=*************&redirect_uri=https://myclientapp.coll.mydomain.org&response_type=token&client_name=CasOAuthClient&ticket=ST-*********************************************

which gets this (wrong) Location response header, in which the protocol has switched from HTTPS to HTTP:

location: http://sso.coll.mydomain.org/cas/oauth2.0/authorize?response_type=token&client_id=*************&redirect_uri=https%3A%2F%2Fmyclientapp.coll.mydomain.org

This is a problem because Chrome (correctly) interrupts the user webflow with this warning:

"The information you are sending aren't protected"

In the cas.properties:

cas.server.name: https://sso.coll.mydomain.org
cas.server.prefix: https://sso.coll.mydomain.org/cas

Can anyone suggest what configuration makes CAS change the protocol in the response Location header?

Any suggestions will be appreciated. Thanks to all.

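Added example, not code from the question or from CAS: a small check that parses a Location header returned by callbackAuthorize and compares it against cas.server.prefix, so the scheme downgrade described above is caught in a test rather than by the browser warning. The observed header is reconstructed from the question with a placeholder client_id; the serviceId pattern is the one from the service definition above.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Values taken from the question (client_id is a constructed placeholder).
CAS_SERVER_PREFIX = "https://sso.coll.mydomain.org/cas"
SERVICE_ID_PATTERN = r"^(http|https|imaps)://.*coll.mydomain.org.*"
OBSERVED_LOCATION = (
    "http://sso.coll.mydomain.org/cas/oauth2.0/authorize"
    "?response_type=token&client_id=CLIENT_ID_PLACEHOLDER"
    "&redirect_uri=https%3A%2F%2Fmyclientapp.coll.mydomain.org"
)


def check_location(location, server_prefix=CAS_SERVER_PREFIX):
    """Return a list of findings for a Location header emitted by CAS.

    An empty list means the redirect stays on the configured server prefix
    (same scheme, same host, path under the prefix) and every redirect_uri
    parameter it carries is HTTPS.
    """
    findings = []
    loc = urlsplit(location)
    pre = urlsplit(server_prefix)
    if loc.scheme != pre.scheme:
        findings.append(f"scheme downgrade: expected {pre.scheme}, got {loc.scheme}")
    if loc.netloc != pre.netloc:
        findings.append(f"host mismatch: expected {pre.netloc}, got {loc.netloc}")
    if not loc.path.startswith(pre.path.rstrip("/") + "/"):
        findings.append(f"path {loc.path} is outside prefix {pre.path}")
    for uri in parse_qs(loc.query).get("redirect_uri", []):
        if urlsplit(uri).scheme != "https":
            findings.append(f"redirect_uri is not https: {uri}")
    return findings


def service_id_allows_plain_http(pattern=SERVICE_ID_PATTERN):
    """True when the registered serviceId regex would accept an http:// redirect_uri."""
    return re.match(pattern, "http://app.coll.mydomain.org/") is not None


if __name__ == "__main__":
    for finding in check_location(OBSERVED_LOCATION):
        print("FINDING:", finding)
    print("serviceId accepts plain http:", service_id_allows_plain_http())
```

Running it against the header from the question reports only the scheme downgrade; it also shows that the serviceId pattern as written accepts plain-http redirect URIs, which is worth tightening independently of the restart fix.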

There is 1 answer

Answer by piccarsa:

Ok guys, a simple CAS restart resolved the issue. But the reason remains a mystery.