I have setup a CAS server and I have configured a service for my client-application:
{
"@class" : "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
"clientId": "*********",
"clientSecret": "*****************",
"serviceId" : "^(http|https|imaps)://.*coll.mydomain.org.*",
"name" : "Angular OAuth2 App",
"id" : 10000013,
"supportedGrantTypes": [ "java.util.HashSet", [ "implicit", "refresh_token", "client_credentials" ] ],
"supportedResponseTypes": [ "java.util.HashSet", [ "token" ] ],
"bypassApprovalPrompt" : true,
"jsonFormat" : true,
"attributeReleasePolicy" : {
"@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
},
"logoutUrl" : "https://sso.coll.mydomain.org/cas/logout"
}
After the user has submitted the login form with is (correct) credentials, the OAuth2 flow goes on and produces this http request
GET https://sso.coll.mydomain.org/cas/oauth2.0/callbackAuthorize?client_id=*************&redirect_uri=https://myclientapp.coll.mydomain.org&response_type=token&client_name=CasOAuthClient&ticket=ST-*********************************************
which gets this (wrong) Location Response Header in which the protocol has switched from HTTPS to HTTP:
location: http://sso.coll.mydomain.org/cas/oauth2.0/authorize?response_type=token&client_id=*************&redirect_uri=https%3A%2F%2Fmyclientapp.coll.mydomain.org
This is a problem because (correctly) interrupts the user-webflow on Chrome with this warning:
"The information you are sending aren't protected"
In the cas.properties:
cas.server.name: https://sso.coll.mydomain.org
cas.server.prefix: https://sso.coll.mydomain.org/cas
Can anyone suggest me what configuration does make CAS to change the protocol in the Response Location Header?
Any suggests will be appreciated. Thanks to all.
Ok guys, a simple CAS restart resolved the issue. But the reason remains a mistery.