Hi.

We are currently trying to migrate all our CAS enabled applications to Keycloak using the `keycloak-protocol-cas` provider. Among those applications we have an instance of MediaWiki. Being a Swedish organisation, many user-created pages contain non-ASCII characters in their title, thus also in the URL. I.e. https://wiki.[org].se/wiki/Övervakning. If this is the first page a user accesses, they will be required to authenticate themselves and get redirected to Keycloak: `https://keycloak.[org].se/realms/[realm]/protocol/cas/login?service=https%3a%2f%2fwiki.[org].se%2fwiki%2f%C3%96vervakning`

The wiki handles authentication in Apache HTTPD using `mod_auth_cas` (snippet with relevant VHost configuration):

```
CASLoginURL https://keycloak.[org].se/realms/[realm]/protocol/cas/login
AuthType CAS
AuthName "CAS"
CASScope /
Require valid-user
CASValidateSAML On
CASValidateURL https://keycloak.[org].se/realms/[realm]/protocol/cas/samlValidate
```

After successful authentication the user is redirected back to the wiki-application where `mod_auth_cas` fails to validate the CAS-ticket. The following validation request gives HTTP Status 400 - Bad Request: `https://keycloak.[org].se/realms/[realm]/protocol/cas/samlValidate?TARGET=https%3a%2f%2fwiki.[org].se%2fwiki%2f\xc3\x96vervakning`

Keycloak logs:

```
[org.keycloak.protocol.cas.endpoints.SamlValidateEndpoint] (executor-thread-93) Invalid SAML1.1 token Code not valid
```

Other requests to the same endpoint, without `\xXX` UTF-8 encoded characters, validate just fine.

The problem is how `mod_auth_cas` mixes encodings. The character `Ö` in the example above is encoded using `\xXX`-style encoding, whereas the rest of the URL uses `%xx`-style encoding. @jacekkow claims Keycloak, as in `keycloak-protocol-cas`-provider, is correct in returning HTTP Status 400, see: jacekkow/keycloak-protocol-cas#78. I agree with him. `mod_auth_cas` needs to be consistent in using `%xx`-style encoding of URL.
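An added example, not part of the original issue and not `mod_auth_cas` code: a C illustration of encoding the whole service URL with one scheme, so the UTF-8 bytes of `Ö` (0xC3 0x96) come out as `%C3%96`, plus a check that flags a leftover `\xHH` escape like the one in the failing request. The function names `pct_encode` and `has_backslash_hex` and the host `wiki.example.org` are assumptions made for the example; hex digits are emitted in upper case, which RFC 3986 treats as equivalent to the lower-case `%3a%2f` seen above.

```c
#include <ctype.h>
#include <stdio.h>

/* RFC 3986 unreserved characters; every other byte gets percent-encoded. */
static int is_unreserved(unsigned char c)
{
    return (c < 0x80 && isalnum(c)) || c == '-' || c == '.' || c == '_' || c == '~';
}

/* Encode a URL as a query value, byte by byte. Returns length, or -1 if out is too small. */
int pct_encode(const char *in, char *out, size_t outlen)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        if (o + (is_unreserved(*p) ? 1 : 3) >= outlen)
            return -1;
        if (is_unreserved(*p)) {
            out[o++] = (char)*p;
        } else {
            out[o++] = '%';
            out[o++] = hex[*p >> 4];
            out[o++] = hex[*p & 0x0F];
        }
    }
    if (o >= outlen)
        return -1;
    out[o] = '\0';
    return (int)o;
}

/* Returns 1 if s contains a literal \xHH escape, which is not URL encoding. */
int has_backslash_hex(const char *s)
{
    for (; *s; s++)
        if (s[0] == '\\' && s[1] == 'x' &&
            isxdigit((unsigned char)s[2]) && isxdigit((unsigned char)s[3]))
            return 1;
    return 0;
}

int main(void)
{
    char buf[256]; /* constructed sample; example.org stands in for the real host */
    if (pct_encode("https://wiki.example.org/wiki/\xc3\x96" "vervakning", buf, sizeof buf) > 0)
        printf("consistent: %s (flagged=%d)\n", buf, has_backslash_hex(buf));
    printf("mixed: flagged=%d\n", has_backslash_hex("%2fwiki%2f\\xc3\\x96vervakning"));
    return 0;
}
```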