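I am currently using CAS version 6.1. I enabled OIDC and created a service, which also works fine.
The problem I have is that on every login the user is redirected to the approval/consent screen, where he has to allow the service access.
According to the documentation, OidcRegisteredService extends OAuthRegisteredService, and the configuration parameters available for OAuth services also apply to OIDC services.
Therefore I used the parameter "bypassApprovalPrompt": true
Unfortunately, this did not work at all.
On further investigation I found the configuration class org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy, in which I set the "enabled" key to false.
This did not work either.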
2019-05-17 16:38:54,041 TRACE [org.apereo.cas.support.oauth.web.views.OAuth20ConsentApprovalViewResolver] - <Bypassing approval prompt for service [OidcRegisteredService(super=OAuthRegisteredService(super=AbstractRegisteredService(serviceId=^http://(onlineservice2|ncvosproxy2-.+)\.company\.de(:[0-9]+)?(/.*)?, name=Onlineservice, theme=null, informationUrl=null, privacyUrl=null, responseType=null, id=2010, expirationPolicy=DefaultRegisteredServiceExpirationPolicy(deleteWhenExpired=false, notifyWhenDeleted=false, expirationDate=null), proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1, proxyTicketExpirationPolicy=null, serviceTicketExpirationPolicy=null, singleSignOnParticipationPolicy=null, evaluationOrder=0, usernameAttributeProvider=org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider@87297e2, logoutType=BACK_CHANNEL, requiredHandlers=[], environments=[], attributeReleasePolicy=ReturnAllAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null, principalAttributesRepository=DefaultPrincipalAttributesRepository(), consentPolicy=DefaultRegisteredServiceConsentPolicy(enabled=false, excludedAttributes=null, includeOnlyAttributes=null), authorizedToReleaseCredentialPassword=false, authorizedToReleaseProxyGrantingTicket=false, excludeDefaultAttributes=false, authorizedToReleaseAuthenticationAttributes=true, principalIdAttribute=null, order=0)), multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[], failureMode=UNDEFINED, principalAttributeNameTrigger=null, principalAttributeValueToMatch=null, bypassEnabled=false), logo=./images/onlineservice.svg, logoutUrl=null, accessStrategy=DefaultRegisteredServiceAccessStrategy(order=0, enabled=true, ssoEnabled=true, unauthorizedRedirectUrl=null, delegatedAuthenticationPolicy=DefaultRegisteredServiceDelegatedAuthenticationPolicy(allowedProviders=[], permitUndefined=true), requireAllAttributes=true, 
requiredAttributes={}, rejectedAttributes={}, caseInsensitive=false), publicKey=null, properties={}, contacts=[]), clientSecret=xxxxxxxxxxxxxx, clientId=onlineservice, bypassApprovalPrompt=true, generateRefreshToken=false, jwtAccessToken=false, supportedGrantTypes=[], supportedResponseTypes=[]), jwks=null, jwksAuthenticationMethod=client_secret_basic, signIdToken=true, encryptIdToken=true, idTokenEncryptionAlg=null, idTokenSigningAlg=null, idTokenEncryptionEncoding=null, sectorIdentifierUri=null, applicationType=web, subjectType=public, dynamicallyRegistered=false, implicit=false, dynamicRegistrationDateTime=null, scopes=[])]: [null]>
2019-05-17 16:38:54,042 TRACE [org.apereo.cas.support.oauth.web.views.OAuth20ConsentApprovalViewResolver] - <callbackUrl: [https://sso2.company.de:8443/cas/oidc/authorize?response_type=code&scope=openid&client_id=onlineservice&state=Ev9kuSd-M6eB7inyzc8MimIBP9Q&redirect_uri=http%3A%2F%2Fonlineservice2.company.de%2Fsecure%2Fredirect_uri&nonce=H_n_BDMb3scnes75g-qra5pzKvUL-O1zYs_HlnoM8T8]>
My goal is to bypass any consent screen.
Answer 0 (score: 0)
bypassApprovalPrompt should do the job. It seems that later versions of CAS 6.1 have corrected this problem, as described here: https://groups.google.com/a/apereo.org/forum/#!searchin/cas-user/bypassApprovalPrompt%7Csort:date/cas-user/x6MxkLv4bVo/ta7HMEi5BAAJ
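For reference, a service definition combining the two settings discussed above, as an added example that is not part of the original question or answer. The field values are taken from the TRACE output in the question, the client secret is a placeholder, and the comments assume the file is loaded by the CAS JSON service registry, which parses Hjson.

```json
{
  // Added example: values reconstructed from the TRACE log in the question.
  "@class": "org.apereo.cas.services.OidcRegisteredService",
  "serviceId": "^http://(onlineservice2|ncvosproxy2-.+)\\.company\\.de(:[0-9]+)?(/.*)?",
  "name": "Onlineservice",
  "id": 2010,
  "clientId": "onlineservice",
  // Placeholder, not a real secret.
  "clientSecret": "REPLACE_WITH_CLIENT_SECRET",
  // Inherited from OAuthRegisteredService: skip the OAuth/OIDC approval screen.
  "bypassApprovalPrompt": true,
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy",
    // Attribute consent is a separate policy from the approval prompt.
    "consentPolicy": {
      "@class": "org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy",
      "enabled": false
    }
  }
}
```

The TRACE line in the question already shows both bypassApprovalPrompt=true and consentPolicy enabled=false on the loaded service, so a definition like this was being read correctly; per the answer, the prompt is only skipped on a CAS 6.1 build that includes the correction.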