apereo/cas

Apereo CAS - Single Sign On for All

Palmurugan

@palmuruganchandran

============= OAuth ==================================

cas.authn.oauth.access-token.crypto.encryption.key=92KEd0m4i9q0DjT8BoYRcN3MDjhhM4QSB6qR0elMhdVoKk4_RMW9jterIIVehJmoo5RMp5wbZtwyz7iHOtfFxw
cas.authn.oauth.access-token.crypto.signing.key=ucoR35oNkUPQzCmlmjFsqsdj2JRXrdjZKd58_a7LlFALIOn2ku8wL9ufdvkR9rkF4fG1J9ym_uH6aU53g_MqBQ
cas.authn.oauth.crypto.encryption.key=TSQouPQPwnOcEIbsWJ8ETWujJQy_SnEaOjGJ544UPVRl36fzu6AH0JjsUkHNWADfIUFli5hZ2uqy7uYvvByQTQ
cas.authn.oauth.crypto.signing.key=9yJv_k8A_AuJEjHtWb01GIuWenKPP4hG76mZLy4HL2ojhdEWN0EFlHws2Ms0fCtrqLP9bBc3TSQMOeOqkcilRg

cas.authn.oauth.code.number-of-uses=1
cas.authn.oauth.code.remove-related-access-tokens=false
cas.authn.oauth.code.storage-name=oauthCodesCache
cas.authn.oauth.code.time-to-kill-in-seconds=30

cas.authn.oauth.access-token.crypto.enabled=false
cas.authn.oauth.access-token.crypto.signing-enabled=false
cas.authn.oauth.access-token.crypto.encryption-enabled=false

======================================================

2022-04-28 22:11:58,625 ERROR [org.apereo.cas.support.oauth.web.endpoints.OAuth20AccessTokenEndpointController] - <Access token request is not supported>
java.lang.UnsupportedOperationException: Access token request is not supported
at org.apereo.cas.support.oauth.web.endpoints.OAuth20AccessTokenEndpointController.lambda$verifyAccessTokenRequest$2(OAuth20AccessTokenEndpointController.java:187) ~[cas-server-support-oauth-core-api-6.5.3.jar!/:6.5.3]

2022-04-28 22:11:58,625 ERROR [org.apereo.cas.support.oauth.web.endpoints.OAuth20AccessTokenEndpointController] - <Access token request is not supported> java.lang.UnsupportedOperationException: Access token request is not supported at org.apereo.cas.support.oauth.web.endpoints.OAuth20AccessTokenEndpointController.lambda$verifyAccessTokenRequest$2(OAuth20AccessTokenEndpointController.java:187) ~[cas-server-support-oauth-core-api-6.5.3.jar!/:6.5.3]

Palmurugan

@palmuruganchandran

{
"grant_type": "authorization_code",
"client_id": "clientid",
"client_secret": "clientSecret",
"code": "OC-1-2hshFPar2So9iu91ke504xq69vK-5MzQ",
"redirect_uri": "https://cas-client.com/intermediate"
}

https://cas.example.org:8443/cas/oauth2.0/accessToken

This is the request information

POST call

Robin Dupret

@rdupret_gitlab

Hello everyone,

I'm struggling to set up CAS proxy for an application.

IIUC, the pgtUrl passed is called by the CAS server and should provide the pgtId and pgtIou parameters. The URL is properly called but neither param is passed.

I'm running CAS version 4 and my application is allowed to be a proxy in the CAS management application.

Can anyone help me please ?

1 reply

@jnbdz

Hi all!
I am new to CAS I am having some issues.
I posted a question on Stackoverflow: https://stackoverflow.com/questions/72131500/unable-to-use-default-username-password-and-make-jsonresourcepassword-json-work

I am trying to follow the tutorial of: https://www.baeldung.com/spring-security-cas-sso

But it seems a bit out of date.

Does anyone have a few minutes to help me out?

Thank you!

2 replies

Dhanesh Kumar

@dhanesh238

Hi all

I am using CAS 6.4.6 version. Have noticed that the authentication process is getting called twice because of which it is taking longer time compared to the behaviour in 6.3.x version.

On checking the code, noticed that from DefaultRestAuthenticationService.java, it is calling handleInitialAuthenticationTransaction( ) method twice once directly and other via finalizeAuthenticationTransaction( ).

Can you let us know if it is expected behaviour or an issue?

2 replies

ohinckel

@ohinckel

Hi, we configured some services required MFA when authenticate against these services. While this works for CAS applications, it doesn't work for SAML application. In this case MFA is not triggered when the user authenticates earlier against a non-MFA application. Even when logging in without a service/application (which does not trigger MFA at all) and then logging into a MFA application, MFA is not triggered and user is directly redirected back to the application. We're using CAS 6.3.6 - this this intended behavior?

5 replies

The log shows an authentication or services is required, but not available in the case of SAML applications:

[org.apereo.cas.authentication.mfa.trigger.RegisteredServiceMultifactorAuthenticationTrigger] - No service or authentication is available to determine event for principal

mwbi

@mwbi

Hey, can someone point me to a solution to solve this problem :

2022-05-18 16:30:15,542 ERROR [org.springframework.boot.SpringApplication] - <Application run failed>
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'casWebflowExecutionPlan' defined in class path resource [org/apereo/cas/web/flow/config/CasWebflowContextConfiguration$CasWebflowExecutionConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.apereo.cas.web.flow.CasWebflowExecutionPlan]: Factory method 'casWebflowExecutionPlan' threw exception; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'authenticationThrottlingExecutionPlan' defined in class path resource [org/apereo/cas/config/CasThrottlingConfiguration$CasThrottlingPlanExecutionConfiguration.class]: Unsatisfied dependency expressed through method 'authenticationThrottlingExecutionPlan' parameter 0; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'authenticationThrottlingExecutionPlanConfigurer' defined in class path resource [org/apereo/cas/config/CasThrottlingConfiguration$CasThrottlingPlanConfiguration.class]: Unsatisfied dependency expressed through method 'authenticationThrottlingExecutionPlanConfigurer' parameter 1; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'authenticationThrottle' defined in class path resource [org/apereo/cas/config/CasThrottlingConfiguration$CasThrottlingInterceptorConfiguration.class]: Unsatisfied dependency expressed through method 'authenticationThrottle' parameter 1; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'authenticationThrottlingConfigurationContext' defined in class path resource [org/apereo/cas/config/CasThrottlingConfiguration$CasThrottlingContextConfiguration.class]: Unsatisfied dependency expressed through method 'authenticationThrottlingConfigurationContext' parameter 4; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'throttledRequestExecutor' defined in class path resource [org/apereo/cas/config/CasBucket4jThrottlingConfiguration.class]: Unsatisfied dependency expressed through method 'throttledRequestExecutor' parameter 0; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'bucket4jThrottledRequestConsumer' defined in class path resource [org/apereo/cas/config/CasBucket4jThrottlingConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.apereo.cas.bucket4j.consumer.BucketConsumer]: Factory method 'bucket4jThrottledRequestConsumer' threw exception; nested exception is java.lang.IllegalArgumentException: At list one limited bandwidth should be specified
at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:658) ~[spring-beans-5.3.19.jar:5.3.19]
at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:638) ~[spring-beans-5.3.19.jar:5.3.19]

is there a sample configuration for cas.properties

mwbi

@mwbi

what is the correct setting for cas.authn.throttle.bucket4j.bandwidth=

stourwalk-work

@stourwalk-work

Has anyone been able to enable CORS successfully for the actuator endpoints (info/health/metrics etc). The documentation describes how to do it, but nothing seems to make it work (and I can't even find where in the code it attempts to enable it for those endpoints)

We're using 6.5 (but had the same problem with 6.4 fwiw)

Alizee-Me

@Alizee-Me

Hello, I'm trying to implement the validation of user by using a rest API, everything seems to working well, and the test was working well in 6.3, but now I've upgrade the version of apereo to 6.5.4 and the authentication is't not working anymore, there is this message in the console :
2022-05-19 09:14:45,946 ERROR [org.apereo.cas.adaptors.rest.RestAuthenticationHandler] - <Could not resolve subtype of [map type; class java.util.Map, [simple type, class java.lang.String] -> [collection type; class jav a.util.List, contains [simple type, class java.lang.Object]]]: missing type id property '@class' (for POJO property 'attributes') cas-portal | at [Source: (String)"{"@class":"org.apereo.cas.authentication.principal.SimplePrincipal","id":"casuser","attributes":{}}"; line: 1, column: 98] (through reference chain: org.apereo.cas.authentication.principal.SimplePrincipal["attributes"])>
Did anybody have an idea to fix this issue ?
Thanks :)

If needed here is my simple code to test the rest authentication :
$test = '{"@class":"org.apereo.cas.authentication.principal.SimplePrincipal","id":"casuser","attributes":{}}'; return new JsonResponse($test, 200, array('Content-Type' => 'application/json'), true);

Palmurugan

@palmuruganchandran

Hi is there any way to check the active users in the mongoDB authentication. I am using CAS 6.4.3

vbryandc

@vbryandc

Hello, does anyone have a detailed manual on how to start CAS in my local environment?

3 replies

Alizee-Me

@Alizee-Me

Hello, I'm trying to implement the validation of user by using a rest API, everything seems to working well, and the test was working well in 6.3, but now I've upgrade the version of apereo to 6.5.4 and the authentication is't not working anymore, there is this message in the console :
2022-05-19 09:14:45,946 ERROR [org.apereo.cas.adaptors.rest.RestAuthenticationHandler] - <Could not resolve subtype of [map type; class java.util.Map, [simple type, class java.lang.String] -> [collection type; class jav a.util.List, contains [simple type, class java.lang.Object]]]: missing type id property '@class' (for POJO property 'attributes') cas-portal | at [Source: (String)"{"@class":"org.apereo.cas.authentication.principal.SimplePrincipal","id":"casuser","attributes":{}}"; line: 1, column: 98] (through reference chain: org.apereo.cas.authentication.principal.SimplePrincipal["attributes"])>
Did anybody have an idea to fix this issue ?
Thanks :)
If needed here is my simple code to test the rest authentication :
$test = '{"@class":"org.apereo.cas.authentication.principal.SimplePrincipal","id":"casuser","attributes":{}}'; return new JsonResponse($test, 200, array('Content-Type' => 'application/json'), true);

I've found the solution, I removed ","attributes":{}" from my response and It's working now.
PS: I've followed this doc https://apereo.github.io/cas/6.5.x/authentication/Rest-Authentication.html and I didn't notice that an empty attributes will make it failed ^^'
PS2: The search bar of 6.5 version is only broken for me ?

Thanks ;)

vbryandc

@vbryandc

Can someone help me with this error:
>
2022-05-19 14:48:35,685 DEBUG [org.springframework.security.web.FilterChainProxy] - <Securing GET /oidc/accessToken?grant_type=client_credentials&client_id=client&client_secret=secret&scope=profile+app>
2022-05-19 14:48:35,685 DEBUG [org.springframework.security.web.context.SecurityContextPersistenceFilter] - <Set SecurityContextHolder to empty SecurityContext>
2022-05-19 14:48:35,685 DEBUG [org.springframework.security.web.authentication.AnonymousAuthenticationFilter] - <Set SecurityContextHolder to anonymous SecurityContext>
2022-05-19 14:48:35,685 DEBUG [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] - <Authorized public object filter invocation [GET /oidc/accessToken?grant_type=client_credentials&client_id=client&client_secret=secret&scope=profile+app]>
2022-05-19 14:48:35,685 DEBUG [org.springframework.security.web.FilterChainProxy] - <Secured GET /oidc/accessToken?grant_type=client_credentials&client_id=client&client_secret=secret&scope=profile+app>
2022-05-19 14:48:35,687 DEBUG [org.apereo.cas.support.oauth.validator.token.BaseOAuth20TokenRequestValidator] - <Grant type received: [client_credentials]>
2022-05-19 14:48:35,687 WARN [org.apereo.cas.support.oauth.validator.token.BaseOAuth20TokenRequestValidator] - <Could not locate authenticated profile for this request. Request is not authenticated>
2022-05-19 14:48:35,687 ERROR [org.apereo.cas.support.oauth.web.endpoints.OAuth20AccessTokenEndpointController] - <Access token validation failed>
2022-05-19 14:48:35,688 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] - <Did not store anonymous SecurityContext>
2022-05-19 14:48:35,689 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] - <Did not store anonymous SecurityContext>
2022-05-19 14:48:35,689 DEBUG [org.springframework.security.web.context.SecurityContextPersistenceFilter] - <Cleared SecurityContextHolder to complete request>

#########################################33

Testing from postman shows me this:
URL: https://localhost:8443/cas/oidc/accessToken?grant_type=client_credentials&client_id=client&client_secret=secret&scope=profile+app

{

"error": "invalid_grant"

}

Munachy29

@Munachy29

hi everyone

mwbi

@mwbi

Has someone an working example cas.properties with cas.authn.throttle.bucket4j.bandwidth as Parameter ?

manoharKola

@manoharKola

Hi Everyone,
can you provide details about how to register Mobile Client for Openid Connect setup?

Łukasz

@lgwozniak

Hello, is it possible too use OAuth 2.0, method client credentials with authorization on fields clientId, clientSecret based on Active Directory ?

too not have static clientId, clientSecret

lshc

@lshc666

@lgwozniak @mmoayyed

Hi, we configured some services required MFA when authenticate against these services. While this works for CAS applications, it doesn't work for SAML application. In this case MFA is not triggered when the user authenticates earlier against a non-MFA application. Even when logging in without a service/application (which does not trigger MFA at all) and then logging into a MFA application, MFA is not triggered and user is directly redirected back to the application. We're using CAS 6.3.6 - this this intended behavior?

Can you help us look at this problem? I think this is a security risk.

Łukasz

@lgwozniak

I don't have a clue ;) Is Your MFA is globally turn on ? Or only on one service ?

1 reply

manoharKola

@manoharKola

OIDC is working fine for web application , but not in Mobile.
Is there any different process for Mobile Setup?

mkunal

@mkunal:matrix.org

[m]

Hi Team... can anyone please help me to integrate AZURE Active Directory as an external identity provider through cas...

currently i am using google as an external identity provider through CAS for my spring boot application

i am following cas documentation.. added gradle dependency for cas-azuread-server-support with cas 6.5 version

but it could not help.. i am not getting any plugin(AAD button ) in my cas login page

Ivanlee818

@Ivanlee818

Hi all, could anyone please share a detailed sample of configuring procedures of delegation external OAuth2.0?

I’m trying to configure CAS 6.5 delegation OAuth 2.0, get error:
Authentication response provided to CAS by the external identity provider cannot be accepted.

error in log:

Ivanlee818

@Ivanlee818

[2022-05-26 20:33:27] [info] #033[32m2022-05-26 20:33:27,073 INFO [org.apereo.cas.web.flow.DelegatedClientAuthenticationAction] - <Credentials are successfully authenticated using the delegated client [WorkWeChat]>#033[m
[2022-05-26 20:33:27] [info] #033[1;31m2022-05-26 20:33:27,480 ERROR [org.apereo.cas.authentication.DefaultAuthenticationManager] - <Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [ClientCredential(credentials=#OAuth20Credentials# | code: hzouYQZ_x085r8B8x3Z4kDSyUP3AmJJVatw8uxFqGVI | accessToken: com.github.scribejava.core.model.OAuth2AccessToken@b65fb8bc |, clientName=WorkWeChat, typedIdUsed=true, userProfile=null)] of type [ClientCredential]. Examine the configuration to ensure a method of authentication is defined and analyze CAS logs at DEBUG level to trace the authentication event.>#033[m
[2022-05-26 20:33:27] [info] #033[1;31m2022-05-26 20:33:27,481 ERROR [org.apereo.cas.authentication.DefaultAuthenticationManager] - <[DelegatedClientAuthenticationHandler]: [org.pac4j.core.exception.TechnicalException: id cannot be blank / id cannot be blank]>#033[m

Łukasz

@lgwozniak

Hello, We are using Dynamic Delegation in 6.5. And there is a possibility to add parameter request to Delegated authentication ?

For example Office365, have a parameter login_hint. And with this parameter request delegation as login

Łukasz

@lgwozniak

Any one have a problem on version 6.5.5 with Cookie locale. We i redirect to /login?client_name=Office365 i getting 2 set-Cookie

Set-Cookie: org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE=pl-PL; Max-Age=2147483647; Expires=Mon, 26-Jun-2090 11:36:24 GMT; Path=/; Secure; HttpOnly
Set-Cookie: org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE=und; Max-Age=2147483647; Expires=Mon, 26-Jun-2090 11:36:24 GMT; Path=/; Secure; HttpOnly

A Nomad

@a.nomad_gitlab

Hi, I install Apereo CAS and can't use self registration. I don't need SMS just only email but I haven't found how complitly disable SMS.

[33m2022-06-08 15:10:49,598 WARN [org.apereo.cas.notifications.DefaultCommunicationsManager] - <Could not send SMS to [+1 123 123 1231] because either no from/text is found or SMS settings are not configured.>[m

Lars Grefer

@larsgrefer

@Alizee-Me

Hello, I'm trying to implement the validation of user by using a rest API, everything seems to working well, and the test was working well in 6.3, but now I've upgrade the version of apereo to 6.5.4 and the authentication is't not working anymore, there is this message in the console :
2022-05-19 09:14:45,946 ERROR [org.apereo.cas.adaptors.rest.RestAuthenticationHandler] - <Could not resolve subtype of [map type; class java.util.Map, [simple type, class java.lang.String] -> [collection type; class jav a.util.List, contains [simple type, class java.lang.Object]]]: missing type id property '@class' (for POJO property 'attributes') cas-portal | at [Source: (String)"{"@class":"org.apereo.cas.authentication.principal.SimplePrincipal","id":"casuser","attributes":{}}"; line: 1, column: 98] (through reference chain: org.apereo.cas.authentication.principal.SimplePrincipal["attributes"])>
Did anybody have an idea to fix this issue ?
Thanks :)
If needed here is my simple code to test the rest authentication :
$test = '{"@class":"org.apereo.cas.authentication.principal.SimplePrincipal","id":"casuser","attributes":{}}'; return new JsonResponse($test, 200, array('Content-Type' => 'application/json'), true);

I've found the solution, I removed ","attributes":{}" from my response and It's working now.
PS: I've followed this doc https://apereo.github.io/cas/6.5.x/authentication/Rest-Authentication.html and I didn't notice that an empty attributes will make it failed ^^'
PS2: The search bar of 6.5 version is only broken for me ?
Thanks ;)

I have the same problem. Why was the expected JSON-Format changed from 6.3 to 6.5?

1 reply

Néjwàa K

@nejwa:matrix.org

[m]

Hello, does anyone know what i have to do to solve this ??? i always get this page that says that The application you attempted to authenticate to is not authorized to use CAS. This usually indicates that the application is not registered with CAS, or its authorization policy defined in its registration record prevents it from leveraging CAS functionality, or it's malformed and unrecognized by CAS.

5 replies

CAS.PNG

Baba Ndiaye

@mrbabandiaye_twitter

Hello guys
I'm using Haproxy (public IP) and moodle for my backend (private IP). Now it's work nice. But when i use CAS SSO for the authentication in my url service i have the address of my backend moodle and not my frontend like this https://mycas.example.com/cas/login?service=https%3A%2F%2Fmymoodleinterne.mydomainlocal.com%2Flogin%2Findex.php%3FauthCAS%3DCAS
my frontend url adress myhaproxy.example.com
my moodle url address mymoodleinterne.mydomainlocal.com
i want if that my CAS use myhaproxy url and not mymoodleinterne

mancheaka

@mancheaka

Hello, I'm trying to get a configuration server overlay to read properties from AWS SSM. However, I'm getting an error as soon as I add the dependency on cas-server-support-configuration-cloud-aws-ssm . I have my AWS creds/etc in application.yml and the trace messages indicate that it's connecting and reading them successfully. The error I get is this:
'<==2022-06-16 13:44:52,223 INFO [org.springframework.boot.web.embedded.tomcat.TomcatWebServer] - <Tomcat started on port(s): 8888 (https) with context path '/casconfigserver'>
<==2022-06-16 13:44:53,007 TRACE [org.apereo.cas.rest.config.CasCoreRestConfiguration] - <building REST credential factory from [[org.apereo.cas.rest.config.CasCoreRestConfiguration$CasCoreRestCredentialFactoryPlanConfiguration$$Lambda$2003/0x0000000800aa5440@4f6fd101]]>
2022-06-16 13:44:53,007 TRACE [org.apereo.cas.rest.config.CasCoreRestConfiguration] - <Configuring credential factory: [org.apereo.cas.rest.config.CasCoreRestConfiguration$CasCoreRestCredentialFactoryPlanConfiguration$$Lambda$2003/0x0000000800aa5440@4f6fd101]>
2022-06-16 13:44:53,013 WARN [org.springframework.boot.web.servlet.context.AnnotationConfigServletWebServerApplicationContext] - <Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'restAuthenticationService' defined in class path resource [org/apereo/cas/rest/config/CasCoreRestConfiguration$CasCoreRestAuthenticationConfiguration.class]: Unsatisfied dependency expressed through method 'restAuthenticationService' parameter 1; nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException: No qualifying bean of type 'org.apereo.cas.authentication.MultifactorAuthenticationTriggerSelectionStrategy' available: expected at least 1 bean which qualifies as autowire candidate. Dependency annotations: {@org.springframework.beans.factory.annotation.Qualifier(value="defaultMultifactorTriggerSelectionStrategy")}>'

Can anyone tell me what I'm missing here?

1 reply

DjokerR

@DjokerR

cas-mangement 5.3.1 start failed 2022-06-17 09:19:57,016 ERROR [org.springframework.boot.diagnostics.LoggingFailureAnalysisReporter] - <

APPLICATION FAILED TO START

Description:

Field personDirectoryPrincipalResolver in org.apereo.cas.adaptors.jdbc.config.CasJdbcAuthenticationConfiguration required a bean of type 'org.apereo.cas.authentication.principal.PrincipalResolver' that could not be found.

Action:

Consider defining a bean of type 'org.apereo.cas.authentication.principal.PrincipalResolver' in your configuration.
>

Can anyone tell me what I'm missing here? about PersonDirectoryPrincipalResolver

Where communities thrive

People

Repo info

Activity

============= OAuth ==================================

======================================================

#########################################33