Palmurugan
@palmuruganchandran
Hi, is there any way to check the active users in the MongoDB authentication? I am using CAS 6.4.3.
vbryandc
@vbryandc
Hello, does anyone have a detailed manual on how to start CAS in my local environment?
3 replies
Alizee-Me
@Alizee-Me

Hello, I'm trying to implement the validation of users by using a REST API. Everything seems to be working well, and the test was working well in 6.3, but now I've upgraded the version of Apereo to 6.5.4 and the authentication isn't working anymore; there is this message in the console:
2022-05-19 09:14:45,946 ERROR [org.apereo.cas.adaptors.rest.RestAuthenticationHandler] - <Could not resolve subtype of [map type; class java.util.Map, [simple type, class java.lang.String] -> [collection type; class java.util.List, contains [simple type, class java.lang.Object]]]: missing type id property '@class' (for POJO property 'attributes') cas-portal | at [Source: (String)"{"@class":"org.apereo.cas.authentication.principal.SimplePrincipal","id":"casuser","attributes":{}}"; line: 1, column: 98] (through reference chain: org.apereo.cas.authentication.principal.SimplePrincipal["attributes"])>
Does anybody have an idea how to fix this issue?
Thanks :)

If needed, here is my simple code to test the REST authentication:
$test = '{"@class":"org.apereo.cas.authentication.principal.SimplePrincipal","id":"casuser","attributes":{}}'; return new JsonResponse($test, 200, array('Content-Type' => 'application/json'), true);

I've found the solution: I removed `,"attributes":{}` from my response and it's working now.
PS: I followed this doc https://apereo.github.io/cas/6.5.x/authentication/Rest-Authentication.html and I didn't notice that empty attributes would make it fail ^^'
PS2: Is the search bar of the 6.5 version broken only for me?

Thanks ;)

vbryandc
@vbryandc

Can someone help me with this error:
2022-05-19 14:48:35,685 DEBUG [org.springframework.security.web.FilterChainProxy] - <Securing GET /oidc/accessToken?grant_type=client_credentials&client_id=client&client_secret=secret&scope=profile+app>
2022-05-19 14:48:35,685 DEBUG [org.springframework.security.web.context.SecurityContextPersistenceFilter] - <Set SecurityContextHolder to empty SecurityContext>
2022-05-19 14:48:35,685 DEBUG [org.springframework.security.web.authentication.AnonymousAuthenticationFilter] - <Set SecurityContextHolder to anonymous SecurityContext>
2022-05-19 14:48:35,685 DEBUG [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] - <Authorized public object filter invocation [GET /oidc/accessToken?grant_type=client_credentials&client_id=client&client_secret=secret&scope=profile+app]>
2022-05-19 14:48:35,685 DEBUG [org.springframework.security.web.FilterChainProxy] - <Secured GET /oidc/accessToken?grant_type=client_credentials&client_id=client&client_secret=secret&scope=profile+app>
2022-05-19 14:48:35,687 DEBUG [org.apereo.cas.support.oauth.validator.token.BaseOAuth20TokenRequestValidator] - <Grant type received: [client_credentials]>
2022-05-19 14:48:35,687 WARN [org.apereo.cas.support.oauth.validator.token.BaseOAuth20TokenRequestValidator] - <Could not locate authenticated profile for this request. Request is not authenticated>
2022-05-19 14:48:35,687 ERROR [org.apereo.cas.support.oauth.web.endpoints.OAuth20AccessTokenEndpointController] - <Access token validation failed>
2022-05-19 14:48:35,688 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] - <Did not store anonymous SecurityContext>
2022-05-19 14:48:35,689 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] - <Did not store anonymous SecurityContext>
2022-05-19 14:48:35,689 DEBUG [org.springframework.security.web.context.SecurityContextPersistenceFilter] - <Cleared SecurityContextHolder to complete request>

Testing from Postman shows me this:
URL: https://localhost:8443/cas/oidc/accessToken?grant_type=client_credentials&client_id=client&client_secret=secret&scope=profile+app

{
  "error": "invalid_grant"
}

Munachy29
@Munachy29
hi everyone
mwbi
@mwbi
Does someone have a working example cas.properties with cas.authn.throttle.bucket4j.bandwidth as a parameter?
manoharKola
@manoharKola
Hi everyone,
can you provide details about how to register a mobile client for an OpenID Connect setup?
Łukasz
@lgwozniak
Hello, is it possible to use OAuth 2.0 with the client credentials method, with authorization on the clientId and clientSecret fields based on Active Directory, so as not to have a static clientId and clientSecret?
lshc
@lshc666

@lgwozniak @mmoayyed

Hi, we configured some services to require MFA when authenticating against them. While this works for CAS applications, it doesn't work for SAML applications. In this case MFA is not triggered when the user authenticated earlier against a non-MFA application. Even when logging in without a service/application (which does not trigger MFA at all) and then logging into an MFA application, MFA is not triggered and the user is directly redirected back to the application. We're using CAS 6.3.6 - is this intended behavior?

Can you help us look at this problem? I think this is a security risk.

Łukasz
@lgwozniak
I don't have a clue ;) Is your MFA turned on globally, or only on one service?
1 reply
manoharKola
@manoharKola

Screenshot 2022-05-24 at 1.48.34 PM.png

OIDC is working fine for the web application, but not for mobile.
Is there a different process for the mobile setup?

mkunal
@mkunal:matrix.org
[m]
Hi team... can anyone please help me integrate Azure Active Directory as an external identity provider through CAS?
Currently I am using Google as an external identity provider through CAS for my Spring Boot application.
I am following the CAS documentation; I added the Gradle dependency for cas-azuread-server-support with CAS version 6.5,
but it did not help. I am not getting any plugin (AAD button) on my CAS login page.
Ivanlee818
@Ivanlee818
Hi all, could anyone please share a detailed sample of the configuration procedure for delegating to an external OAuth 2.0 provider?
I'm trying to configure CAS 6.5 delegation to OAuth 2.0 and get the error:
Authentication response provided to CAS by the external identity provider cannot be accepted.
Error in log:
[2022-05-26 20:33:27] [info] 2022-05-26 20:33:27,073 INFO [org.apereo.cas.web.flow.DelegatedClientAuthenticationAction] - <Credentials are successfully authenticated using the delegated client [WorkWeChat]>
[2022-05-26 20:33:27] [info] 2022-05-26 20:33:27,480 ERROR [org.apereo.cas.authentication.DefaultAuthenticationManager] - <Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [ClientCredential(credentials=#OAuth20Credentials# | code: hzouYQZ_x085r8B8x3Z4kDSyUP3AmJJVatw8uxFqGVI | accessToken: com.github.scribejava.core.model.OAuth2AccessToken@b65fb8bc |, clientName=WorkWeChat, typedIdUsed=true, userProfile=null)] of type [ClientCredential]. Examine the configuration to ensure a method of authentication is defined and analyze CAS logs at DEBUG level to trace the authentication event.>
[2022-05-26 20:33:27] [info] 2022-05-26 20:33:27,481 ERROR [org.apereo.cas.authentication.DefaultAuthenticationManager] - <[DelegatedClientAuthenticationHandler]: [org.pac4j.core.exception.TechnicalException: id cannot be blank / id cannot be blank]>
Łukasz
@lgwozniak
Hello, we are using dynamic delegation in 6.5. Is there a possibility to add a request parameter to the delegated authentication?
For example, Office365 has a login_hint parameter, and with this parameter the delegation request is used as the login.
Łukasz
@lgwozniak
Does anyone have a problem on version 6.5.5 with the locale cookie? When I redirect to /login?client_name=Office365 I get two Set-Cookie headers:
Set-Cookie: org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE=pl-PL; Max-Age=2147483647; Expires=Mon, 26-Jun-2090 11:36:24 GMT; Path=/; Secure; HttpOnly
Set-Cookie: org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE=und; Max-Age=2147483647; Expires=Mon, 26-Jun-2090 11:36:24 GMT; Path=/; Secure; HttpOnly
A Nomad
@a.nomad_gitlab

Hi, I installed Apereo CAS and can't use self-registration. I don't need SMS, only email, but I haven't found how to completely disable SMS.

2022-06-08 15:10:49,598 WARN [org.apereo.cas.notifications.DefaultCommunicationsManager] - <Could not send SMS to [+1 123 123 1231] because either no from/text is found or SMS settings are not configured.>

Lars Grefer
@larsgrefer

@Alizee-Me
> Hello, I'm trying to implement the validation of users by using a REST API. Everything seems to be working well, and the test was working well in 6.3, but now I've upgraded the version of Apereo to 6.5.4 and the authentication isn't working anymore [...]
> I've found the solution: I removed `,"attributes":{}` from my response and it's working now.

I have the same problem. Why was the expected JSON format changed from 6.3 to 6.5?

1 reply
Néjwàa K
@nejwa:matrix.org
[m]
Hello, does anyone know what I have to do to solve this? I always get this page that says: "The application you attempted to authenticate to is not authorized to use CAS. This usually indicates that the application is not registered with CAS, or its authorization policy defined in its registration record prevents it from leveraging CAS functionality, or it's malformed and unrecognized by CAS."
5 replies
Baba Ndiaye
@mrbabandiaye_twitter
Hello guys,
I'm using HAProxy (public IP) and Moodle for my backend (private IP). It works nicely now. But when I use CAS SSO for authentication, the service parameter in my URL contains the address of my backend Moodle and not my frontend, like this: https://mycas.example.com/cas/login?service=https%3A%2F%2Fmymoodleinterne.mydomainlocal.com%2Flogin%2Findex.php%3FauthCAS%3DCAS
My frontend URL is myhaproxy.example.com.
My Moodle URL is mymoodleinterne.mydomainlocal.com.
I want my CAS to use the myhaproxy URL and not mymoodleinterne.
mancheaka
@mancheaka

Hello, I'm trying to get a configuration server overlay to read properties from AWS SSM. However, I'm getting an error as soon as I add the dependency on cas-server-support-configuration-cloud-aws-ssm. I have my AWS creds etc. in application.yml, and the trace messages indicate that it's connecting and reading them successfully. The error I get is this:
2022-06-16 13:44:52,223 INFO [org.springframework.boot.web.embedded.tomcat.TomcatWebServer] - <Tomcat started on port(s): 8888 (https) with context path '/casconfigserver'>
2022-06-16 13:44:53,007 TRACE [org.apereo.cas.rest.config.CasCoreRestConfiguration] - <building REST credential factory from [[org.apereo.cas.rest.config.CasCoreRestConfiguration$CasCoreRestCredentialFactoryPlanConfiguration$$Lambda$2003/0x0000000800aa5440@4f6fd101]]>
2022-06-16 13:44:53,007 TRACE [org.apereo.cas.rest.config.CasCoreRestConfiguration] - <Configuring credential factory: [org.apereo.cas.rest.config.CasCoreRestConfiguration$CasCoreRestCredentialFactoryPlanConfiguration$$Lambda$2003/0x0000000800aa5440@4f6fd101]>
2022-06-16 13:44:53,013 WARN [org.springframework.boot.web.servlet.context.AnnotationConfigServletWebServerApplicationContext] - <Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'restAuthenticationService' defined in class path resource [org/apereo/cas/rest/config/CasCoreRestConfiguration$CasCoreRestAuthenticationConfiguration.class]: Unsatisfied dependency expressed through method 'restAuthenticationService' parameter 1; nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException: No qualifying bean of type 'org.apereo.cas.authentication.MultifactorAuthenticationTriggerSelectionStrategy' available: expected at least 1 bean which qualifies as autowire candidate. Dependency annotations: {@org.springframework.beans.factory.annotation.Qualifier(value="defaultMultifactorTriggerSelectionStrategy")}>

Can anyone tell me what I'm missing here?

1 reply
DjokerR
@DjokerR

cas-management 5.3.1 fails to start:

2022-06-17 09:19:57,016 ERROR [org.springframework.boot.diagnostics.LoggingFailureAnalysisReporter] - <

APPLICATION FAILED TO START

Description:

Field personDirectoryPrincipalResolver in org.apereo.cas.adaptors.jdbc.config.CasJdbcAuthenticationConfiguration required a bean of type 'org.apereo.cas.authentication.principal.PrincipalResolver' that could not be found.

Action:

Consider defining a bean of type 'org.apereo.cas.authentication.principal.PrincipalResolver' in your configuration.
>

Can anyone tell me what I'm missing here regarding PersonDirectoryPrincipalResolver?
Matt Benson
@mbenson
hi everyone, when using the CAS Maven overlay, CAS builds, as is well-known, a self-contained WAR archive. Is there a well-understood mechanism for using the jib Maven plugin to create a container image that runs such a WAR using its embedded servlet engine? I can easily build such an image using the spotify dockerfile plugin (actually its successor maintained by Jason Van Zyl), but I am exploring alternatives.
Palmurugan
@palmuruganchandran
CAS 6.5.x: while I am trying to log out with the service parameter, I am getting the error below. Can anyone please help me?
2022-06-21 17:42:27,060 ERROR [org.apereo.cas.services.web.support.RegisteredServiceResponseHeadersEnforcementFilter] - <Service unauthorized>
org.apereo.cas.services.UnauthorizedServiceException: Service unauthorized
at org.apereo.cas.services.RegisteredServiceAccessStrategyAuditableEnforcer.lambda$execute$6(RegisteredServiceAccessStrategyAuditableEnforcer.java:194) ~[cas-server-core-services-api-6.5.2.jar!/:6.5.2]
at java.util.Optional.orElseGet(Optional.java:364) ~[?:?]
Robin Dupret
@rdupret_gitlab

Hello,

I would like to define the expiration of trusted devices but I can't manage to find the settings to do so.

There used to be cas.authn.mfa.trusted.expiration, but it looks like it has been removed in apereo/cas@a4c49ab.

However, I don't understand which settings the above has been replaced by. Can anyone help me please?

1 reply
Juliusz Marciniak
@rechandler12

Hello,
I've got a problem with OAuth2 login when I set this in the service:

"jwtAccessToken": true

Here's the error:

2022-06-27 09:27:09,369 ERROR [org.apereo.cas.support.oauth.web.endpoints.OAuth20AccessTokenEndpointController] - <Invalid or unauthorized grant>
java.lang.ClassCastException: Cannot cast org.apereo.cas.support.oauth.services.OAuthRegisteredService to org.apereo.cas.services.OidcRegisteredService
at java.lang.Class.cast(Unknown Source) ~[?:?]
at org.apereo.cas.oidc.token.OidcRegisteredServiceJwtAccessTokenCipherExecutor.getSigningKey(OidcRegisteredServiceJwtAccessTokenCipherExecutor.java:67) ~[cas-server-support-oidc-core-api-6.5.4.jar!/:6.5.4]
at org.apereo.cas.token.cipher.RegisteredServiceJwtTicketCipherExecutor.supports(RegisteredServiceJwtTicketCipherExecutor.java:58) ~[cas-server-support-token-core-api-6.5.4.jar!/:6.5.4]
at org.apereo.cas.token.JwtBuilder.build(JwtBuilder.java:154) ~[cas-server-support-token-core-api-6.5.4.jar!/:6.5.4]
at org.apereo.cas.support.oauth.web.response.accesstoken.response.OAuth20JwtAccessTokenEncoder.encode(OAuth20JwtAccessTokenEncoder.java:55) ~[cas-server-support-oauth-core-api-6.5.4.jar!/:6.5.4]
at org.apereo.cas.support.oauth.web.response.accesstoken.response.OAuth20DefaultAccessTokenResponseGenerator.encodeAccessToken(OAuth20DefaultAccessTokenResponseGenerator.java:134) ~[cas-server-support-oauth-core-api-6.5.4.jar!/:6.5.4]
at org.apereo.cas.support.oauth.web.response.accesstoken.response.OAuth20DefaultAccessTokenResponseGenerator.lambda$getAccessTokenResponseModel$2(OAuth20DefaultAccessTokenResponseGenerator.java:116) ~[cas-server-support-oauth-core-api-6.5.4.jar!/:6.5.4]
at java.util.Optional.ifPresent(Unknown Source) ~[?:?]
at org.apereo.cas.support.oauth.web.response.accesstoken.response.OAuth20DefaultAccessTokenResponseGenerator.getAccessTokenResponseModel(OAuth20DefaultAccessTokenResponseGenerator.java:115) ~[cas-server-support-oauth-core-api-6.5.4.jar!/:6.5.4]
at org.apereo.cas.support.oauth.web.response.accesstoken.response.OAuth20DefaultAccessTokenResponseGenerator.generateResponseForAccessToken(OAuth20DefaultAccessTokenResponseGenerator.java:102) ~[cas-server-support-oauth-core-api-6.5.4.jar!/:6.5.4]
at org.apereo.cas.support.oauth.web.response.accesstoken.response.OAuth20DefaultAccessTokenResponseGenerator.generate(OAuth20DefaultAccessTokenResponseGenerator.java:59) ~[cas-server-support-oauth-core-api-6.5.4.jar!/:6.5.4]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) ~[?:?]
at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) ~[?:?]
at java.lang.reflect.Method.invoke(Unknown Source) ~[?:?]
cctgteddy
@cctgteddy
Hi, I'm trying to add a third party to authenticate to my CAS instance. They have only provided me with the following entries: Entity ID, IdP-initiated Assertion Consumer Service URL, SP-initiated Assertion Consumer Service URL, eLearning Assertion Consumer Service URL, and Relay State for IdP-initiated.
How do I register them as a service with this info? They do not provide a metadata URL.
chirag111shah
@chirag111shah

We have been using CAS for our applications' authentication with the regular "CAS Web flow".

One of our newer flows is doing a LoginWithoutTicket instead of credentials. So, in this flow:

  1. The user is sent to CAS with
    CAS_BASE_URL/loginWithoutTicket?_eventId=submit&username=@SSID@&password=@SSID@project@sessionToken&service=https://example.com/home
  2. My code picks up the sessionToken and does the login work. Upon successful login it redirects the user to https://example.com/home. This flow is working.
  3. In case the token is bad, I need to redirect to a specific URL and not show them the CAS login prompt.

Can someone please let me know if there is a way to do this? Any suggestions on how to achieve this would be much appreciated.

Maël BOEUF
@mael-boeuf
Hello everyone. I'm trying to get the current registered service name in a custom authentication handler. Is that possible? If yes, how do I implement it? I use CAS 6.5.4. Thanks.
ohinckel
@ohinckel
Hi, another problem we have with the management app 6.5.4 is that it is still using the default server cas.example.org:8443 instead of the cas.server.name provided in the management.yml file. The previous version works, but after the upgrade the defaults are used. Has somebody here run into this issue and found out how to configure CAS authentication for the management app?
1 reply
Robin Dupret
@rdupret_gitlab

Hello,

Excuse me, I have a tiny question regarding MFA providers: why do all of them have their order value defined as the rank provided in properties? (e.g. https://github.com/apereo/cas/blob/6e29bc0001e3c304375efc5f8cbb04918d8f8691/support/cas-server-support-duo-core/src/main/java/org/apereo/cas/adaptors/duo/authn/DuoSecurityMultifactorAuthenticationProviderFactory.java#L58)

Kindly pinging @mmoayyed since you implemented MFA.
alvinyue
@alvinyue
Hi all, how can I turn off CAS's login prompt only for one of the webapps? Thank you!
1 reply
cctgteddy
@cctgteddy
What is the way to override theme files on 6.x? When I was building our 5.3 deployment several years ago I would run it under Tomcat, which extracted the WAR file completely, and I could edit the template files in there and see the changes right away. Once I was done I would take the modified files back to the overlay directory and commit the changes.
I'm not sure how to access the theme files now on this new one. I'm running it as an executable WAR file.
4 replies
ohinckel
@ohinckel
Still, (in CAS 6.5.4) it seems not possible to force MFA for a SAML application when the user already has an SSO session without MFA. No MFA prompt will be shown; users can access the MFA SAML application without using MFA. Really looks like a security bug to me. Opinions?
2 replies
dlemp1
@dlemp1

Anyone using Spring Boot with CAS and able to get Single Sign-Out to work? Our CAS is version 6.5, and I'm using spring-security-cas version 5.7.2.

I've been working on a Spring Boot app that uses CAS for SSO for days now. Single sign-on works great! And I have a logout button within the app that works as well. The problem I'm running into is that Single Logout (SLO) does not work. Meaning when I log out of another application, SLO works everywhere except for this app. When I log out of this app, though, I am logged out of everything else. So it seems like this app isn't listening for when an SSO session is ended.

1 reply
lshc
@lshc666

> Still, (in CAS 6.5.4) it seems not possible to force MFA for a SAML application when the user already has an SSO session without MFA. No MFA prompt will be shown; users can access the MFA SAML application without using MFA. Really looks like a security bug to me. Opinions?

@mmoayyed I had the same problem.

jiangying
@jiangying000
Hello all, is there an official Single Logout flow diagram in the CAS docs? I cannot find one now.
5 replies