In CAS 7.x multifactor authentication with Google Authenticator over the REST protocol is broken. To reproduce the problem, create an overlay project with cas-server-support-generic, cas-server-support-rest, cas-server-support-gauth and cas-server-webapp-starter-tomcat. Use browser login to register a Google Authenticator device and then try to authenticate using the REST protocol (POST username=xxx&password=xxx&gauthotp).
Here are the relevant logs:
2025-02-13 08:48:37,251 DEBUG [org.apereo.cas.gauth.rest.GoogleAuthenticatorRestHttpRequestCredentialFactory] - <Google authenticator token [111111] in the request body via account [null]>
...
simple file based authentication
...
2025-02-13 08:48:37,396 DEBUG [org.apereo.cas.authentication.handler.support.AbstractUsernamePssswordAuthenticationHandler] - <Credential [Remember MeUsernamePasswordCredential(super=UsernamePasswordCredential(username=xxxxxx, source=null, customFields={}), rememberMe=false)] eligibility is [Static Credentials] for authentication handler [true]>
2025-02-13 08:48:37,396 DEBUG [org.apereo.cas.authentication.policy.AtLeastOneCredentialValidatedAuthenticationPolicy] - <Authentication policy is satisfied having found at least one authentication transactions>
2025-02-13 08:48:37,396 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationManager] - <Attempting to authenticate credential [GoogleAuthenticatorTokenCredential(super=OneTimeTokenCredential(token=****************), accountId=null)]>
2025-02-13 08:48:37,396 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationManager] - <Attempting authentication of [111111] using [GoogleAuthenticatorAuthenticationHandler]>
2025-02-13 08:48:37,397 ERROR [org.apereo.cas.authentication.DefaultAuthenticationManager] - <Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [GoogleAuthenticatorTokenCredential(super=OneTimeTokenCredential(token=****************), accountId=null)] of type [GoogleAuthenticatorTokenCredential]. Examine the configuration to ensure a method of authentication is defined and analyze CAS logs at DEBUG level to trace the authentication event.>
2025-02-13 08:48:37,397 ERROR [org.apereo.cas.authentication.DefaultAuthenticationManager] - <[GoogleAuthenticatorAuthenticationHandler]: [Cannot invoke "org.apereo.cas.authentication.Authentication.getPrincipal()" because "authentication" is null]>
The "authentication is null" comes from GoogleAuthenticatorAuthenticationHandler.java:
val authentication = WebUtils.getInProgressAuthentication();
Can anyone help me understand why WebUtils.getInProgressAuthentication() does not return a valid authentication object?
Thank you
Klaus-Dieter Krannich
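As an added triage example (not part of the original post and not CAS project code), the script below scans CAS DEBUG logs in the format quoted above for the signature of this failure: a Google Authenticator token arriving through the REST credential factory with account [null], followed shortly by the "authentication is null" error from the handler. The sample log text is constructed from the excerpt in the post plus one constructed submission that carries an account id and produces no error; the five-second correlation window, the mask() helper and the Finding class are assumptions of this example.

```python
"""Correlate CAS log lines to spot REST OTP submissions that hit a null in-progress authentication."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: lines 1-3 follow the excerpt in the post, lines 4-5 are a
# constructed submission that carries an account id and is not followed by an error.
SAMPLE_LOG = """\
2025-02-13 08:48:37,251 DEBUG [org.apereo.cas.gauth.rest.GoogleAuthenticatorRestHttpRequestCredentialFactory] - <Google authenticator token [111111] in the request body via account [null]>
2025-02-13 08:48:37,396 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationManager] - <Attempting to authenticate credential [GoogleAuthenticatorTokenCredential(super=OneTimeTokenCredential(token=****************), accountId=null)]>
2025-02-13 08:48:37,397 ERROR [org.apereo.cas.authentication.DefaultAuthenticationManager] - <[GoogleAuthenticatorAuthenticationHandler]: [Cannot invoke "org.apereo.cas.authentication.Authentication.getPrincipal()" because "authentication" is null]>
2025-02-13 08:50:01,000 DEBUG [org.apereo.cas.gauth.rest.GoogleAuthenticatorRestHttpRequestCredentialFactory] - <Google authenticator token [222222] in the request body via account [12345]>
2025-02-13 08:50:01,120 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationManager] - <Attempting to authenticate credential [GoogleAuthenticatorTokenCredential(super=OneTimeTokenCredential(token=****************), accountId=12345)]>
"""

# Generic CAS log4j layout: timestamp, level, [logger], " - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>\w+) "
    r"\[(?P<logger>[^\]]+)\] - <(?P<msg>.*)>$"
)
TOKEN_RE = re.compile(
    r"Google authenticator token \[(?P<token>[^\]]*)\] in the request body via account \[(?P<account>[^\]]*)\]"
)
NULL_AUTH_RE = re.compile(r'"authentication" is null')


@dataclass
class Finding:
    timestamp: str      # timestamp of the ERROR line
    token_masked: str   # OTP never reproduced in a report, only its length
    account: str        # account id seen by the REST credential factory ("null" here)
    reason: str


def mask(token: str) -> str:
    """Hide the OTP value but keep its length for sanity checks."""
    return "*" * len(token)


def parse_line(line: str):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def parse_ts(ts: str) -> datetime:
    # %f accepts the 3-digit millisecond field CAS writes after the comma
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S,%f")


def triage(log_text: str, window: timedelta = timedelta(seconds=5)) -> list:
    """Return one Finding per null-authentication error that follows a REST OTP submission."""
    findings = []
    pending = []  # (timestamp, token, account) submissions awaiting an outcome
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # continuation lines, "..." elisions, etc.
        ts = parse_ts(rec["ts"])
        tm = TOKEN_RE.search(rec["msg"])
        if tm:
            pending.append((ts, tm.group("token"), tm.group("account")))
            continue
        if rec["level"] == "ERROR" and NULL_AUTH_RE.search(rec["msg"]):
            # Attribute the error to the most recent submission inside the window.
            for ev in reversed(pending):
                if ts - ev[0] <= window:
                    findings.append(Finding(
                        timestamp=rec["ts"],
                        token_masked=mask(ev[1]),
                        account=ev[2],
                        reason="OTP handler ran with no in-progress authentication "
                               "(REST credential carried account [%s])" % ev[2],
                    ))
                    pending.remove(ev)
                    break
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

Run it against a real DEBUG log by reading the file into triage(); a finding whose account is "null" reproduces the symptom in this thread, whereas submissions that carry an account id and are not followed by the error are left out of the report.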