pac4j Google2Client auth delegation: How to unauthorize a profile?

[Oscar del Pozo]

Hi!

I'm migrating from CAS 4.0.5 to 5.2.1 and everything has gone perfect but I'm facing a problem with the Google OAuth authentication.

I have configured a delegate authentication to Google with pac4j successfully but I need to make a modification, only allow the emails which end with @companyname.com (I do agree that this kind of things should not be done at CAS because this is about authorization and not authentication, but I have to)

I have added a new AuthorizationGenerator to the Google2Client instance so, after the retrieve the user profile with the Google2ProfileDefinition class, I make my validation and in case that the user email is not a valid one, I set the profile identifier no blank. The blank identifier causes a FailedLoginException at AbstractPac4jAuthenticationHandler.

Everything seems to work fine but finally, I get the following exception and the CAS error page is shown.

 

2018-01-23 15:58:48,581 DEBUG [org.pac4j.oauth.profile.creator.OAuth20ProfileCreator] - <add access_token: ya29.Glx....... to profile>
2018-01-23 15:58:48,581 DEBUG [org.pac4j.oauth.profile.google2.Google2Profile] - <adding => key: access_token / value:XXX-XXX / class java.lang.String>
2018-01-23 15:58:48,581 DEBUG [org.pac4j.oauth.client.Google2Client] - <profile: #Google2Profile# | id: 112368488543222222114 | attributes: {name.familyName=del Pozo, emails=[org.pac4j.oauth.profile.google2.Google2Email@64f6a901], access_token=..., gender=MALE, displayName=Oscar del Pozo, name.givenName=Oscar, ... |>
2018-01-23 15:58:49,599 WARN [org.apereo.cas.support.pac4j.oauth.MyProfileAuthorizationGenerator] - <Invalid user email>
2018-01-23 15:58:49,599 DEBUG [org.pac4j.oauth.profile.google2.Google2Profile] - <identifier: >
2018-01-23 15:58:51,789 ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [org.apereo.cas.authentication.principal.ClientCredential@2f8fc6b0[id=<null>]] of type [ClientCredential].>
2018-01-23 15:58:53,216 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: null
WHAT: Supplied credentials: [org.apereo.cas.authentication.principal.ClientCredential@2f8fc6b0[id=<null>]]
ACTION: AUTHENTICATION_SUCCESS   (This is a reported bug, the authentication has actually failed: https://github.com/apereo/inspektr/pull/10)
APPLICATION: CAS
WHEN: Tue Jan 23 15:58:53 CET 2018
CLIENT IP ADDRESS: 192.168.56.1
SERVER IP ADDRESS: 192.168.56.1
=============================================================
>
2018-01-23 15:58:53,247 ERROR [org.springframework.boot.web.support.ErrorPageFilter] - <Forwarding to error page from request [/login] due to exception [Exception thrown executing org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationAction@848f27e in state 'clientAction' of flow 'login' -- action execution attributes were 'map[[empty]]']>

        at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:60) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
        at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:77) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
        at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE] 
[...]
Caused by: org.apereo.cas.authentication.AuthenticationException: 1 errors, 0 successes
at org.apereo.cas.authentication.PolicyBasedAuthenticationManager.evaluateFinalAuthentication(PolicyBasedAuthenticationManager.java:400) ~[cas-server-core-authentication-5.2.1.jar:5.2.1]
at org.apereo.cas.authentication.PolicyBasedAuthenticationManager.authenticateInternal(PolicyBasedAuthenticationManager.java:380) ~[cas-server-core-authentication-5.2.1.jar:5.2.1]
at org.apereo.cas.authentication.PolicyBasedAuthenticationManager.authenticate(PolicyBasedAuthenticationManager.java:220) ~[cas-server-core-authentication-5.2.1.jar:5.2.1]

Is my approach correct?. Is it possible to do not show this CAS error and go to the 403 view?

[Martin Bohun]

Hello Oscar,

This is an example of one possible solution:

Our cas project (based on cas-4.0.x), uses Delegated Authentication (Facebook/Google/Twitter) to perform "one click" SignUp/SignIn.

We use a custom auth handler that uses the attributes (email, first_name, surname) returned by Facebook/Google/Twitter to either:

a) SignIn user if user with that email exist in the system already, OR

b) SignUp create the user in our system, and proceed to SignIn

So at that point in the code where we are receiving/processing the email address returned by Facebook/Google/Twitter:

https://github.com/AtlasOfLivingAustralia/ala-cas-2.0/blob/master/src/main/java/org/jasig/cas/support/pac4j/authentication/handler/support/ALAClientAuthenticationHandler.java#L121

one could do the type of filtering you want:

a) hardcode it there

b) externalize the email validation/check regexp into some properties/config file so 
c) fast/phugly/hack do the filtering in your LDAP, SQL query,

etc.

regards,

martin

[Oscar del Pozo]

Hi Martin,

Thanks for your response. Sadly, I think that the result of implementing a custom Authentication Handler would be the same that I have now, a redirection to CAS error page since with my current implementation I'm throwing a FailedLoginException that it is exactly the same that you're doing.

So, I think that my question is not the correct one. I guess what I need is to modify the login-webflow to define what to do when an authentication failure happens. I'll follow the guide https://apereo.github.io/2016/10/07/webflow-extcfg/ to try to do it.

Regards

[Francis]

The error  'map[[empty]]'] comes from the fact that the webflow from pac4j doesn't catch correctly the error sent by 'AbstractPac4jAuthenticationHandler'. 

From my point of view the solution would be to modify the webflow in order to "accept" your exception and to redirect to a new action you have defined.

2 solutions, you can override org.apereo.cas.web.flow.Pac4jWebflowConfigurer (faster) or extend the webflow via a new own configuration (nicer).

Modify the webflow by adding a new TransitionExecutingFlowExecutionExceptionHandler or adding a new TransitionSet catching the error into clientAction.

See some example from org.apereo.cas.web.flow.configurer.DefaultWebflowConfigurer

See as well https://github.com/apereo/cas/pull/3138 that shows how the webflow can be modify in the case of pac4j

[Oscar del Pozo]

Hi Francis,

Modify the webflow by adding a new TransitionExecutingFlowExecutionExceptionHandler or adding a new TransitionSet catching the error into clientAction.

That's exactly what I have done right now and it's working. Thanks for your answer!