OAUTH 2.0 and requiredHandlers configuration


kanedb

Apr 30, 2019, 3:43:37 PM4/30/19
to CAS Community
Hi,
I'm using CAS 5.0.x with oauth, x509 and LDAP support.

Some services need to use x509 authn only, while others can use both x509 and LDAP.

I tried to configure some services to use x509 only with the requiredHandlers field, but had no success. CAS always displays the login page, asking for login+password (and also asks for x509 if I have a plugged-in smart card). The problem is that the login/password fields shouldn't be displayed for those services if x509 auth fails.

I have also tried to change the registry for oauth callback url to use those required handlers with no success.

Registry examples:
// APP-A: should work with login/pass or x509 auth
{
  "@class": "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
  "serviceId": "http://localhost/application-A",
  "name": "APP-A",
  "id": -2141454336,
  "description": "APP-A",
  "evaluationOrder": 1,
  "logoutType": "BACK_CHANNEL",
  "attributeReleasePolicy":
  {
    "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy",
    "principalAttributesRepository":
    {
      "@class": "org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository",
      "expiration": 2,
      "timeUnit": "HOURS"
    },
    "authorizedToReleaseCredentialPassword": false,
    "authorizedToReleaseProxyGrantingTicket": false
  },
  "accessStrategy":
  {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled": true,
    "ssoEnabled": true,
    "requireAllAttributes": true,
    "caseInsensitive": false
  },
  "clientSecret": "APP-A",
  "clientId": "APP-A",
  "bypassApprovalPrompt": false,
  "generateRefreshToken": true,
  "jsonFormat": false
}


// APP-B: should work with x509 auth only
{
  "@class": "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
  "serviceId": "http://localhost/application-B",
  "name": "APP-B",
  "id": -2141454336,
  "description": "APP-B",
  "evaluationOrder": 1,
  "logoutType": "BACK_CHANNEL",
  "attributeReleasePolicy":
  {
    "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy",
    "principalAttributesRepository":
    {
      "@class": "org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository",
      "expiration": 2,
      "timeUnit": "HOURS"
    },
    "authorizedToReleaseCredentialPassword": false,
    "authorizedToReleaseProxyGrantingTicket": false
  },
  "accessStrategy":
  {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled": true,
    "ssoEnabled": true,
    "requireAllAttributes": true,
    "caseInsensitive": false
  },
  "clientSecret": "APP-B",
  "clientId": "APP-B",
  "bypassApprovalPrompt": false,
  "generateRefreshToken": true,
  "jsonFormat": false,
  "requiredHandlers": [
    "java.util.HashSet",
    [
      "X509CredentialsAuthenticationHandler"
    ]
  ]
}


// oauth callback: tried requiredHandlers and without it
{
    "@class": "org.apereo.cas.services.RegexRegisteredService",
    "serviceId": "^https?://(localhost|127\\.0\\.0\\.1)(:\\d+)?/cas/idp/profile/SAML2/POST/SSO/Callback.+",
    "name": "CAS-LOCAL-SAML-WRAPPER-CALLBACK-URL",
    "id": 1298371932,
    "description": "Registro para o CAS-LOCAL-SAML-WRAPPER-CALLBACK-URL",
    "evaluationOrder": 0,
    "logoutType": "BACK_CHANNEL",
    "attributeReleasePolicy": {
        "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy",
        "principalAttributesRepository": {
            "@class": "org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository",
            "expiration": 2,
            "timeUnit": "HOURS"
        },
        "authorizedToReleaseCredentialPassword": false,
        "authorizedToReleaseProxyGrantingTicket": false
    },
    "multifactorPolicy": {
        "@class": "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
        "failureMode": "CLOSED"
    },
    "accessStrategy": {
        "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
        "enabled": true,
        "ssoEnabled": true,
        "requireAllAttributes": true,
        "caseInsensitive": false
    },
    "requiredHandlers": ["java.util.HashSet", ["X509CredentialsAuthenticationHandler"]]
}
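As an added example (not code from the post above or from the CAS project), here is a small Python linter for CAS JSON service-registry entries. It checks two things worth confirming before chasing the policy behaviour itself: that no two services share a numeric id (the two OAuth entries posted both carry -2141454336, and the JSON registry keys services by that id), and that every requiredHandlers field uses the ["java.util.HashSet", [ ... ]] shape CAS's Jackson configuration expects for a Set<String>, since a field written as a bare list will not be read back as the intended set. The sample registry embedded in the script is constructed from trimmed copies of the posted entries; the comment-stripping parser, the function names and the third entry's deliberately bare list are assumptions of this example.

```python
"""Lint CAS JSON service-registry entries for two pitfalls visible in the post:
duplicate numeric ids and a malformed requiredHandlers field.
Added example; not code from the original post or from the CAS project."""
import json
import re
from collections import Counter

# CAS serialises Set<String> fields with Jackson's type marker, so the shape it
# reads back for requiredHandlers is ["java.util.HashSet", [ ... ]].
TYPED_SET_MARKER = "java.util.HashSet"
WHITESPACE = re.compile(r"\s*")

# Constructed sample: trimmed copies of the three entries from the post. APP-A
# and APP-B keep the poster's colliding id; the callback entry is given a bare
# list for requiredHandlers on purpose, to show what the linter flags.
SAMPLE_REGISTRY = """
// APP-A: login/password or x509
{
  "@class": "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
  "serviceId": "http://localhost/application-A",
  "name": "APP-A",
  "id": -2141454336,
  "clientId": "APP-A"
}
// APP-B: x509 only
{
  "@class": "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
  "serviceId": "http://localhost/application-B",
  "name": "APP-B",
  "id": -2141454336,
  "clientId": "APP-B",
  "requiredHandlers": ["java.util.HashSet", ["X509CredentialsAuthenticationHandler"]]
}
// callback entry with requiredHandlers written as a bare list (malformed)
{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^https?://localhost/callback.+",
  "name": "CALLBACK",
  "id": 1298371932,
  "requiredHandlers": ["X509CredentialsAuthenticationHandler"]
}
"""


def parse_entries(text):
    """Parse one or more JSON objects from text. The CAS registry files in the
    post carry // line comments; the stdlib json module rejects them, so they
    are stripped before decoding object by object."""
    cleaned = "\n".join(line for line in text.splitlines()
                        if not line.lstrip().startswith("//"))
    decoder = json.JSONDecoder()
    entries, pos = [], 0
    while True:
        pos = WHITESPACE.match(cleaned, pos).end()
        if pos >= len(cleaned):
            break
        obj, pos = decoder.raw_decode(cleaned, pos)
        entries.append(obj)
    return entries


def check_required_handlers(entry):
    """Return ('absent', None), ('ok', set_of_names) or ('malformed', raw)."""
    field = entry.get("requiredHandlers")
    if field is None:
        return "absent", None
    well_formed = (isinstance(field, list) and len(field) == 2
                   and field[0] == TYPED_SET_MARKER
                   and isinstance(field[1], list)
                   and all(isinstance(h, str) and h for h in field[1]))
    if well_formed:
        return "ok", set(field[1])
    return "malformed", field


def lint(entries):
    """Return (service name, finding, detail) tuples for the whole registry."""
    findings = []
    id_counts = Counter(e.get("id") for e in entries)
    for e in entries:
        name = e.get("name", "<unnamed>")
        if id_counts[e.get("id")] > 1:
            findings.append((name, "duplicate-id", e.get("id")))
        status, detail = check_required_handlers(e)
        if status == "malformed":
            findings.append((name, "malformed-requiredHandlers", detail))
        elif status == "ok":
            findings.append((name, "requires", sorted(detail)))
    return findings


if __name__ == "__main__":
    for finding in lint(parse_entries(SAMPLE_REGISTRY)):
        print(*finding)
```

Run against a real registry directory by concatenating the *.json files into the text passed to parse_entries; the duplicate-id finding is the one to resolve first, because two files sharing an id are not two independent services from the registry's point of view.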