CAS 6.6 with Yubikey


Hartmut Trüe

Sep 20, 2023, 7:05:26 AM
to CAS Community
Hello,

I am trying to get CAS running with MFA.

I configured mfa-simple, mfa-yubikey and mfa-u2f. 
mfa-simple is working as expected, the other two do not.

Trying mfa-yubikey:
After entering username and password it asks me for a token and a device name. If I enter an OTP in the token field, the message is "Unable to register your YubiKey device for authentication. Provided token may be invalid, expired or otherwise compromised."
and the logs:
2023-09-20 12:39:00,999 DEBUG [org.apereo.cas.adaptors.yubikey.YubiKeyMultifactorAuthenticationProvider] - <Pinging YubiKey API endpoint at [https://api.yubico.com/wsapi/2.0/verify]>
2023-09-20 12:39:01,100 DEBUG [org.apereo.cas.util.http.SimpleHttpClient] - <Response code received from server matched [200].>
2023-09-20 12:39:01,100 DEBUG [org.apereo.cas.adaptors.yubikey.YubiKeyMultifactorAuthenticationProvider] - <Received YubiKey ping response [h=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
t=2023-09-20T10:39:01Z0089
status=MISSING_PARAMETER
...
2023-09-20 12:42:18,467 ERROR [org.apereo.cas.adaptors.yubikey.DefaultYubiKeyAccountValidator] - <The OTP is too short to be valid>
or
2023-09-20 12:41:11,292 ERROR [org.apereo.cas.adaptors.yubikey.DefaultYubiKeyAccountValidator] - <The OTP is not a valid format>

Then I tried YubiKey U2F: after entering username and password, a page appears with "Please touch the flashing U2F device now." I would expect a popup for the FIDO PIN, but nothing happens. The device (5C NFC) is connected via USB, but it is not flashing and touching it has no effect.

It is all on Windows 11 with Firefox 117 and Chrome 117.

What am I missing? Any ideas or hints?

Regards,
Hartmut
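Added example (not part of the thread and not CAS code): the two ERROR lines quoted above come from CAS's own check of the OTP string before it ever talks to Yubico, and the ping response with status=MISSING_PARAMETER is the documented answer of the Yubico validation API to a request that lacks its required parameters (id, otp, nonce), which a bare reachability ping does, so that line says nothing about the OTP itself. The Python below reproduces the shape of those format checks, extracts the public ID a server compares against a registered device, builds the verify query and parses a key=value response such as the one in the log. Assumed, not taken from the page: the length bounds of 32 to 48 modhex characters (the bounds Yubico's own client libraries use; a factory YubiKey emits 12 + 32 = 44), the nonce length of 16 to 40 characters from the v2.0 protocol, and all function and constant names, which are mine.

```python
"""YubiKey OTP format checks and Yubico validation-protocol helpers.

Added example; constants follow Yubico's validation protocol v2.0 and Yubico's
client libraries (assumption: 32..48 modhex characters, default 12 + 32 = 44).
"""
import re
import secrets
from typing import Dict, Optional, Tuple

MODHEX_ALPHABET = "cbdefghijklnrtuv"   # "modhex": chosen to survive keyboard layouts
OTP_MIN_LEN = 32                        # the encrypted part alone, no public ID
OTP_MAX_LEN = 48                        # up to 16 characters of public ID in front
TOKEN_PART_LEN = 32                     # the AES-encrypted part is always 32 chars
VERIFY_URL = "https://api.yubico.com/wsapi/2.0/verify"  # endpoint seen in the CAS log
_MODHEX_RE = re.compile(r"^[cbdefghijklnrtuv]+$")


def check_otp_format(otp: str) -> Tuple[bool, str]:
    """Return (ok, reason). Reasons use the wording seen in the CAS log."""
    s = otp.strip()
    if len(s) < OTP_MIN_LEN:
        return False, "The OTP is too short to be valid"
    if len(s) > OTP_MAX_LEN:
        return False, "The OTP is too long to be valid"
    if not _MODHEX_RE.fullmatch(s):
        # A YubiKey only ever types modhex; anything else means the field
        # received something other than a key press (pasted text, a password ...).
        return False, "The OTP is not a valid format"
    return True, "ok"


def public_id(otp: str) -> str:
    """Everything before the 32-char encrypted part identifies the key."""
    ok, reason = check_otp_format(otp)
    if not ok:
        raise ValueError(reason)
    s = otp.strip()
    return s[: len(s) - TOKEN_PART_LEN]


def modhex_to_hex(modhex: str) -> str:
    """Decode modhex to plain hex, e.g. to compare a public ID with a stored one."""
    return "".join(format(MODHEX_ALPHABET.index(ch), "x") for ch in modhex)


def build_verify_query(client_id: int, otp: str, nonce: Optional[str] = None) -> Dict[str, str]:
    """Query parameters for GET VERIFY_URL; id, otp and nonce are all required."""
    ok, reason = check_otp_format(otp)
    if not ok:
        raise ValueError(reason)
    # Protocol: nonce is 16..40 characters of random data; 32 hex chars fits.
    nonce = nonce or secrets.token_hex(16)
    return {"id": str(client_id), "otp": otp.strip(), "nonce": nonce}


def parse_verify_response(body: str) -> Dict[str, str]:
    """Yubico answers with key=value lines: h is the signature, t the timestamp."""
    fields: Dict[str, str] = {}
    for line in body.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def response_accepted(fields: Dict[str, str], sent_otp: str, sent_nonce: str) -> bool:
    """Accept only status=OK that echoes our own otp and nonce, so a replayed or
    unrelated response cannot be mistaken for a successful verification."""
    return (fields.get("status") == "OK"
            and fields.get("otp") == sent_otp
            and fields.get("nonce") == sent_nonce)


if __name__ == "__main__":
    # Constructed sample shaped like the ping response in the log; not a real key.
    ping_body = "h=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=\nt=2023-09-20T10:39:01Z0089\nstatus=MISSING_PARAMETER"
    print("ping status:", parse_verify_response(ping_body)["status"])
    sample_otp = "cccccccccccc" + "b" * 32          # constructed, not a real OTP
    print(check_otp_format("ccc"))
    print(check_otp_format(sample_otp), public_id(sample_otp), modhex_to_hex(public_id(sample_otp)))
    print(build_verify_query(12345, sample_otp, nonce="0123456789abcdef"))
```

A practical use of the first two functions when debugging the "too short" error is to log the length and character set of what actually arrived in the token field: if a password manager or browser autofill put something other than 44 modhex characters there, the OTP never reaches Yubico at all.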

spfma...@e.mail.fr

Sep 20, 2023, 8:35:01 AM
to cas-...@apereo.org
Hi,
 
I have spent a lot of time trying to understand how the internals of CAS Webflow are working during the last weeks, and I have made some progress.
 
 
 
package org.example.something;

import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.web.flow.CasWebflowConstants;
import org.apereo.cas.web.flow.configurer.AbstractCasWebflowConfigurer;

import lombok.extern.slf4j.Slf4j;
import lombok.val;

import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.webflow.definition.registry.FlowDefinitionRegistry;
import org.springframework.webflow.engine.Flow;
import org.springframework.webflow.engine.ViewState;
import org.springframework.webflow.engine.builder.support.FlowBuilderServices;

// Custom webflow configurer; CAS calls doInitialize() while building the login flow.
@Slf4j
public class SomethingWebflowConfigurer extends AbstractCasWebflowConfigurer {

    public SomethingWebflowConfigurer(final FlowBuilderServices flowBuilderServices,
                                      final FlowDefinitionRegistry flowDefinitionRegistry,
                                      final ConfigurableApplicationContext applicationContext,
                                      final CasConfigurationProperties casProperties) {
        super(flowBuilderServices, flowDefinitionRegistry, applicationContext, casProperties);
    }

    @Override
    protected void doInitialize() {
        // the login flow is null if the registry does not (yet) contain it
        val flow = super.getLoginFlow();
        LOGGER.debug("[TESTING] doInitialize@SomethingWebflowConfigurer flow={}", flow);

        if (flow != null) {
            tweakFlow(flow);
        }
    }

    protected void tweakFlow(final Flow flow) {
        LOGGER.debug("[TESTING] tweakFlow@SomethingWebflowConfigurer flow={}", flow);
        // the view state that renders the login form
        val state = getState(flow, CasWebflowConstants.STATE_ID_VIEW_LOGIN_FORM, ViewState.class);
        // drop the "submit" transition that would lead to the real submit action ...
        state.getTransitionSet().remove(createTransitionForState(state,
            CasWebflowConstants.TRANSITION_ID_SUBMIT, CasWebflowConstants.STATE_ID_REAL_SUBMIT));
        // ... and instead send the state, by default, to the MFA-unavailable state
        createStateDefaultTransition(state, CasWebflowConstants.STATE_ID_MFA_UNAVAILABLE);
    }
}
 
Of course it's far from doing what I am expecting yet, but at least it is finally compiling and running:
 
What annoys me is that it's not logging anything.
 
Of course my CAS instance has an exhaustive "log4j.xml" configuration, and I get a lot of information in "cas.log" and on the console.
 
But nothing in this case.
 
I first thought it was not working or was ignored, but no, having a look at the JSON dump of the webflows reveals the creation operations have been executed.
 
What did I miss?
 
Regards



spfma...@e.mail.fr

Sep 21, 2023, 6:47:50 AM
to cas-...@apereo.org
Hi,
 
For this one, I was able to find the solution myself after a break of several hours: package "org.example.something" was not related to any already configured logger.
 
So with these statements and a restart it's much better :-)
<Logger name="org.example.something" level="debug">
<appender-ref ref="casFile" />
<appender-ref ref="casConsole" />
</Logger>
 
Regards
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/9ca79e528f7a43ecdc112da69b010c4995ad10c3%40mail.de.

Hartmut Trüe

Oct 19, 2023, 8:10:25 AM
to CAS Community, spfma...@e.mail.fr
I don't understand the connection to my post ... ideas for my problem would be appreciated.

Regards,
Hartmut

Jérôme Rautureau

Dec 16, 2023, 4:01:22 AM
to CAS Community
Hello Trüe

Same thing here with YubiKey too.

But have you tried mfa-webauthn? It's working out of the box in CAS 6.5.9.4.

But you're right, the U2F screen doesn't seem to be working correctly.

Like you, the YubiKey flashes, but touching it does nothing to CAS.

We would prefer to use U2F with YubiKey rather than mfa-webauthn.

Thanks
