Gauth multifactor auth with CAS 6.4.0


Michele Andreoli

Sep 22, 2021, 3:46:29 AM9/22/21
to CAS Community
Hi,

I'm trying to configure the multifactor authentication with Google Authenticator provider on CAS 6.4.0.

If I start CAS, everything goes well and I'm able to register my device with the generated QR code and log in.
If I reboot CAS, when it asks me for a token at login, the token generated by my registered device is not valid. So I need to delete the QR code data (gauthCredentialRepository inside MongoDB, for example) and regenerate a new QR code.

I see that, calling the actuator endpoint after the first login:
GET /cas/actuator/gauthCredentialRepository
The response was:
[
    {
        "@class": "org.apereo.cas.gauth.credential.GoogleAuthenticatorAccount",
        "scratchCodes": [
            71727014,
            10026393,
            53569943,
            99181679,
            11527675
        ],
        "id": 1632236034928,
        "secretKey": "PGCKVHVFTQNCYRK4GJASSALFYTJM5ZIC",
        "validationCode": 194284,
        "username": "fd",
        "name": "charming_penicillin",
        "registrationDate": "2021-09-21T16:53:54.928+02:00"
    }
]

After rebooting CAS, if I call the same actuator endpoint, I see that the secret key is missing:
[
    {
        "@class": "org.apereo.cas.gauth.credential.GoogleAuthenticatorAccount",
        "scratchCodes": [
            71727014,
            10026393,
            53569943,
            99181679,
            11527675
        ],
        "id": 1632236034928,
        "validationCode": 194284,
        "username": "fd",
        "name": "charming_penicillin",
        "registrationDate": "2021-09-21T16:53:54.928+02:00"
    }
]

Is there a way to fix this issue?

Michele Andreoli

Sep 27, 2021, 4:33:36 AM9/27/21
to CAS Community, Michele Andreoli
Solved! I was missing some configuration in application.properties:

cas.authn.mfa.gauth.crypto.encryption.key=***
cas.authn.mfa.gauth.crypto.encryption.keySize=256
cas.authn.mfa.gauth.crypto.signing.key=***
cas.authn.mfa.gauth.crypto.signing.keySize=512

So after a reboot, CAS will take these keys instead of generating new ones.
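The following Python simulation is an added illustration of the failure mode in this thread; it is not CAS code and not code from either poster. It models a credential repository that stores the Google Authenticator secret encrypted under an at-rest key: when the `cas.authn.mfa.gauth.crypto.*.key` properties (names taken from the post above) are absent, a fresh random key is drawn on every boot, so the record written on boot 1 cannot be unsealed on boot 2 and the `secretKey` field disappears, exactly like the second actuator response. The cipher here is a deliberately simple HMAC-keystream encrypt-then-MAC construction standing in for whatever CAS actually uses, the demo secret is constructed, and the TOTP routine is plain RFC 6238 (SHA-1, 30 s, 6 digits).

```python
import base64
import hashlib
import hmac
import os
import struct
import time

# Property names as they appear in the thread's application.properties.
ENC_KEY_PROP = "cas.authn.mfa.gauth.crypto.encryption.key"
SIGN_KEY_PROP = "cas.authn.mfa.gauth.crypto.signing.key"


def boot_keys(config):
    """Resolve the at-rest keys for one 'boot'. A key pinned in config is reused;
    a missing key is generated fresh, so it differs from the previous boot's key
    (this is the behaviour the thread describes, modelled here as an assumption)."""
    enc = config.get(ENC_KEY_PROP)
    sig = config.get(SIGN_KEY_PROP)
    enc_key = enc.encode() if enc else os.urandom(32)   # 256-bit, as keySize=256
    sign_key = sig.encode() if sig else os.urandom(64)  # 512-bit, as keySize=512
    return enc_key, sign_key


def _keystream(enc_key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(plaintext, enc_key, sign_key):
    """Toy encrypt-then-MAC: HMAC keystream XOR plus an HMAC tag over nonce||ct.
    Stand-in for CAS's real wrapping; only the key-lifetime effect matters here."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(sign_key, nonce + ct, hashlib.sha256).digest()
    return base64.b64encode(nonce + ct + tag).decode()


def unseal(token, enc_key, sign_key):
    """Return the plaintext, or None when the tag does not verify under this boot's key."""
    raw = base64.b64decode(token)
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    expected = hmac.new(sign_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def register(repo, username, secret_b32, keys):
    """Persist a new account; only the sealed secretKey reaches storage."""
    repo[username] = {"username": username, "secretKey": seal(secret_b32.encode(), *keys)}


def load(repo, username, keys):
    """Read an account back. An unreadable secret is dropped from the view,
    which matches the post-reboot actuator output in the thread."""
    record = dict(repo[username])
    plain = unseal(record["secretKey"], *keys)
    if plain is None:
        del record["secretKey"]
    else:
        record["secretKey"] = plain.decode()
    return record


def hotp(secret, counter, digits=6):
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return code % (10 ** digits)


def totp(secret, timestamp, step=30, digits=6):
    return hotp(secret, int(timestamp) // step, digits)


def validate(account, code, timestamp):
    """Server-side check of the code shown by the user's authenticator app."""
    if "secretKey" not in account:
        return False
    secret = base64.b32decode(account["secretKey"])
    return any(totp(secret, timestamp + d * 30) == code for d in (-1, 0, 1))  # +/-1 step drift


def simulate(config_first_boot, config_second_boot):
    """Boot, register, 'reboot' with the keys resolved from a second config, validate."""
    repo = {}
    secret_b32 = base64.b32encode(b"constructed-demo-secret!").decode()  # constructed value
    register(repo, "fd", secret_b32, boot_keys(config_first_boot))
    account = load(repo, "fd", boot_keys(config_second_boot))
    now = int(time.time())
    user_code = totp(base64.b32decode(secret_b32), now)  # the phone still has the secret
    return {"secret_present": "secretKey" in account,
            "token_valid": validate(account, user_code, now)}


if __name__ == "__main__":
    pinned = {ENC_KEY_PROP: "pinned-encryption-key", SIGN_KEY_PROP: "pinned-signing-key"}
    print("keys absent :", simulate({}, {}))          # secret lost, token rejected
    print("keys pinned :", simulate(pinned, pinned))  # secret survives, token accepted
```

The pinned keys are the only thing that lets the second boot read what the first boot wrote, so they need the same handling as any other long-lived secret: generated once at the configured size, stored outside the repository, and backed up alongside the credential store, since losing them is equivalent to losing every enrolled device.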

Julio Romero

Sep 22, 2022, 2:23:49 AM9/22/22
to CAS Community, Michele Andreoli
Thanks Michele, I was scratching my head on this same issue.
Setting the encryption keys in the properties file makes sense so that the codes will be decrypted accordingly between restarts of CAS server.


Regards,
Julio
