CAS 6.3.x + Google Auth as 2FA


Bartosz Nitkiewicz

Apr 13, 2021, 7:04:10 AM
to CAS Community
Hi,
The setup looks like this:

CAS + Vault (config file) + LDAP + 2FA (mfa-gauth) + Redis for gauth and ticket registration.

While testing before the production deployment I noticed that a user can be authorized by providing username and password, and when asked for the GAuth token it can be anything (even one character) and CAS will pass it through. I don't know where my mistake is:

Here is my config from Vault:

 
"cas.authn.mfa.gauth.crypto.encryption.key": "[redacted]",
"cas.authn.mfa.gauth.crypto.signing.key": "[redacted]",
"cas.authn.mfa.gauth.issuer": "CAS",
"cas.authn.mfa.gauth.label": "CAS",
"cas.authn.mfa.gauth.multiple-device-registration-enabled": "false",
"cas.authn.mfa.gauth.redis.database": "0",
"cas.authn.mfa.gauth.redis.host": "localhost",
"cas.authn.mfa.gauth.redis.password": "[redacted]",
"cas.authn.mfa.gauth.redis.port": "6379",
"cas.authn.mfa.gauth.redis.read-from": "MASTER",
"cas.authn.mfa.gauth.redis.timeout": "2000",
"cas.authn.mfa.gauth.redis.use-ssl": "false",
"cas.authn.mfa.global-provider-id": "mfa-gauth",
"cas.authn.mfa.triggers.principal.global-principal-attribute-name-triggers": "memberOf",
"cas.authn.mfa.triggers.principal.global-principal-attribute-value-regex": "[redacted]"

Maybe it's the ticket registry in Redis:

"cas.ticket.registry.redis.crypto.alg": "AES",
"cas.ticket.registry.redis.crypto.enabled": "false",
"cas.ticket.registry.redis.crypto.encryption.key": "",
"cas.ticket.registry.redis.crypto.encryption.key-size": "16",
"cas.ticket.registry.redis.crypto.signing.key": "",
"cas.ticket.registry.redis.crypto.signing.key-size": "512",
"cas.ticket.registry.redis.database": "1",
"cas.ticket.registry.redis.host": "localhost",
"cas.ticket.registry.redis.password": "[redacted]",
"cas.ticket.registry.redis.pool.enabled": "false",
"cas.ticket.registry.redis.pool.fairness": "false",
"cas.ticket.registry.redis.pool.lifo": "true",
"cas.ticket.registry.redis.pool.max-active": "8",
"cas.ticket.registry.redis.pool.max-idle": "8",
"cas.ticket.registry.redis.pool.max-wait": "-1",
"cas.ticket.registry.redis.pool.min-evictable-idle-time-millis": "0",
"cas.ticket.registry.redis.pool.min-idle": "0",
"cas.ticket.registry.redis.pool.num-tests-per-eviction-run": "0",
"cas.ticket.registry.redis.pool.soft-min-evictable-idle-time-millis": "0",
"cas.ticket.registry.redis.pool.test-on-borrow": "false",
"cas.ticket.registry.redis.pool.test-on-create": "false",
"cas.ticket.registry.redis.pool.test-on-return": "false",
"cas.ticket.registry.redis.pool.test-while-idle": "false",
"cas.ticket.registry.redis.port": "6379",
"cas.ticket.registry.redis.timeout": "2000",
"cas.ticket.registry.redis.use-ssl": "false",

Any hints?
Regards
Bartek
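Independent of which CAS build fixes this, here is what a correct one-time-token check looks like, as an added example for this thread (my own Python, not CAS code). The enrolled secret is the RFC 6238 test-vector key, base32-encoded, and the account store is a plain dict; both are constructed for the example. The point is that an empty or one-character token is rejected before any HMAC is computed, a code is only accepted if it matches one of the three 30-second time steps around now, an account without an enrolment fails closed, and a code that already logged the account in cannot be replayed:

```python
"""
Reference one-time-token check (RFC 4226 HOTP / RFC 6238 TOTP) with the guards
a second factor needs. Added example written for this thread, not CAS code:
  - the token must be exactly six ASCII digits, so "" or "1" never reach the HMAC
  - the expected code is recomputed from the enrolled secret and compared in
    constant time, with a +/-1 step (30 s) clock-skew window
  - a time step that already authenticated the account cannot be replayed
"""
import base64
import hashlib
import hmac
import re
import struct
import time

STEP_SECONDS = 30
DIGITS = 6
SKEW_STEPS = 1
TOKEN_RE = re.compile(r"[0-9]{%d}" % DIGITS)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP over the number of `step`-second intervals since the epoch."""
    return hotp(base64.b32decode(secret_b32, casefold=True), at // step)


class OneTimeTokenValidator:
    """Checks a submitted code against the account's enrolled (base32) secret."""

    def __init__(self, enrolled_secrets: dict):
        self._secrets = enrolled_secrets   # account -> base32 secret (constructed store)
        self._used_steps = {}              # account -> set of time steps already accepted

    def validate(self, account: str, token: str, now: int = None) -> bool:
        now = int(time.time()) if now is None else now
        secret_b32 = self._secrets.get(account)
        if secret_b32 is None:
            return False                   # no enrolment: fail closed, never pass through
        if not TOKEN_RE.fullmatch(token):
            return False                   # "anything, even one character" stops here
        secret = base64.b32decode(secret_b32, casefold=True)
        current = now // STEP_SECONDS
        for step in range(current - SKEW_STEPS, current + SKEW_STEPS + 1):
            if hmac.compare_digest(hotp(secret, step), token):
                used = self._used_steps.setdefault(account, set())
                if step in used:
                    return False           # same code re-submitted inside its window
                used.add(step)
                return True
        return False


if __name__ == "__main__":
    # Secret from the RFC 6238 test vectors ("12345678901234567890"), base32-encoded.
    store = {"bartek": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"}
    v = OneTimeTokenValidator(store)
    code = totp(store["bartek"], 59)       # "287082" per the RFC 4226 vector for counter 1
    for submitted in ("1", "", "000000", code, code):
        print(repr(submitted), v.validate("bartek", submitted, now=59))
```

The same five submissions are a useful smoke test against a real CAS deployment: only the fourth should log you in, and the fifth (the same code again) should not.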

Philippe MARASSE

Apr 13, 2021, 8:06:08 AM
to cas-...@apereo.org
Hello,

It has been fixed here: https://github.com/apereo/cas/commit/e7cb3b8b44867addcb6b8510cbbed45cbc9b265f

Verify that your version of CAS is newer than that commit; then it should be fine.

Regards
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/3aac5f3d-d9a7-4455-9639-bf8ce2be695en%40apereo.org.


-- 
Philippe MARASSE

Responsable pôle Infrastructures - DSIO
Centre Hospitalier Henri Laborit
CS 10587 - 370 avenue Jacques Cœur 
86021 Poitiers Cedex
Tel : 05.49.44.57.19

Bartosz Nitkiewicz

Apr 13, 2021, 8:24:52 AM
to CAS Community, Philippe MARASSE
I have CAS v6.3.2, which is quite new, but I'm not sure if it's newer than this patch.
Hmm, I cloned this overlay https://github.com/apereo/cas-overlay-template/tree/6.3 with the latest commit 995813b on 14 Feb.


So how do I make it work? I don't want to build CAS from sources: https://github.com/apereo/cas/tree/e7cb3b8b44867addcb6b8510cbbed45cbc9b265f

I'm wondering where this GoogleAuthenticatorOneTimeTokenCredentialValidator.java file ends up after the build. Maybe it's possible to replace/edit it?
Regards 
Bartek


Philippe MARASSE

Apr 13, 2021, 9:22:29 AM
to Bartosz Nitkiewicz, CAS Community
A good question indeed :-)

I took a look at my overlay; it seems that I only overloaded the flawed class from the commit:

cas-overlay/src/main/java/org/apereo/cas/gauth/credential/GoogleAuthenticatorOneTimeTokenCredentialValidator.java

CAS 6.3.2 is older than the patch, I think.

So:
  - fetch the CAS sources from GitHub
  - copy GoogleAuthenticatorOneTimeTokenCredentialValidator.java into your overlay
  - build your overlay

and test it :-).

Regards.

Bartosz Nitkiewicz

Apr 13, 2021, 10:04:22 AM
to CAS Community, Philippe MARASSE, Bartosz Nitkiewicz
I have cloned the CAS sources and copied cas/support/cas-server-support-gauth-core/src/main/java/org/apereo/cas/gauth/credential/GoogleAuthenticatorOneTimeTokenCredentialValidator.java to cas-overlay-template/src/main/java/org/apereo/cas/gauth/credential/GoogleAuthenticatorOneTimeTokenCredentialValidator.java

and I get the build issues below:


Maybe there is another way?

Łukasz Woźniak

Apr 13, 2021, 10:30:47 AM
to cas-...@apereo.org, Philippe MARASSE, Bartosz Nitkiewicz
Hi, I have CAS 6.3.2 with Google MFA and it works. Don't change the config cas.authn.mfa.gauth.name; it should stay mfa-gauth.

Philippe MARASSE

Apr 13, 2021, 10:31:16 AM
to Bartosz Nitkiewicz, CAS Community
Whoops :-), I just forgot some other modifications; here's the whole diff file:

https://dpaste.com/GWJ5L7F59

Regards.

Łukasz Woźniak

Apr 13, 2021, 10:32:13 AM
to cas-...@apereo.org, Philippe MARASSE, Bartosz Nitkiewicz
It should stay mfa-gauth. Sorry, phone dictionary problem 😀

Bartosz Nitkiewicz

Apr 13, 2021, 10:46:20 AM
to CAS Community, Łukasz Woźniak, Philippe MARASSE, Bartosz Nitkiewicz
Thanks for the reply. It looks like building CAS 6.3.3 solves the gauth issue. This is the latest stable CAS version.
Once again, thank you.

Bartosz Nitkiewicz

Apr 13, 2021, 10:47:36 AM
to CAS Community, Łukasz Woźniak, Philippe MARASSE, Bartosz Nitkiewicz
It looks like it is working indeed. But you can provide any number and CAS authorizes the user. Check it twice ;)

He vincent

Jun 4, 2021, 5:21:50 AM
to CAS Community, Bartosz Nitkiewicz, Łukasz Woźniak, Philippe MARASSE
Hi, I got the same issue. I have upgraded to 6.3.3 and it works now, but I get a Java exception when I enter a wrong verification code. It seems unfriendly.
Here are the error logs:
2021-06-04 16:57:44,260 ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [GoogleAuthenticatorTokenCredential(super=OneTimeTokenCredential(token=123456), accountId=1617172741294)] of type [GoogleAuthenticatorTokenCredential]. Examine the configuration to ensure a method of authentication is defined and analyze CAS logs at DEBUG level to trace the authentication event.>
2021-06-04 16:57:44,260 ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[castest]: [Secret cannot be null.]>
2021-06-04 16:57:44,260 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: 123456
WHAT: Supplied credentials: [GoogleAuthenticatorTokenCredential(super=OneTimeTokenCredential(token=123456), accountId=1617172741294)]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Fri Jun 04 16:57:44 CST 2021
CLIENT IP ADDRESS: 10.13.12.54
SERVER IP ADDRESS: 10.13.23.92
=============================================================

>
2021-06-04 16:57:44,260 ERROR [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - <1 errors, 0 successes>
org.apereo.cas.authentication.AuthenticationException: 1 errors, 0 successes
        at org.apereo.cas.authentication.PolicyBasedAuthenticationManager.evaluateFinalAuthentication(PolicyBasedAuthenticationManager.java:340) ~[cas-server-core-authentication-api-6.3.3.jar!/:6.3.3]
        at org.apereo.cas.authentication.PolicyBasedAuthenticationManager.authenticateInternal(PolicyBasedAuthenticationManager.java:318) ~[cas-server-core-authentication-api-6.3.3.jar!/:6.3.3]
        at org.apereo.cas.authentication.PolicyBasedAuthenticationManager.authenticate(PolicyBasedAuthenticationManager.java:63) ~[cas-server-core-authentication-api-6.3.3.jar!/:6.3.3]
        at org.apereo.cas.authentication.PolicyBasedAuthenticationManager$$FastClassBySpringCGLIB$$90e801d3.invoke(<generated>) ~[cas-server-core-authentication-api-6.3.3.jar!/:6.3.3]
        at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218) ~[spring-core-5.2.12.RELEASE.jar!/:5.2.12.RELEASE]
        at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:771) ~[spring-aop-5.2.12.RELEASE.jar!/:5.2.12.RELEASE]
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163) ~[spring-aop-5.2.12.RELEASE.jar!/:5.2.12.RELEASE]
        at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:749) ~[spring-aop-5.2.12.RELEASE.jar!/:5.2.12.RELEASE]
        at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:88) ~[spring-aop-5.2.12.RELEASE.jar!/:5.2.12.RELEASE]
        at org.apereo.inspektr.audit.AuditTrailManagementAspect.handleAuditTrail(AuditTrailManagementAspect.java:135) ~[inspektr-audit-1.8.10.GA.jar!/:1.8.10.GA]
        at jdk.internal.reflect.GeneratedMethodAccessor178.invoke(Unknown Source) ~[?:?]
        at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
        at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
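A DEBUG-level trace helps with the exception, but the audit records above are what you would actually watch in production: repeated AUTHENTICATION_FAILED entries for GoogleAuthenticatorTokenCredential from one client IP against one accountId are what guessing a 6-digit code looks like. The following is an added example (my own Python, not CAS or Inspektr code) that parses records in the layout shown in this post and flags such bursts. The log sample is constructed in that same layout with assumed IPs, tokens and timestamps; the detector keys on accountId because WHO in these records carries the submitted token rather than a username:

```python
"""
Detection over CAS/Inspektr audit-trail records of the shape shown in the
thread: flag a client IP that accumulates repeated AUTHENTICATION_FAILED
events for GoogleAuthenticatorTokenCredential against one accountId inside
a short window, i.e. someone guessing 6-digit codes. Added example written
for this thread, not CAS code; the log sample below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

AUDIT_LOGGER = "org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager"
MFA_CREDENTIAL = "GoogleAuthenticatorTokenCredential"

# One record runs from the "<Audit trail record BEGIN" line to the lone ">" line.
RECORD_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})[^\n]*<Audit trail record BEGIN\n"
    r"(?P<body>.*?)\n>",
    re.S | re.M,
)
FIELD_RE = re.compile(r"^([A-Z ]+): (.*)$", re.M)
ACCOUNT_RE = re.compile(r"accountId=(\d+)")


def parse_audit_records(log_text):
    """Turn the multi-line Inspektr records into dicts keyed by their field names."""
    records = []
    for m in RECORD_RE.finditer(log_text):
        fields = {k.strip(): v.strip() for k, v in FIELD_RE.findall(m.group("body"))}
        fields["timestamp"] = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S,%f")
        # WHO carries the submitted token in these records, so key on accountId instead.
        acct = ACCOUNT_RE.search(fields.get("WHAT", ""))
        fields["accountId"] = acct.group(1) if acct else None
        records.append(fields)
    return records


def detect_otp_guessing(records, threshold=5, window=timedelta(seconds=60)):
    """Return (client_ip, accountId, total_failures) for pairs with >= threshold
    MFA failures inside any `window`-long span (sliding window over sorted times)."""
    failures = defaultdict(list)
    for r in records:
        if r.get("ACTION") != "AUTHENTICATION_FAILED":
            continue
        if MFA_CREDENTIAL not in r.get("WHAT", ""):
            continue
        failures[(r.get("CLIENT IP ADDRESS"), r["accountId"])].append(r["timestamp"])
    alerts = []
    for (client_ip, account_id), times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((client_ip, account_id, len(times)))
                break
    return alerts


def _audit_record(ts, token, account_id, action, client_ip):
    """Constructed record in the exact layout the thread's log shows."""
    return (
        f"{ts.strftime('%Y-%m-%d %H:%M:%S,%f')[:-3]} INFO [{AUDIT_LOGGER}] - <Audit trail record BEGIN\n"
        "=============================================================\n"
        f"WHO: {token}\n"
        f"WHAT: Supplied credentials: [{MFA_CREDENTIAL}(super=OneTimeTokenCredential(token={token}), accountId={account_id})]\n"
        f"ACTION: {action}\n"
        "APPLICATION: CAS\n"
        f"WHEN: {ts.strftime('%a %b %d %H:%M:%S CST %Y')}\n"
        f"CLIENT IP ADDRESS: {client_ip}\n"
        "SERVER IP ADDRESS: 10.13.23.92\n"
        "=============================================================\n"
        "\n"
        ">\n"
    )


_T0 = datetime(2021, 6, 4, 16, 57, 44)
# Constructed sample: six failures in six seconds from one IP against one account,
# one failure from another IP, one success, plus an unrelated ERROR line that the
# parser must not mistake for a record.
SAMPLE_LOG = (
    f"{_T0.strftime('%Y-%m-%d %H:%M:%S')},260 ERROR "
    "[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[castest]: [Secret cannot be null.]>\n"
    + "".join(
        _audit_record(_T0 + timedelta(seconds=i), f"{123456 + i:06d}", "1617172741294",
                      "AUTHENTICATION_FAILED", "10.13.12.54")
        for i in range(6)
    )
    + _audit_record(_T0 + timedelta(seconds=7), "654321", "1617172741294",
                    "AUTHENTICATION_FAILED", "10.13.12.55")
    + _audit_record(_T0 + timedelta(seconds=8), "111111", "1617172799999",
                    "AUTHENTICATION_SUCCESS", "10.13.12.54")
)

if __name__ == "__main__":
    for alert in detect_otp_guessing(parse_audit_records(SAMPLE_LOG)):
        print("possible OTP guessing: ip=%s accountId=%s failures=%d" % alert)
```

The threshold and window are assumptions to tune per site; with a six-digit code and a three-step acceptance window, an unthrottled guesser needs on the order of hundreds of thousands of attempts, so even a low threshold catches it early.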