Philippe MARASSE
Mar 9, 2021, 3:19:23 PM
to CAS Community
Folks,
Since we installed our new CAS v6.3.0 with MFA (gauth or u2f), we've run into a strange issue:
- TOTP registration works fine; the first check of the TOTP code is verified OK (a bad code is rejected, as expected).
- TOTP input is asked for before accessing a service, but whatever numerical input is sent, it is always accepted??
In other words: Google Authenticator TOTP does not work for us.
I've set trace level on the org.apereo.cas.gauth package, then used 1234 as the TOTP token (expected tokens are 6 digits long):
2021-03-09 20:59:30,214 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Attempting authentication of [1234] using [GoogleAuthenticatorAuthenticationHandler]>
2021-03-09 20:59:30,215 TRACE [org.apereo.cas.gauth.credential.GoogleAuthenticatorOneTimeTokenCredentialValidator] - <Received OTP [1234] assigned to account [1614873350660]>
2021-03-09 20:59:30,215 TRACE [org.apereo.cas.gauth.credential.GoogleAuthenticatorOneTimeTokenCredentialValidator] - <Received principal id [testuser]. Attempting to locate account in credential repository...>
2021-03-09 20:59:30,215 TRACE [org.apereo.cas.gauth.credential.RedisGoogleAuthenticatorTokenCredentialRepository] - <Fetching Google Authenticator records based on key [RedisGoogleAuthenticatorTokenCredentialRepository:testuser:*]>
2021-03-09 20:59:30,218 TRACE [org.apereo.cas.gauth.credential.GoogleAuthenticatorOneTimeTokenCredentialValidator] - <Attempting to locate OTP token [1234] in token repository for [testuser]...>
2021-03-09 20:59:30,219 TRACE [org.apereo.cas.gauth.token.GoogleAuthenticatorRedisTokenRepository] - <Locating token by identifier [testuser] using key [GoogleAuthenticatorRedisTokenRepository:testuser:1234]>
2021-03-09 20:59:30,220 DEBUG [org.apereo.cas.gauth.credential.GoogleAuthenticatorOneTimeTokenCredentialValidator] - <Attempting to authorize OTP token [1234]...>
2021-03-09 20:59:30,232 DEBUG [org.apereo.cas.gauth.GoogleAuthenticatorAuthenticationHandler] - <Validated OTP token [OneTimeToken(id=1615319970224, token=1234, userId=testuser, issuedDateTime=2021-03-09T20:59:30.224663)] successfully for [testuser]>
2021-03-09 20:59:30,232 TRACE [org.apereo.cas.gauth.token.GoogleAuthenticatorRedisTokenRepository] - <Saving token [OneTimeToken(id=1615319970224, token=1234, userId=testuser, issuedDateTime=2021-03-09T20:59:30.224663)] using key [GoogleAuthenticatorRedisTokenRepository:testuser:1234]>
2021-03-09 20:59:30,281 TRACE [org.apereo.cas.gauth.token.GoogleAuthenticatorRedisTokenRepository] - <Saved token [OneTimeToken(id=1615319970224, token=1234, userId=testuser, issuedDateTime=2021-03-09T20:59:30.224663)]>
2021-03-09 20:59:30,282 DEBUG [org.apereo.cas.gauth.GoogleAuthenticatorAuthenticationHandler] - <Creating authentication result and building principal for [testuser]>
2021-03-09 20:59:30,282 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication handler [GoogleAuthenticatorAuthenticationHandler] successfully authenticated [GoogleAuthenticatorTokenCredential(super=OneTimeTokenCredential(token=1234), accountId=1614873350660)]>
Our dependencies:
dependencies {
    implementation "org.apereo.cas:cas-server-support-ldap:${project.'cas.version'}"
    implementation "org.apereo.cas:cas-server-support-json-service-registry:${project.'cas.version'}"
    implementation "org.apereo.cas:cas-server-support-reports:${project.'cas.version'}"
    implementation "org.apereo.cas:cas-server-support-u2f:${project.'cas.version'}"
    implementation "org.apereo.cas:cas-server-support-u2f-redis:${project.'cas.version'}"
    implementation "org.apereo.cas:cas-server-support-gauth:${project.'cas.version'}"
    implementation "org.apereo.cas:cas-server-support-gauth-redis:${project.'cas.version'}"
    implementation "org.apereo.cas:cas-server-support-saml:${project.'cas.version'}"
    implementation "org.apereo.cas:cas-server-support-redis-ticket-registry:${project.'cas.version'}"
}
And the relevant configuration in cas.properties:
cas.authn.mfa.gauth.code-digits=6
cas.authn.mfa.gauth.time-step-size=30
cas.authn.mfa.gauth.rank=2
Any idea?
Regards.
--
Philippe MARASSE
Responsable pôle Infrastructures - DSIO
Centre Hospitalier Henri Laborit
CS 10587 - 370 avenue Jacques Cœur
86021 Poitiers Cedex
Tel : 05.49.44.57.19
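The behaviour in the trace above (a four-digit value accepted for a six-digit TOTP) is exactly what a validator must never do. As an added example that is not part of this post or of the CAS code base, here is a minimal RFC 6238 check in Python with the properties the poster expects from CAS: the submitted code must be exactly code-digits (6) characters long, it must match the HMAC-SHA1 value for the current 30-second time step (plus or minus one step of clock drift, an assumed tolerance), and a code already consumed for the same user is refused, which is the role the CAS token repository in the trace plays. The `TotpValidator` class, the in-memory consumed-token set and the sample secret (the RFC 6238 test key, not a real account) are constructions for this illustration.

```python
import hashlib
import hmac
import struct

DIGITS = 6       # same value as cas.authn.mfa.gauth.code-digits=6 in the post
TIME_STEP = 30   # same value as cas.authn.mfa.gauth.time-step-size=30 in the post
WINDOW = 1       # assumed tolerance: also accept the previous and next time step

# Constructed sample key: the shared secret of the RFC 6238 test vectors, not a real account.
SAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)


class TotpValidator:
    """Checks a submitted code and remembers consumed codes per user so none is replayed."""

    def __init__(self, secret: bytes, digits: int = DIGITS,
                 step: int = TIME_STEP, window: int = WINDOW):
        self.secret = secret
        self.digits = digits
        self.step = step
        self.window = window
        # Stands in for the (user, token) entries the CAS token repository keeps in the trace.
        self._consumed = set()

    def validate(self, user: str, submitted: str, unix_time: int) -> bool:
        # 1. Shape check: exactly `digits` decimal characters. A value such as "1234"
        #    is rejected here, before any HMAC is computed.
        if len(submitted) != self.digits or not submitted.isdigit():
            return False
        # 2. Replay check: a code already accepted for this user is never accepted again.
        if (user, submitted) in self._consumed:
            return False
        # 3. Compare against the codes of the surrounding time steps in constant time.
        current_step = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            expected = hotp(self.secret, current_step + delta, self.digits)
            if hmac.compare_digest(expected, submitted):
                self._consumed.add((user, submitted))
                return True
        return False


if __name__ == "__main__":
    v = TotpValidator(SAMPLE_SECRET)
    now = 59  # RFC 6238 test time; the matching 6-digit code is 287082
    print("1234   ->", v.validate("testuser", "1234", now))    # False: wrong length
    print("000000 ->", v.validate("testuser", "000000", now))  # False: wrong code
    print("287082 ->", v.validate("testuser", "287082", now))  # True
    print("replay ->", v.validate("testuser", "287082", now))  # False: already consumed
```

The three checks run in the order a production validator should use them: the cheap length check first, so malformed input never reaches the HMAC step, then the replay lookup, and only then the time-windowed comparison. If a deployment logs "Validated OTP token" for an input that fails the first check, as the trace above does, the validator has been bypassed or misconfigured and the MFA factor provides no protection until that is fixed.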