CAS 7.x and Google Authenticator JPA device registration problem


Klaus-Dieter Krannich

Oct 22, 2024, 1:35:23 AM10/22/24
to CAS Community
Hello,

we use CAS version 6.6 in production with multifactor authentication using Google Authenticator (cas-server-support-gauth) and persistent device registration in a MariaDB database (cas-server-support-gauth-jpa). This setup has been working for a long time without any problems.

But all our attempts to upgrade to a recent CAS version have failed. In CAS 7.x, no information is read from the CAS 6.6 registered devices table (Google_Authenticator_Registration_Record). If a user with an already registered device tries to authenticate, the device is not found and the "Your account is not registered" dialog is displayed. After registering a new device, the authentication completes, but the new device record is not written to the database table. However, the tokens used during this registration process are stored in the token table (Google_Authenticator_Token) as expected, so the database setup seems to be correct. If we use JSON or Redis as persistent device registration storage, everything works fine, but we had no success with either MariaDB or PostgreSQL.

Does anyone have a working CAS 7.x configuration with Google Authenticator and persistent device records stored in a database? Any hints or suggestions on how to solve this issue are welcome.

  Klaus-Dieter 


Klaus-Dieter Krannich

Oct 31, 2024, 9:34:42 AM10/31/24
to cas-...@apereo.org
Ok, answering myself.

It is probably an autoconfiguration problem. 

We have in 
GoogleAuthenticatorAuthenticationEventExecutionPlanConfiguration.java:
296         @ConditionalOnMissingBean(name = "googleAuthenticatorAccountRegistry")
297         @Bean
298         @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
299         public OneTimeTokenCredentialRepository googleAuthenticatorAccountRegistry(
300             final ConfigurableApplicationContext applicationContext,
(this initializes the default JSON/REST/in-memory repository)
and in 
CasGoogleAuthenticatorJpaAutoConfiguration.java
70         @Bean
71         @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
72         @ConditionalOnMissingBean(name = "googleAuthenticatorAccountRegistry")
73         public OneTimeTokenCredentialRepository googleAuthenticatorAccountRegistry(
74             @Qualifier("googleAuthenticatorInstance")
(this initializes the JPA repository)
So it depends on the execution order which of the two is available in the application.

For me the following solution works. Delete line 72 in CasGoogleAuthenticatorJpaAutoConfiguration.java, put the file in the war-overlay, rebuild CAS and JPA device registration works again.

  Best regards 

       Klaus-Dieter 
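The race the poster describes, reduced to a stand-alone Spring Boot example (added here, not CAS code and not the poster's fix): two auto-configurations both guard a bean of the same name with @ConditionalOnMissingBean, so whichever class is processed first wins. The class and bean names (AccountRegistry, accountRegistry, DefaultRegistryAutoConfiguration, JpaRegistryAutoConfiguration) are invented for the example; the `before` attribute on @AutoConfiguration is Spring Boot's own way of pinning the order, shown as an alternative to deleting the annotation, and the CommandLineRunner is the check that tells you which implementation actually got wired.

```java
import org.springframework.boot.CommandLineRunner;
import org.springframework.boot.autoconfigure.AutoConfiguration;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

// Hypothetical registry abstraction with two backends (names invented for this example).
interface AccountRegistry {}
class InMemoryAccountRegistry implements AccountRegistry {}
class JpaAccountRegistry implements AccountRegistry {}

// Default backend, analogous to the JSON/REST/in-memory repository in the thread.
// Both auto-configurations must be listed in
// META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports;
// @ConditionalOnMissingBean is only reliable on auto-configuration classes.
@AutoConfiguration
class DefaultRegistryAutoConfiguration {
    @Bean
    @ConditionalOnMissingBean(name = "accountRegistry")
    AccountRegistry accountRegistry() {
        return new InMemoryAccountRegistry();
    }
}

// Persistent backend, analogous to the JPA module. Without the `before` attribute
// the condition on both classes is evaluated in processing order, and if this class
// is processed second its bean is silently skipped: the symptom seen in the thread.
// Declaring `before` makes this class win deterministically while keeping the guard.
@AutoConfiguration(before = DefaultRegistryAutoConfiguration.class)
class JpaRegistryAutoConfiguration {
    @Bean
    @ConditionalOnMissingBean(name = "accountRegistry")
    AccountRegistry accountRegistry() {
        return new JpaAccountRegistry();
    }
}

// Startup check: log which implementation was actually wired, so a mis-ordered
// auto-configuration is visible at boot instead of as missing rows in the database.
@Configuration
class RegistryWiringCheck {
    @Bean
    CommandLineRunner reportRegistryImplementation(ApplicationContext ctx) {
        return args -> System.out.println("accountRegistry is "
                + ctx.getBean("accountRegistry").getClass().getSimpleName());
    }
}
```

With the `before` attribute present the runner reports JpaAccountRegistry; remove it and the result depends on the order of the two entries in the imports file.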

