Google Authenticator JPA account not persisted


Jaanus Heinlaid

Mar 13, 2024, 3:17:06 PM
to CAS Community
Hi all,

I have upgraded to CAS 7.0.1 and using MFA provided by Google Authenticator.
The problem is that Google Authenticator accounts don't get persisted into
the "google_authenticator_registration_record" database table, forcing users
to rescan the QR Code again after CAS is restarted.

The tokens, however, get created and stored into "google_authenticator_token"
table without any problems. I have turned on TRACE logging and logging Hibernate
SQL statements. The part of the log that I think is relevant is attached.

You can clearly see from the log that first a token is created and successfully
persisted into the "Google_Authenticator_Token" table. After that we can see that
OneTimeTokenAccountSaveRegistrationAction is logging "Storing account ...".
However, no account is actually created in the DB :(

Tried this with both MySQL and PostgreSQL, same thing happens in both.
Attached is the relevant part of my application.properties.
As you can see, all the required encryption keys are also nicely provided.

And no errors are thrown. I'm out of ideas :(
This used to work nicely in CAS 6.5.0.
And works when I'm using JSON file for the GAuth registry.
But I need to get it working with JPA.
Any ideas?

cheers,
Jaa...@CAS.user.since.2016

application.properties
Google authenticator account storing problem.log

King, Robert

Mar 14, 2024, 8:26:09 AM
to cas-...@apereo.org

Do you have the following defined in your properties?

cas.authn.mfa.gauth.crypto.encryption.key
cas.authn.mfa.gauth.crypto.signing.key

Maybe not relevant to the missing DB write, but it exhibits the same behavior of MFA not persisting past restart. If you do not define the keys in your properties file they typically get regenerated on each restart of CAS and that will make the previously encrypted data unrecoverable.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/1fca213e-e1a4-4731-8370-4f9ca83e5ce1n%40apereo.org.

Jaanus Heinlaid

Mar 14, 2024, 11:19:04 AM
to CAS Community, King, Robert
Yes, I do have them defined, as I already learned my lesson back in ver 6.5.0 :)
You can see these and other properties in the attachment of my previous post.
So it's not the missing encryption keys this time, but rather some other anomaly
which I cannot figure out.

cheers,
Jaanus

King, Robert

Mar 14, 2024, 11:19:04 AM
to CAS Community

Those specific keys are not included in the application.properties that you originally provided. The only encryption keys in the file are for cas.tgc and cas.webflow.

Jaanus Heinlaid

Mar 14, 2024, 12:32:34 PM
to CAS Community, King, Robert
Sorry, my bad!
Indeed, when copy-pasting the relevant section of my properties file,
I accidentally left out those two lines. Correct section of the properties attached now.

So indeed, I have those two important keys in there.
However, the line which I'm not entirely sure about, is this one:
cas.authn.mfa.gauth.core.scratch-codes.encryption.key=1234567890123456

The documentation says that this is a required property and it "must be randomly-generated
string whose length is defined by the encryption key size setting". Since the key size in
EncryptionRandomizedCryptoProperties is 16, I figured I'm just gonna put a random
16-character string in that property, which is the "1234567890123456" above.
But I'm not sure if it's correct that way. No errors are thrown if I put a longer string in there.
But if I leave that property completely out, I get a startup WARN saying it's required.

Funny thing is that it all works and accounts are persisted when I let CAS use a JSON file
as the GAuth registry, like this: cas.authn.mfa.gauth.json.location=file:/etc/cas/mfa.json
But it's the JPA that is problematic.

cheers,
Jaanus
application.properties
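A small lint for the three properties this thread turns on, as an added example that is not part of the thread or of the CAS project: it parses a CAS application.properties, reports any of the gauth crypto keys that are undefined (the restart-regeneration problem Robert describes) and checks the scratch-codes key against the 16-character length Jaanus read from EncryptionRandomizedCryptoProperties. The 16-character expectation and the all-digit heuristic are assumptions carried over from the thread, and the sample file is constructed, not the attached one.

```python
import re

# Property names as they appear in the thread.
GAUTH_KEYS = (
    "cas.authn.mfa.gauth.crypto.encryption.key",
    "cas.authn.mfa.gauth.crypto.signing.key",
    "cas.authn.mfa.gauth.core.scratch-codes.encryption.key",
)
SCRATCH_KEY = GAUTH_KEYS[2]
# Length Jaanus read from EncryptionRandomizedCryptoProperties (assumed here).
SCRATCH_KEY_LENGTH = 16

def parse_properties(text):
    """Minimal Java .properties parser: key=value or key: value, '#'/'!' comments,
    no line continuations or escape handling."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def check_gauth_properties(text):
    """Return findings as strings; an empty list means every check passed."""
    props = parse_properties(text)
    findings = []
    for key in GAUTH_KEYS:
        # Keys left undefined are regenerated at each CAS restart (Robert's point),
        # so records encrypted before the restart can no longer be decrypted.
        if not props.get(key):
            findings.append(f"missing: {key}")
    scratch = props.get(SCRATCH_KEY, "")
    if scratch and len(scratch) != SCRATCH_KEY_LENGTH:
        findings.append(f"{SCRATCH_KEY}: length {len(scratch)}, expected {SCRATCH_KEY_LENGTH}")
    if scratch and scratch.isdigit():
        # Heuristic only: the documentation quoted in the thread asks for a randomly
        # generated string, and an all-digit value such as 1234567890123456 is not one.
        findings.append(f"{SCRATCH_KEY}: all-digit value does not look randomly generated")
    return findings

# Constructed sample mirroring the configuration described in the thread.
SAMPLE_FROM_THREAD = """
cas.authn.mfa.gauth.crypto.encryption.key=<encryption-key-placeholder>
cas.authn.mfa.gauth.crypto.signing.key=<signing-key-placeholder>
cas.authn.mfa.gauth.core.scratch-codes.encryption.key=1234567890123456
cas.authn.mfa.gauth.json.location=file:/etc/cas/mfa.json
"""
```

Run `check_gauth_properties` over the real properties file; the only finding on the constructed sample is the all-digit scratch-codes key, while a file with the keys omitted yields one "missing" finding per key.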

Michal S

Oct 24, 2024, 9:32:33 PM
to CAS Community, Jaanus Heinlaid, King, Robert
Hi Jaanus.

I have exactly the same problem. Did you manage to solve it?

Thanks,
Michal

John Bergant

Oct 25, 2024, 1:01:19 AM
to cas-...@apereo.org
Hi Jaanus and Michal,

I've seen this issue as well in the 7.x version of CAS.

John

Jaanus Heinlaid

Oct 25, 2024, 3:17:48 AM
to cas-...@apereo.org
Hi John, Michal,

The answer is no, we did not get it working,
i.e. the issue of persisting Google Authenticator accounts over JPA.

Eventually, we resorted to persisting over a custom RESTful endpoint that we
implemented specifically for that purpose, following the guidelines provided here:
But it involved a lot of trial-and-error too, before we got it working.
So, quite a painful journey in the end, but what can you do...

cheers,
Jaanus
