Is it possible in my app to allow only authorized user to use pac4j delegation to login

Ng Sek Long

Aug 14, 2017, 10:59:25 PM8/14/17
to CAS Community
Hi all, and first of all, thanks in advance. Here's my problem:

[CAS version]: 5.2.0-RC1 (I need features from this version)

[Background]:
My application uses pac4j to allow users to log in using, for example, Facebook, Google, LinkedIn and such.

[Problem]:
However, only certain users that are authorized are allowed to log in using those pac4j methods. Now that I use pac4j as a login method, everybody can log in.

[Question]:
Is it possible to allow only authorized users to use pac4j authentication? For example, maybe I can use a database which specifies that only Peter, Mary and John can use Facebook to log in. Then other random people cannot use pac4j as a login method.

[Things I tried]:
I tried to configure this bean: "clientAuthenticationHandler" in "org.apereo.cas.support.pac4j.config.support.authentication", and I found that there is nothing I can do there that implements what I need.

I would like to edit this: ClientAuthenticationHandler -> doAuthentication, and add my customization, but it is not a bean, and I don't really want to replace any source code.

Any help would be appreciated!

Misagh Moayyed

Aug 15, 2017, 12:53:59 PM8/15/17
to cas-...@apereo.org
So you're saying: allow Peter to authenticate via Facebook, then come back to CAS, authenticate and verify credentials and then possibly reject Peter because he's not allowed? 

You cannot do this without changing source code, but it's strange that you present an option first only to possibly reject it later. It would be better if you tied that policy to a service record in CAS where you could then say: if you want to log into application X, you can use any of the following authorized providers (because there is code that knows what to authorize/prepare for each delegated scenario). Also requires code, but I submit it's the more sensible approach.

--Misagh

Ng Sek Long

Aug 15, 2017, 9:16:14 PM8/15/17
to CAS Community, mmoa...@unicon.net
Thanks for your suggestion! I don't mind editing cas source code if my use case is specific for me. Because of my use case, I think I will use the less elegant approach for now until I get time to implement the better approach.

-Andy

Tausif Iqbal

Nov 3, 2024, 10:03:59 AM11/3/24
to CAS Community, Ng Sek Long, mmoa...@unicon.net
Hi Ng Sek Long,

I am also trying to do something similar. I already have a database set up for authentication, and now I want to add Google OAuth on top of it, so that genuine users can log in directly without typing credentials, but now the issue is that anyone can log in with Google OAuth.

Could you let me know what steps you followed to achieve this?

Thanks in advance

Ray Bon

Nov 4, 2024, 1:41:31 PM11/4/24
to cas-...@apereo.org, lon...@gmail.com, mmoa...@unicon.net
Tausif,

There are things you can do before and after authentication. See https://apereo.github.io/cas/7.1.x/authentication/Configuring-Authentication-Components.html

Ray

Ray Bon

Nov 7, 2024, 9:53:20 PM11/7/24
to tausifi...@gmail.com, cas-...@apereo.org, lon...@gmail.com, mmoa...@unicon.net
Tausif,

Check out springframework sortOrder. It should affect the order of bean creation. (It goes in the Configurer.)
However if the default handlers list is actually a set ...

Ray

Tausif Iqbal

Nov 7, 2024, 9:53:21 PM11/7/24
to CAS Community, Ray Bon, lon...@gmail.com, mmoa...@unicon.net
Hi Ray Bon,
Thank you for the link. After spending some time I am able to write a CustomDelegatedClientAuthenticationHandler and register it.
Now the issue is that when I start the CAS overlay, sometimes it picks DelegatedClientAuthenticationHandler and sometimes CustomDelegatedClientAuthenticationHandler, depending on the order in the default handlers list:

[ProxyAuthenticationHandler, DelegatedClientAuthenticationHandler, CustomDelegatedClientAuthenticationHandler, QueryDatabaseAuthenticationHandler, Static Credentials] or [ProxyAuthenticationHandler, CustomDelegatedClientAuthenticationHandler, DelegatedClientAuthenticationHandler, QueryDatabaseAuthenticationHandler, Static Credentials]

Is there a way I can fix the order of handlers in the list?
Thank you,
Tausif

Tausif Iqbal

Nov 11, 2024, 12:37:00 AM11/11/24
to CAS Community, Ray Bon, lon...@gmail.com, mmoa...@unicon.net, tausifi...@gmail.com
Hi Ray Bon,
Thank you for the suggestion.
What I noticed is that if the CustomDelegatedClientAuthenticationHandler fails to authenticate a credential, then CAS picks the next handler, which is DelegatedAuthenticationHandler, and authenticates the credential.
Is there a way I can tell CAS not to pick DelegatedAuthenticationHandler at all?

Thank you

Ray Bon

Nov 12, 2024, 9:19:50 PM11/12/24
to tausifi...@gmail.com, cas-...@apereo.org, lon...@gmail.com, mmoa...@unicon.net
Tausif,

Could you put the logic from your custom class in a post processor and limit users that way?

Ray
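A post processor along the lines Ray describes, written as an added example here (it is not code from this thread or from the CAS project). It assumes the CAS 7.x authentication APIs (`AuthenticationPostProcessor`, `AuthenticationBuilder`, `AuthenticationTransaction`, `ClientCredential`, `AuthenticationEventExecutionPlanConfigurer`) and uses a hypothetical, hard-coded allow list of principal ids standing in for the database lookup Tausif already has; the package name is also made up:

```java
// Added example, not code from the thread or from the CAS project.
// Assumes CAS 7.x API names and signatures as listed in the lead-in.
package org.example.cas; // hypothetical package

import org.apereo.cas.authentication.AuthenticationBuilder;
import org.apereo.cas.authentication.AuthenticationEventExecutionPlanConfigurer;
import org.apereo.cas.authentication.AuthenticationException;
import org.apereo.cas.authentication.AuthenticationPostProcessor;
import org.apereo.cas.authentication.AuthenticationTransaction;
import org.apereo.cas.authentication.Credential;
import org.apereo.cas.authentication.principal.ClientCredential;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import javax.security.auth.login.FailedLoginException;
import java.util.Map;
import java.util.Set;

/**
 * Rejects a delegated (pac4j) login unless the resolved principal id is on an allow list.
 * Post processors run after every handler has finished, so the check applies no matter
 * which delegated handler (custom or default) actually produced the success.
 */
public class DelegatedLoginAllowListPostProcessor implements AuthenticationPostProcessor {

    // Constructed sample allow list; in a real deployment query your user database instead.
    private static final Set<String> ALLOWED_PRINCIPALS =
        Set.of("peter@example.org", "mary@example.org", "john@example.org");

    @Override
    public boolean supports(final Credential credential) {
        // Only inspect pac4j delegated logins; username/password logins are left alone.
        return credential instanceof ClientCredential;
    }

    @Override
    public void process(final AuthenticationBuilder builder,
                        final AuthenticationTransaction transaction) throws AuthenticationException {
        // Every handler that succeeded contributed a principal; refuse the whole
        // authentication if any of them resolved to an id that is not allowed.
        for (var success : builder.getSuccesses().entrySet()) {
            var handlerName = success.getKey();
            var principalId = success.getValue().getPrincipal().getId();
            if (!ALLOWED_PRINCIPALS.contains(principalId)) {
                throw new AuthenticationException(Map.of(handlerName,
                    new FailedLoginException("Principal not authorized for delegated login: " + principalId)));
            }
        }
    }
}

/** Registers the post processor with the CAS authentication execution plan. */
@Configuration
class DelegatedLoginAllowListConfiguration {
    @Bean
    public AuthenticationEventExecutionPlanConfigurer delegatedLoginAllowListConfigurer() {
        return plan -> plan.registerAuthenticationPostProcessor(new DelegatedLoginAllowListPostProcessor());
    }
}
```

Two caveats when adapting this. The value returned by `getPrincipal().getId()` for a delegated login is whatever CAS resolved from the pac4j profile, which by default is the provider's profile id rather than the e-mail address; if the allow list is keyed by e-mail, configure the pac4j principal-attribute-id setting so that the e-mail attribute becomes the principal id. And the configuration class still has to be registered the way the CAS overlay documentation describes for custom configuration, otherwise the bean is never picked up.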

Tausif Iqbal

Nov 13, 2024, 7:57:07 AM11/13/24
to CAS Community, Ray Bon, lon...@gmail.com, mmoa...@unicon.net, tausifi...@gmail.com
Hi Ray, thank you for your suggestion.
Luckily I found the configuration below in the doc https://apereo.github.io/cas/7.1.x/authentication/Configuring-Authentication-Policy-All.html

```
cas.authn.policy.all-handlers.enabled=false
cas.authn.policy.all-handlers.name=CustomDelegatedClientAuthenticationHandler,QueryDatabaseAuthenticationHandler
```

With these I am able to control the handlers that CAS can use to authenticate.

Now I have two webflow setups: one uses `QueryDatabaseAuthenticationHandler` and the other uses `CustomDelegatedClientAuthenticationHandler`, with MFA enabled on both.

The issue is that after a user registers on Google Authenticator through webflow 1 (QueryDatabaseAuthenticationHandler+MFA), if the same user tries to log in through webflow 2 (CustomDelegatedClientAuthenticationHandler+MFA), he is asked to register again on Google Authenticator. What I want is this: if a user registers on Google Authenticator through webflow 1 and later tries to log in through webflow 2, he should not be asked to register again on Google Authenticator. My suspicion is that MFA is generating different secrets for QueryDatabaseAuthenticationHandler and CustomDelegatedClientAuthenticationHandler.

Is there a way I can configure MFA so that if the email is the same, it treats the user as the same across both setups?

Thank you for your help