requiredHandlers conflicts with delegatedAuthenticationPolicy?


Abre Chase

Apr 23, 2021, 2:02:38 PM
to CAS Community
Our application has multiple JDBC authentication sources, so we are using requiredHandlers so that each service will authenticate against the correct database. Now we are trying to turn on delegated authentication to allow login from an OIDC IdP. When requiredHandlers has a value, the OIDC login fails because, even though the user has passed the delegated authentication, the code still forces them through the requiredHandlers as well. When I remove requiredHandlers, the OIDC delegated authentication works correctly, but normal login doesn't use only the correct authentication handler.

Is there a way to specify a specific authentication source for a service and also allow delegated authentication at the same time?

My service configuration file looks something like:

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://localhost:8445.*",
  "name" : "localhost",
  "id" : 4,
  "requiredHandlers": ["java.util.HashSet", ["jdbcHandler" ]],
  "evaluationOrder" : 4,
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "delegatedAuthenticationPolicy" : {
      "@class" : "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy",
      "allowedProviders" : [ "java.util.ArrayList", [ "oidcIdp"] ],
      "permitUndefined": true,
      "exclusive": false
    }
  }
}


Thanks for any advice,

Abre

Abre Chase

Apr 27, 2021, 9:08:32 AM
to CAS Community, Abre Chase
I tried adding ClientAuthenticationHandler to the list of required handlers for the service.

"requiredHandlers": ["java.util.HashSet", ["jdbcHandler", "ClientAuthenticationHandler" ]],

Authentication works now but the service ticket doesn't validate.

Ticket 'ST-9-xbUKZzA92DUsQtx7Gopfen11sxgip-192-168-1-254' does not match supplied service. The original service was 'https://localhost:8445/c/portal/login?p_l_id=20146' and the supplied service was 'https://localhost:8445/c/portal/login?p_l_id=20146'.

The CAS logs show the service ticket validation and it looks successful but the calling code gets the response above.

2021-04-27 08:57:46,560 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: org.pac4j.oidc.profile.OidcProfile#445209
WHAT: ST-9-xbUKZzA92DUsQtx7Gopfen11sxgip-192-168-1-254 for https://localhost:8445/c/portal/login?p_l_id=20146
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS
WHEN: Tue Apr 27 08:57:46 EDT 2021
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================

This feels like a bug to me.  There should be a way to specify a specific handler, but also allow delegated authentication.

Abre
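A small registry lint for the situation described in this thread, added here as an example and not part of the original posts or of CAS itself. It parses CAS JSON service definitions (including the Jackson type-hint arrays such as ["java.util.HashSet", [...]]) and flags a service whose requiredHandlers would exclude the delegated-authentication handler while a delegatedAuthenticationPolicy allows providers. The handler name ClientAuthenticationHandler is taken from the thread and is assumed to match the handler name in your deployment; the sample service JSON is constructed from the configuration quoted above.

```python
import json

# Delegated-authentication handler name as used in this thread (assumption:
# it matches the handler name registered in your CAS deployment).
DELEGATED_HANDLER = "ClientAuthenticationHandler"

def untyped(value):
    """Strip the Jackson type hint CAS writes for collections,
    e.g. ["java.util.HashSet", ["a", "b"]] -> ["a", "b"]."""
    if (isinstance(value, list) and len(value) == 2
            and isinstance(value[0], str) and value[0].startswith("java.util.")):
        return value[1]
    return value

def check_service(service, delegated_handler=DELEGATED_HANDLER):
    """Return findings (strings) for one registered-service definition."""
    required = set(untyped(service.get("requiredHandlers", [])))
    policy = (service.get("accessStrategy", {})
                     .get("delegatedAuthenticationPolicy", {}))
    providers = untyped(policy.get("allowedProviders", []))
    # Delegation is usable if providers are listed, or none are listed but
    # undefined providers are permitted.
    delegation_enabled = bool(providers) or bool(policy.get("permitUndefined"))
    if required and delegation_enabled and delegated_handler not in required:
        return [f"service {service.get('id')} ({service.get('name')}): "
                f"requiredHandlers {sorted(required)} omits {delegated_handler}; "
                f"delegated login via {providers or 'undefined providers'} "
                f"will be forced through the required handlers and fail"]
    return []

def lint_registry(json_text, delegated_handler=DELEGATED_HANDLER):
    """Parse one service-definition JSON document and return its findings."""
    return check_service(json.loads(json_text), delegated_handler)

# Constructed sample, modelled on the service quoted in this thread.
SAMPLE_SERVICE = """{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://localhost:8445.*",
  "name" : "localhost",
  "id" : 4,
  "requiredHandlers": ["java.util.HashSet", ["jdbcHandler"]],
  "evaluationOrder" : 4,
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "delegatedAuthenticationPolicy" : {
      "@class" : "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy",
      "allowedProviders" : ["java.util.ArrayList", ["oidcIdp"]],
      "permitUndefined": true,
      "exclusive": false
    }
  }
}"""

if __name__ == "__main__":
    for finding in lint_registry(SAMPLE_SERVICE):
        print(finding)
```

Run it over each file in your JSON service registry directory; a finding means the service's required-handler set and its delegation policy contradict each other in the way the first post describes.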