OAuth delegated authentication - Profile id null


David Oteo

Nov 8, 2018, 8:18:04 AM
to CAS Community
Hello,

We successfully configured CAS 5.2.2 to delegate authentication to an external provider through the generic OAuth2 properties:

#(Optional) Friendly name for OAuth 2 provider, e.g. "This Organization" or "That Organization"
cas.authn.pac4j.oauth2[0].clientName=Giltza Oauth 2
cas.authn.pac4j.oauth2[0].id=xxx
cas.authn.pac4j.oauth2[0].secret=xxx
cas.authn.pac4j.oauth2[0].authUrl=https://eidasdes.izenpe.com:8082/trustedx-authserver/izenpe/oauth
cas.authn.pac4j.oauth2[0].tokenUrl=https://eidasdes.izenpe.com:8082/trustedx-authserver/izenpe/oauth/token
cas.authn.pac4j.oauth2[0].profileUrl=https://eidasdes.izenpe.com:8082/trustedx-resources/openid/v1/users/me
cas.authn.pac4j.oauth2[0].profileVerb=GET
#cas.authn.pac4j.oauth2[0].profilePath=

cas.authn.pac4j.oauth2[0].customParams.client_id=xxx
cas.authn.pac4j.oauth2[0].customParams.response_type=code
cas.authn.pac4j.oauth2[0].customParams.state=123456
cas.authn.pac4j.oauth2[0].customParams.acr_values=urn:safelayer:tws:policies:authentication:flow:bakq|urn:safelayer:tws:policies:authentication:flow:cert
cas.authn.pac4j.oauth2[0].customParams.scope=urn:izenpe:identity:global

cas.authn.pac4j.oauth2[0].profileAttrs.name=name
cas.authn.pac4j.oauth2[0].profileAttrs.surname1=surname1
cas.authn.pac4j.oauth2[0].profileAttrs.surname2=surname2
...

If we don't do anything else, the following error occurs:

[8/11/18 13:28:57:621 CET] 000000d3 SystemOut     O 2018-11-08 13:28:57,611 DEBUG [org.pac4j.oauth.client.GenericOAuth20Client] - <profile: #OAuth20Profile# | id: null | attributes: {sub=978fa4ff4ea06ca1d39f35eb728b5a7e, cif=Q3890349H, country=ES, birthdate=EMPTY, key_usage=EMPTY, subject=SERIALNUMBER=99999988J, OID.2.5.4.4=#0C08464943544943494F, OID.2.5.4.42=#0C07434F5250524543, CN=CORPREC FICTICIO ACTIVO, OID.2.5.4.46=#131D2D646E692039393939393938384A202D63696620513338393033343948, OU=Condiciones de uso en www.izenpe.com nola erabili jakiteko, OU=Ziurtagiri korporatibo onartua - Cert. corporativo reconocido, O=IZENPE, C=ES, not_before=2017-03-16T12:15:29Z, tsl=S, issuer=CN=CA personal de AAPP vascas (2) - DESARROLLO, OU=AZZ Ziurtagiri publikoa - Certificado publico SCA, O=IZENPE S.A., C=ES, acr=urn:safelayer:tws:policies:authentication:flow:cert, surname1=FICTICIO, surname2=ACTIVO, email=EMPTY, dni=99999988J, tipoAfirma=0, firmaCualificada=S, naturalPersonSemanticsIdentifier=IDCES-99999988J, legalPersonSemanticsIdentifier=VATES-Q3890349H, serial_number=C6o=, given_name=CORPREC, pais=ES, not_after=2021-03-16T12:15:29Z, access_token=fc6ccaad705c4363cce28d89b7a3fd45897400c6134afd3c18d2d7a8bc8261a2, register_type=1, policy_identifier=1.3.6.1.4.1.14777.104.2, person_status=PF, domain=izenpe, organization=EMPTY, name=CORPREC FICTICIO ACTIVO, family_name=FICTICIO ACTIVO} | roles: [] | permissions: [] | isRemembered: false | clientName: null | linkedId: null |>
[8/11/18 13:28:57:621 CET] 000000d3 SystemOut     O 2018-11-08 13:28:57,611 ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [org.apereo.cas.authentication.principal.ClientCredential@2cf6f06a[id=<null>]] of type [ClientCredential].>
[8/11/18 13:28:57:621 CET] 000000d3 SystemOut     O 2018-11-08 13:28:57,616 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: null
WHAT: Supplied credentials: [org.apereo.cas.authentication.principal.ClientCredential@2cf6f06a[id=<null>]]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Thu Nov 08 13:28:57 CET 2018
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================
[8/11/18 13:28:57:629 CET] 000000d3 SystemOut     O 2018-11-08 13:28:57,628 ERROR [com.ibm.ws.webcontainer.servlet.ServletWrapper] - <SRVE0014E: Uncaught service() exception root cause dispatcherServlet: org.springframework.web.util.NestedServletException: Request processing failed; nested exception is org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationAction@f990386 in state 'clientAction' of flow 'login' -- action execution attributes were 'map[[empty]]'

In order to solve the problem we modified the class GenericOAuth20ProfileDefinition.java of pac4j-oauth-2.3.1.jar. We just set an id for the profile:

    @Override
    public OAuth20Profile extractUserProfile(String body) throws HttpAction {
        final OAuth20Profile profile = new OAuth20Profile();
        final JsonNode json = JsonHelper.getFirstNode(body, getFirstNodePath());

        if (json != null) {

            // our change: use the "name" element of the JSON body as the profile identifier
            profile.setId(JsonHelper.getElement(json, "name"));

            for (final String attribute : getPrimaryAttributes()) {
                convertAndAdd(profile, attribute, JsonHelper.getElement(json, attribute));
            }
            for (final String attribute : getSecondaryAttributes()) {
                convertAndAdd(profile, attribute, JsonHelper.getElement(json, attribute));
            }
            for (final Map.Entry<String, String> entry : getProfileAttributes().entrySet()) {
                final String key = entry.getKey();
                final String value = entry.getValue();
                convertAndAdd(profile, key, JsonHelper.getElement(json, value));
            }

        }
        return profile;
    }

We think this is very ugly. Is there any other way to solve this problem without modifying the pac4j source code?

Thank you so much!

Jérôme LELEU

Nov 8, 2018, 9:09:24 AM
to cas-...@apereo.org
Hi,

Since pac4j v3.2, you can set the element to use as the identifier: http://www.pac4j.org/docs/release-notes.html

Unfortunately, CAS v5.2.2 is still based on pac4j v2.x. So the right version to use would be version 5.3.x, given that the profileId could then be set by properties (it's an easy improvement though).

Thanks.
Best regards,
Jérôme


--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/04383633-87ab-46ec-abda-70daee84928c%40apereo.org.

David Oteo

Nov 8, 2018, 9:43:39 AM
to CAS Community
Hi,

Thank you for the quick response. We will try with version 5.3.x.

By the way, in our case the access token has to be sent as a header. We see that pac4j v2.x already allows choosing this option:

    @Override
    protected void signRequest(final OAuth2AccessToken accessToken, final OAuthRequest request) {
        this.configuration.getService().signRequest(accessToken, request);
        if (this.configuration.isTokenAsHeader()) {
            request.addHeader(HttpConstants.AUTHORIZATION_HEADER, HttpConstants.BEARER_HEADER_PREFIX + accessToken.getAccessToken());
        }
        if (Verb.POST.equals(request.getVerb())) {
            request.addParameter(OAuthConfiguration.OAUTH_TOKEN, accessToken.getAccessToken());
        }
    }

Is it possible to configure this in the CAS properties or elsewhere? Right now we are modifying the code too :-(

Regards,
David.
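Both questions in the posts above come down to two decisions inside a generic OAuth2 client: where the access token travels when the profile endpoint is called (the `isTokenAsHeader()` branch quoted above), and which element of the profile JSON becomes the profile id (the `id: null` in the DEBUG log, which is why `PolicyBasedAuthenticationManager` rejects the `ClientCredential`). The following is an added example written for this thread, not code from CAS, pac4j or the poster; it models both decisions as plain Python functions. The function names, the rule that a literal `EMPTY` counts as a missing value (the provider's log shows `birthdate=EMPTY`), the `access_token` parameter fallback and the sample body are assumptions made for the example; the sample body is constructed from the fictitious test-certificate attributes visible in the log.

```python
"""Added example, not code from CAS or pac4j: the two decisions discussed in
the thread expressed as plain functions.

1. build_profile_request(): Authorization header vs. request parameter for
   the access token (what pac4j's tokenAsHeader flag switches).
2. extract_profile(): turning the profile JSON into a principal, with the
   identifier element chosen explicitly instead of being left null.
"""
import json


class ProfileIdMissing(Exception):
    """Raised when the configured identifier element is absent or blank."""


# Constructed sample body, modelled on the attributes in the thread's DEBUG log
# (fictitious test certificate data, trimmed to a few fields).
SAMPLE_BODY = json.dumps({
    "sub": "978fa4ff4ea06ca1d39f35eb728b5a7e",
    "name": "CORPREC FICTICIO ACTIVO",
    "given_name": "CORPREC",
    "surname1": "FICTICIO",
    "surname2": "ACTIVO",
    "email": "EMPTY",
    "dni": "99999988J",
})

# Assumption for this example: the provider marks absent values with the
# literal string "EMPTY" (seen as birthdate=EMPTY in the log), so treat it
# like a missing field.
MISSING_MARKERS = (None, "", "EMPTY")


def build_profile_request(profile_url, verb, access_token, token_as_header):
    """Describe the profile request as a dict of verb, url, headers, params.

    token_as_header=True puts the token in 'Authorization: Bearer ...', the
    behaviour pac4j selects with tokenAsHeader. Otherwise (assumption for the
    example) the token is sent as an access_token request parameter, which for
    a GET ends up in the query string and therefore in URL logs.
    """
    headers, params = {}, {}
    if token_as_header:
        headers["Authorization"] = "Bearer " + access_token
    else:
        params["access_token"] = access_token
    return {"verb": verb, "url": profile_url, "headers": headers, "params": params}


def extract_profile(body, id_element, primary_attrs=(), profile_attrs=None):
    """Build a profile dict from the JSON body.

    id_element    -- JSON field used as the profile id (what pac4j 3.2 calls profileId)
    primary_attrs -- fields copied under their own name
    profile_attrs -- {profile key: JSON field}, like cas...profileAttrs.key=field
    """
    data = json.loads(body)
    raw_id = data.get(id_element)
    if raw_id in MISSING_MARKERS:
        # This is the state the thread's log shows ("id: null"): without an id
        # CAS cannot build a principal and the authentication fails.
        raise ProfileIdMissing("profile element %r is missing or blank" % id_element)
    attributes = {}
    for name in primary_attrs:
        if data.get(name) not in MISSING_MARKERS:
            attributes[name] = data[name]
    for key, field in (profile_attrs or {}).items():
        if data.get(field) not in MISSING_MARKERS:
            attributes[key] = data[field]
    return {"id": str(raw_id), "attributes": attributes}


if __name__ == "__main__":
    req = build_profile_request(
        "https://idp.example/users/me", "GET", "constructed-token", token_as_header=True)
    print(req["headers"])
    profile = extract_profile(
        SAMPLE_BODY, "sub", primary_attrs=("email",),
        profile_attrs={"name": "name", "surname1": "surname1", "surname2": "surname2"})
    print(profile)
```

Two points a deployment should take from this: the id becomes the CAS principal, so it should come from a stable, unique subject element such as `sub` rather than a display name like `name` (two people can share a name, and a name can change); and with the token in the query string rather than the header, the bearer token is exposed to anything that records request URLs, which is a good reason to prefer the header option the thread asks about.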

Jérôme LELEU

Nov 8, 2018, 10:00:57 AM
to cas-...@apereo.org
Hi,

I don't think so. Exposing these two pac4j capabilities should not be too complicated for your first contributions ;-)
Thanks.
Best regards,
Jérôme

