Hi all,
I have found an issue with Delegated Authentication in the CAS 6.2.x branch (latest one, 6.2.6).
After login, I found that the UserProfile is not returned after logging in using Delegated Authentication. Below is an example using Google as the 3rd-party IdP.
======================================================
2020-12-07 10:39:03,817 ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [ClientCredential(credentials=#OAuth20Credentials# | code: 4/0AY0e-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXQm0vSNOo732s6zvIqkTjepvcw | accessToken: com.github.scribejava.apis.openid.OpenIdOAuth2AccessToken@f1986644 |, clientName=GoogleProvider, typedIdUsed=true, userProfile=null)] of type [ClientCredential]. Examine the configuration to ensure a method of authentication is defined and analyze CAS logs at DEBUG level to trace the authentication event.
2020-12-07 10:39:03,818 ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - [DelegatedClientAuthenticationHandler]: [Unable to fetch user profile]
======================================================
After some digging, I found that if I add the following in `DelegatedClientAuthenticationAction`, the user profile can be fetched and login can proceed like normal:
DelegatedClientAuthenticationAction:
====================
/**
 * Add in user profile to clientCredential if not existent from credentials
 *
 * @param client         the client
 * @param webContext     the web context
 * @param requestContext the request context
 */
@Override
protected void populateContextWithClientCredential(final BaseClient<Credentials> client, final JEEContext webContext,
                                                   final RequestContext requestContext) {
    LOGGER.debug("Fetching credentials from delegated client [{}]", client);
    val credentials = getCredentialsFromDelegatedClient(webContext, client);
    val clientCredential = new ClientCredential(credentials, client.getName());
    // Customization: Add user profile from credential to clientCredential
    Optional<UserProfile> userProfile = client.getProfileCreator().create(credentials, webContext);
    if (userProfile.isPresent()) {
        CommonProfile commonProfile = (CommonProfile) userProfile.get();
        clientCredential.setUserProfile(commonProfile);
    }
    // Customization: Add user profile from credential to clientCredential END
    LOGGER.info("Credentials are successfully authenticated using the delegated client [{}]", client.getName());
    WebUtils.putCredential(requestContext, clientCredential);
}
======================
Our Delegated Authentication flow is heavily customized, so it is possible this is an issue from our customization.
However, if others have encountered a similar issue, it might be a bug and need fixing. See if this is a broad issue.
Thanks!
Cheers!
- Andy
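
A log-triage sketch for the failure reported in this post, added here as an example; it is not part of the original message or of CAS. It rejoins hard-wrapped log lines, flags `ClientCredential` rejections where `userProfile=null`, and redacts the OAuth authorization code so the record can be shared. The function names `records` and `triage` and the sample input are assumptions constructed for illustration.

```python
import re

TS = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")
CRED = re.compile(r"ClientCredential\((.*?)\)\]")
FIELD = re.compile(r"(clientName|typedIdUsed|userProfile)=([^,)]+)")
CODE = re.compile(r"(\bcode: )[^|\s]+")

# Constructed sample in the shape of the log in this post; the code value is a placeholder.
LINES = [
    "2020-12-07 10:39:03,817 ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - "
    "Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler "
    "that supports [ClientCredential(credentials=#OAuth20Credentials# | code: 4/0CONSTRUCTED-PLACEHOLDER | "
    "accessToken: com.github.scribejava.apis.openid.OpenIdOAuth2AccessToken@f1986644 |, "
    "clientName=GoogleProvider, typedIdUsed=true, userProfile=null)] of type [ClientCredential].",
    "2020-12-07 10:39:03,818 ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - "
    "[DelegatedClientAuthenticationHandler]: [Unable to fetch user profile]",
]
# Hard-wrap at 80 columns, as a mail client or terminal copy would.
WRAPPED = "\n".join(l[i:i + 80] for l in LINES for i in range(0, len(l), 80))

def records(text):
    """Rejoin hard-wrapped lines: a new record starts at each timestamp."""
    out = []
    for line in text.splitlines():
        if TS.match(line) or not out:
            out.append(line)
        else:
            out[-1] += line  # continuation of a line that was wrapped mid-word
    return out

def triage(text):
    """Return one finding per ClientCredential rejection, with the code redacted."""
    findings = []
    for rec in records(text):
        m = CRED.search(rec)
        if not m:
            continue
        fields = dict(FIELD.findall(m.group(1)))
        findings.append({
            "client": fields.get("clientName"),
            "typed_id": fields.get("typedIdUsed"),
            "profile_missing": fields.get("userProfile") == "null",
            # Redact after rejoining, so a code split across lines is removed whole.
            "redacted": CODE.sub(r"\1<redacted>", rec),
        })
    return findings

if __name__ == "__main__":
    for f in triage(WRAPPED):
        print(f["client"], "profile_missing=%s" % f["profile_missing"], f["redacted"], sep="\n")
```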