Steam OpenId2 auth
421 views
Skip to first unread message
FritzTheWonderMutt
Jan 11, 2018, 12:19:36 PM1/11/18
to CAS Community
I need to add Steam auth to our CAS 5.1.7 implementation, but Steam only offers OpenId2.
I see that the Pac4j code has an older Yahoo OpenId client that I could use as a template:
And i found that on line 414 of org.apereo.cas.support.pac4j.config.support.authentication.Pac4jAuthenticationEventExecutionPlanConfiguration the clients are built and added to the ClientAuthenticationHandler.
The question is, what is the best way to add a new OpenId2
client into the pac4j ClientAuthenticationHandler.clients?
Jérôme LELEU
Jan 12, 2018, 8:54:02 AM1/12/18
to CAS Community
Hi,
I would create a configuration class (@Configuration), autowire the "builtClients" bean inside it and at initialization (@PostContruct), add your new client: builtClients.getClients().add(newclient).
You can even submit your new client as a contribution to the pac4j library.
Thanks.
Best regards,
Jérôme
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/ca2f7c49-14d7-461c-94d8-3b04baa7b5b2%40apereo.org.
Message has been deleted
FritzTheWonderMutt
Jan 16, 2018, 2:11:43 PM1/16/18
to CAS Community
So, that reply got deleted. I'll try to be less verbose this time.
Yes, adding the new client to the builtClients works, but you have to call reinit() on the builtClients after the add.
You will also need to register a org.apereo.cas.support.pac4j.authentication.handler.support.ClientAuthenticationHandler on the AuthenticationEventExecutionPlan to be able to authenticate the returned ClientCredential.
Thanks for your help.
Yes, adding the new client to the builtClients works, but you have to call reinit() on the builtClients after the add.
You will also need to register a org.apereo.cas.support.pac4j.authentication.handler.support.ClientAuthenticationHandler on the AuthenticationEventExecutionPlan to be able to authenticate the returned ClientCredential.
Thanks for your help.
Jérôme LELEU
Jan 17, 2018, 4:53:02 AM1/17/18
to CAS Community
Hi,
Can you do some debugging in the ClientAuthenticationHandler to see how the login process finishes?
Thanks.
Best regards,
Jérôme
On Fri, Jan 12, 2018 at 11:17 PM, FritzTheWonderMutt <fritzthew...@gmail.com> wrote:
You are my new hero!
A few things to note...
You have to call reinit() on the builtClients after you add the new client. It looks like this:
@Autowired
Clients builtClients;
@PostConstruct
public void addSteamOpenIdClient() {
builtClients.getClients().add(new SteamOpenIdClient());
builtClients.reinit();
}
The SteamOpenIdClient and supporting code is a straight one-to-one rip-off of the old YahooOpenIdClient in the pac4j-openid project with the following exception.
The RedirectActionBuilder gets the Steam endpoint and you turn off association attempts and attribute data fetch per this discussion:
https://github.com/jbufu/openid4java/issues/192
Looks like this:
public class SteamRedirectActionBuilder implements RedirectActionBuilder {
private static final Logger logger = LoggerFactory.getLogger(SteamRedirectActionBuilder.class);
private static final String STEAM_OPENID_ENDPOINT = "https://steamcommunity.com/openid/";
private SteamOpenIdClient client;
public SteamRedirectActionBuilder(final SteamOpenIdClient client) {
CommonHelper.assertNotNull("client", client);
this.client = client;
}
@Override
public RedirectAction redirect(final WebContext context) throws HttpAction {
try {
// perform discovery on the user-supplied identifier
final List discoveries = this.client.getConsumerManager().discover(STEAM_OPENID_ENDPOINT);
// attempt to associate with the OpenID provider
// and retrieve one service endpoint for authentication
this.client.getConsumerManager().setMaxAssocAttempts(0);
final DiscoveryInformation discoveryInformation = this.client.getConsumerManager().associate(discoveries);
// save discovery information in session
context.setSessionAttribute(this.client.getDiscoveryInformationSessionAttributeName(), discoveryInformation);
// create authentication request to be sent to the OpenID provider
final AuthRequest authRequest = this.client.getConsumerManager().authenticate(discoveryInformation,
this.client.computeFinalCallbackUrl(context));
final String redirectionUrl = authRequest.getDestinationUrl(true);
logger.debug("redirectionUrl: {}", redirectionUrl);
return RedirectAction.redirect(redirectionUrl);
} catch (final OpenIDException e) {
throw new TechnicalException("OpenID exception", e);
}
}
}
Add steam to the loginProviders.html template fragment...
<span th:case="steamopenid" class="fa fa-openid"></span>
And that will get you a button on the login page that will send you through the Steam auth flow.
Next Problem:
When you return to CAS from Steam all the OpenId auth works correctly, but Authentication fails. I think CAS doesn't know what to do with a OpenIdCredentials maybe? Actual SteamId is at the end of the openid.claimed_id field.
01-12 13:07:39 DEBUG flow.DelegatedClientAuthenticationAction - Retrieved credentials: [#OpenIdCredentials# | discoveryInformation: OpenID2
OP-endpoint:https://steamcommunity.com/openid/login
ClaimedID:null
Delegate:null | parameterList: client_name:SteamOpenIdClient
openid.ns:http://specs.openid.net/auth/2.0
openid.mode:id_res
openid.op_endpoint:https://steamcommunity.com/openid/login
openid.claimed_id:http://steamcommunity.com/openid/id/1234123412341234
openid.identity:http://steamcommunity.com/openid/id/1234123412341234
openid.return_to:https://auth-test.daybreakgames.com/login?client_name=SteamOpenIdClient
openid.response_nonce:2018-01-12T21:07:18ZcPA3u0qpRI9mztuzYk/0SRwwTUU=
openid.assoc_handle:1234567890
openid.signed:signed,op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle
openid.sig:g5gKyXlD+B+Vd4k58VulQPlLYzk=
| clientName: SteamOpenIdClient |]
01-12 13:07:39 DEBUG flow.DelegatedClientAuthenticationAction - Retrieve service: [null]
01-12 13:07:39 WARN authentication.PolicyBasedAuthenticationManager - Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [org.apereo.cas.authentication.principal.ClientCredential@752bf076[id=<null>]] of type [ClientCredential], which suggests a configuration problem.
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/34f64af8-8c93-4cd9-b5e2-15f72d3a4506%40apereo.org.
FritzTheWonderMutt
Jan 17, 2018, 5:30:32 PM1/17/18
to CAS Community
This works:
@Autowired
Clients builtClients;
@PostConstruct
public void addSteamOpenIdClient() {
builtClients.getClients().add(new SteamOpenIdClient());
builtClients.reinit();
}
@Bean
public AuthenticationHandler openIDAuthenticationHandler(final AuthenticationEventExecutionPlan plan) {
final ClientAuthenticationHandler handler = new ClientAuthenticationHandler("OpenIdClientAuthHandler", servicesManager, new DefaultPrincipalFactory(), builtClients);
plan.registerAuthenticationHandler(handler);
return handler;
}
public AuthenticationHandler openIDAuthenticationHandler(final AuthenticationEventExecutionPlan plan) {
final ClientAuthenticationHandler handler = new ClientAuthenticationHandler("OpenIdClientAuthHandler", servicesManager, new DefaultPrincipalFactory(), builtClients);
plan.registerAuthenticationHandler(handler);
return handler;
}
But it does return the whole url as the ID so you'll have to pull out the SteamId from the end:
01-17 14:22:39 DEBUG support.ClientAuthenticationHandler - clientCredentials [org.apereo.cas.authentication.principal.ClientCredential@3a86ccf3[id=<null>]]
01-17 14:22:39 DEBUG support.ClientAuthenticationHandler - clientName: [SteamOpenIdClient]
01-17 14:22:39 DEBUG support.ClientAuthenticationHandler - client: [#SteamOpenIdClient# | name: SteamOpenIdClient | callbackUrl: https://auth-test.daybreakgames.com/login?client_name=SteamOpenIdClient | urlResolver: org.pac4j.core.http.DefaultUrlResolver@281e917c | ajaxRequestResolver: org.pac4j.core.http.DefaultAjaxRequestResolver@5079ce36 | includeClientNameInCallbackUrl: true | redirectActionBuilder: com.dgc.plat.cas.steam.SteamRedirectActionBuilder@42012006 | credentialsExtractor: com.dgc.plat.cas.steam.SteamCredentialsExtractor@588ce794 | authenticator: com.dgc.plat.cas.steam.SteamAuthenticator@4451888 | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@1ad37e48 | logoutActionBuilder: org.pac4j.core.logout.NoLogoutActionBuilder@51196c04 | authorizationGenerators: [] |]
01-17 14:22:39 DEBUG support.ClientAuthenticationHandler - userProfile: [#SteamOpenIdProfile# | id: http://steamcommunity.com/openid/id/1234567890 | attributes: {} | roles: [] | permissions: [] | isRemembered: false | clientName: SteamOpenIdClient | linkedId: null |]
01-17 14:22:39 DEBUG authentication.AbstractAuthenticationManager - Authentication handler [OpenIdClientAuthHandler] successfully authenticated [org.apereo.cas.authentication.principal.ClientCredential@3a86ccf3[id=http://steamcommunity.com/openid/id/1234567890]]
01-17 14:22:39 DEBUG authentication.AbstractAuthenticationManager - No principal resolution is configured for [OpenIdClientAuthHandler]. Falling back to handler principal [http://steamcommunity.com/openid/id/1234567890]
01-17 14:22:39 DEBUG authentication.AbstractAuthenticationManager - Final principal resolved for this authentication event is [http://steamcommunity.com/openid/id/1234567890]
01-17 14:22:39 DEBUG policy.AnyAuthenticationPolicy - Authentication policy is satisfied having found at least one authentication transactions
01-17 14:22:39 INFO authentication.AbstractAuthenticationManager - Authenticated principal [http://steamcommunity.com/openid/id/1234567890] with attributes [{}] via credentials [[org.apereo.cas.authentication.principal.ClientCredential@3a86ccf3[id=http://steamcommunity.com/openid/id/1234567890]]].
01-17 14:22:39 DEBUG authentication.AbstractAuthenticationManager - Invoking authentication metadata populators for authentication transaction
01-17 14:22:39 DEBUG support.ClientAuthenticationHandler - clientName: [SteamOpenIdClient]
01-17 14:22:39 DEBUG support.ClientAuthenticationHandler - client: [#SteamOpenIdClient# | name: SteamOpenIdClient | callbackUrl: https://auth-test.daybreakgames.com/login?client_name=SteamOpenIdClient | urlResolver: org.pac4j.core.http.DefaultUrlResolver@281e917c | ajaxRequestResolver: org.pac4j.core.http.DefaultAjaxRequestResolver@5079ce36 | includeClientNameInCallbackUrl: true | redirectActionBuilder: com.dgc.plat.cas.steam.SteamRedirectActionBuilder@42012006 | credentialsExtractor: com.dgc.plat.cas.steam.SteamCredentialsExtractor@588ce794 | authenticator: com.dgc.plat.cas.steam.SteamAuthenticator@4451888 | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@1ad37e48 | logoutActionBuilder: org.pac4j.core.logout.NoLogoutActionBuilder@51196c04 | authorizationGenerators: [] |]
01-17 14:22:39 DEBUG support.ClientAuthenticationHandler - userProfile: [#SteamOpenIdProfile# | id: http://steamcommunity.com/openid/id/1234567890 | attributes: {} | roles: [] | permissions: [] | isRemembered: false | clientName: SteamOpenIdClient | linkedId: null |]
01-17 14:22:39 DEBUG authentication.AbstractAuthenticationManager - Authentication handler [OpenIdClientAuthHandler] successfully authenticated [org.apereo.cas.authentication.principal.ClientCredential@3a86ccf3[id=http://steamcommunity.com/openid/id/1234567890]]
01-17 14:22:39 DEBUG authentication.AbstractAuthenticationManager - No principal resolution is configured for [OpenIdClientAuthHandler]. Falling back to handler principal [http://steamcommunity.com/openid/id/1234567890]
01-17 14:22:39 DEBUG authentication.AbstractAuthenticationManager - Final principal resolved for this authentication event is [http://steamcommunity.com/openid/id/1234567890]
01-17 14:22:39 DEBUG policy.AnyAuthenticationPolicy - Authentication policy is satisfied having found at least one authentication transactions
01-17 14:22:39 INFO authentication.AbstractAuthenticationManager - Authenticated principal [http://steamcommunity.com/openid/id/1234567890] with attributes [{}] via credentials [[org.apereo.cas.authentication.principal.ClientCredential@3a86ccf3[id=http://steamcommunity.com/openid/id/1234567890]]].
01-17 14:22:39 DEBUG authentication.AbstractAuthenticationManager - Invoking authentication metadata populators for authentication transaction
Jérôme LELEU
Jan 18, 2018, 9:28:19 AM1/18/18
to CAS Community
Hi,
I guess it depends on the way you built your SteamOpenIdClient, but in pac4j you can control which attribute is used for the identifier.
Thanks.
Best regards,
Jérôme
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/edc77f19-4b1f-4e06-86c2-cd009dcff0a2%40apereo.org.
FritzTheWonderMutt
Jan 18, 2018, 12:12:15 PM1/18/18
to CAS Community
That's just the way Steam returns the steamId per their doc:
https://partner.steamgames.com/doc/features/auth#website
So at some point you'd need to strip it off the end. I ended up extending ClientAuthenticationHandler to do some extra work so I pull out the steamId there.
https://partner.steamgames.com/doc/features/auth#website
So at some point you'd need to strip it off the end. I ended up extending ClientAuthenticationHandler to do some extra work so I pull out the steamId there.
Jérôme LELEU
Jan 19, 2018, 10:00:40 AM1/19/18
to CAS Community
OK. I guess you could have achieved the same result with a specific pac4j ProfileDefinition configuration...
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/57b68256-ba57-40ef-9a72-a68c454feb04%40apereo.org.
FritzTheWonderMutt
Jan 19, 2018, 2:47:06 PM1/19/18
to CAS Community
The one with your name on it? ;D
You're right, that's a much better place for it.
Thanks.
You're right, that's a much better place for it.
Thanks.
Jérôme LELEU
Jan 22, 2018, 4:16:21 AM1/22/18
to CAS Community
And feel free to contribute your Steam client to the pac4j project if you have time...
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/a4ac454f-023c-4c82-9687-448857db7d7d%40apereo.org.
Reply all
Reply to author
Forward
0 new messages