Hi!
I'm migrating from CAS 4.0.5 to 5.2.1 and everything has gone perfectly, but
I'm facing a problem with the Google OAuth authentication.
I have successfully configured delegated authentication to Google with pac4j,
but I need to make a modification: only allow the emails which end with
*@companyname.com* (I do agree that this kind of thing should not be done at
CAS because this is about authorization and not authentication, but I have to).
I have added a new AuthorizationGenerator to the Google2Client instance so that,
after retrieving the user profile with the *Google2ProfileDefinition* class,
I make my validation and, in case the user email is not a valid one, I set the
profile identifier to blank. The blank identifier causes a *FailedLoginException*
at *AbstractPac4jAuthenticationHandler*.
Everything seems to work fine, but finally I get the following exception
and the CAS error page is shown.
> 2018-01-23 15:58:48,581 DEBUG
> [org.pac4j.oauth.profile.creator.OAuth20ProfileCreator] - <add
> access_token: ya29.Glx....... to profile>
> 2018-01-23 15:58:48,581 DEBUG
> [org.pac4j.oauth.profile.google2.Google2Profile] - <adding => key:
> access_token / value:XXX-XXX / class java.lang.String>
> 2018-01-23 15:58:48,581 DEBUG [org.pac4j.oauth.client.Google2Client] -
> <profile: #Google2Profile# | id: 112368488543222222114 | attributes:
> {name.familyName=del Pozo,
> emails=[org.pac4j.oauth.profile.google2.Google2Email@64f6a901],
> access_token=..., gender=MALE, displayName=Oscar del Pozo,
> name.givenName=Oscar, ... |>
> 2018-01-23 15:58:49,599 WARN
> [org.apereo.cas.support.pac4j.oauth.MyProfileAuthorizationGenerator]
> - <Invalid user email>
> 2018-01-23 15:58:49,599 DEBUG
> [org.pac4j.oauth.profile.google2.Google2Profile]
> - <identifier: >
> 2018-01-23 15:58:51,789 ERROR
> [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -
> <Authentication has failed. Credentials may be incorrect or CAS cannot find
> authentication handler that supports
> [org.apereo.cas.authentication.principal.ClientCredential@2f8fc6b0[id=<null>]]
>
> of type [ClientCredential].>
> 2018-01-23 15:58:53,216 INFO
> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit
> trail record BEGIN
> =============================================================
> WHO: null
> WHAT: Supplied credentials:
> [org.apereo.cas.authentication.principal.ClientCredential@2f8fc6b0[id=<null>]]
> ACTION: AUTHENTICATION_SUCCESS (This is a reported bug, the
> authentication has actually failed:
> https://github.com/apereo/inspektr/pull/10)
> APPLICATION: CAS
> WHEN: Tue Jan 23 15:58:53 CET 2018
> CLIENT IP ADDRESS: 192.168.56.1
> SERVER IP ADDRESS: 192.168.56.1
> =============================================================
> >
> 2018-01-23 15:58:53,247 ERROR
> [org.springframework.boot.web.support.ErrorPageFilter] - <Forwarding to
> error page from request [/login] due to exception [Exception thrown
> executing
> org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationAction@848f27e
>
> in state 'clientAction' of flow 'login' -- action execution attributes were
> 'map[[empty]]']>
> at
> org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:60)
>
> ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
> at
> org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:77)
>
> ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
> at
> org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
>
> ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
> [...]
> Caused by: org.apereo.cas.authentication.AuthenticationException: 1
> errors, 0 successes
> at
> org.apereo.cas.authentication.PolicyBasedAuthenticationManager.evaluateFinalAuthentication(PolicyBasedAuthenticationManager.java:400)
>
> ~[cas-server-core-authentication-5.2.1.jar:5.2.1]
> at
> org.apereo.cas.authentication.PolicyBasedAuthenticationManager.authenticateInternal(PolicyBasedAuthenticationManager.java:380)
>
> ~[cas-server-core-authentication-5.2.1.jar:5.2.1]
> at
> org.apereo.cas.authentication.PolicyBasedAuthenticationManager.authenticate(PolicyBasedAuthenticationManager.java:220)
>
> ~[cas-server-core-authentication-5.2.1.jar:5.2.1]
Is my approach correct? Is it possible not to show this CAS error and
go to the 403 view?
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/b4a8894e-1672-4c52-84e4-707f517454af%40apereo.org.
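As an added example (not the poster's code and not part of the original message), one way to write the AuthorizationGenerator described above, assuming the pac4j 2.x signature `generate(WebContext, profile)`; the class name, the allowed domain and the Google client credentials are placeholders. It compares the whole domain part after the '@' rather than a bare string suffix, so a lookalike domain that merely ends in the same characters is not accepted.

```java
import java.util.Locale;

import org.pac4j.core.authorization.generator.AuthorizationGenerator;
import org.pac4j.core.context.WebContext;
import org.pac4j.oauth.client.Google2Client;
import org.pac4j.oauth.profile.google2.Google2Profile;

/**
 * Added example (not the poster's code): rejects a delegated Google profile whose
 * primary e-mail is not in the allowed domain by blanking its identifier, which is
 * the approach described in the message. Class name and domain are placeholders.
 */
public class AllowedDomainAuthorizationGenerator implements AuthorizationGenerator<Google2Profile> {

    private final String allowedDomain; // e.g. "companyname.com" (placeholder value)

    public AllowedDomainAuthorizationGenerator(final String allowedDomain) {
        this.allowedDomain = allowedDomain.toLowerCase(Locale.ROOT);
    }

    /** True only when the address has exactly one '@' and the part after it equals the allowed domain. */
    boolean isAllowed(final String email) {
        if (email == null) {
            return false;
        }
        final int at = email.indexOf('@');
        if (at <= 0 || at != email.lastIndexOf('@')) {
            return false;
        }
        // Compare the full domain part, not a suffix: "companyname.com" must not
        // match "notcompanyname.com", so the '@' separator is part of the check.
        return email.substring(at + 1).toLowerCase(Locale.ROOT).equals(allowedDomain);
    }

    @Override
    public Google2Profile generate(final WebContext context, final Google2Profile profile) {
        if (!isAllowed(profile.getEmail())) {
            // Blank identifier: AbstractPac4jAuthenticationHandler then raises FailedLoginException
            profile.setId("");
        }
        return profile;
    }

    /** Wiring: attach the generator to the Google2Client (key and secret are placeholders). */
    public static Google2Client configuredClient() {
        final Google2Client client = new Google2Client("GOOGLE_CLIENT_ID_PLACEHOLDER",
                                                      "GOOGLE_CLIENT_SECRET_PLACEHOLDER");
        client.addAuthorizationGenerator(new AllowedDomainAuthorizationGenerator("companyname.com"));
        return client;
    }
}
```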