Hello Oscar,

This is an example of one possible solution:
Our cas project (based on cas-4.0.x) uses Delegated Authentication 
(Facebook/Google/Twitter) to perform "one click" SignUp/SignIn.
We use a custom auth handler that uses the attributes (email, first_name, 
surname) returned by Facebook/Google/Twitter to either:
a) SignIn the user if a user with that email exists in the system already, OR
b) SignUp: create the user in our system, and proceed to SignIn

So at that point in the code where we are receiving/processing the email 
address returned by Facebook/Google/Twitter:
https://github.com/AtlasOfLivingAustralia/ala-cas-2.0/blob/master/src/main/java/org/jasig/cas/support/pac4j/authentication/handler/support/ALAClientAuthenticationHandler.java#L121

one could do the type of filtering you want:
a) hardcode it there
b) externalize the email validation/check regexp into some 
properties/config file so 
c) fast/phugly hack: do the filtering in your LDAP, SQL query,
etc.

regards,

martin

On Wednesday, January 24, 2018 at 2:10:34 AM UTC+11, Oscar del Pozo wrote:
>
> Hi!
>
> I'm migrating from CAS 4.0.5 to 5.2.1 and everything has gone perfect but 
> I'm facing a problem with the Google OAuth authentication.
>
> I have configured a delegated authentication to Google with pac4j 
> successfully but I need to make a modification: only allow the emails which 
> end with *@companyname.com* (I do agree that 
> this kind of thing should not be done at CAS because this is about 
> authorization and not authentication, but I have to)
>
> I have added a new AuthorizationGenerator to the Google2Client instance 
> so, after retrieving the user profile with the *Google2ProfileDefinition* 
> class, I make my validation and, in case the user email is not a 
> valid one, I set the profile identifier to blank. The blank 
> identifier causes a *FailedLoginException* at 
> *AbstractPac4jAuthenticationHandler*.
>
> Everything seems to work fine but finally, I get the following exception 
> and the CAS error page is shown.
>  
>
> 2018-01-23 15:58:48,581 DEBUG 
>> [org.pac4j.oauth.profile.creator.OAuth20ProfileCreator] - <add 
>> access_token: ya29.Glx....... to profile>
>> 2018-01-23 15:58:48,581 DEBUG 
>> [org.pac4j.oauth.profile.google2.Google2Profile] - <adding => key: 
>> access_token / value:XXX-XXX / class java.lang.String>
>> 2018-01-23 15:58:48,581 DEBUG [org.pac4j.oauth.client.Google2Client] - 
>> <profile: #Google2Profile# | id: 112368488543222222114 | attributes: 
>> {name.familyName=del Pozo, 
>> emails=[org.pac4j.oauth.profile.google2.Google2Email@64f6a901], 
>> access_token=..., gender=MALE, displayName=Oscar del Pozo, 
>> name.givenName=Oscar, ... |>
>> 2018-01-23 15:58:49,599 WARN 
>> [org.apereo.cas.support.pac4j.oauth.MyProfileAuthorizationGenerator] 
>> - <Invalid user email>
>> 2018-01-23 15:58:49,599 DEBUG 
>> [org.pac4j.oauth.profile.google2.Google2Profile] 
>> - <identifier: >
>> 2018-01-23 15:58:51,789 ERROR 
>> [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
>> <Authentication has failed. Credentials may be incorrect or CAS cannot find 
>> authentication handler that supports 
>> [org.apereo.cas.authentication.principal.ClientCredential@2f8fc6b0[id=<null>]]
>>  
>> of type [ClientCredential].>
>> 2018-01-23 15:58:53,216 INFO 
>> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit 
>> trail record BEGIN
>> =============================================================
>> WHO: null
>> WHAT: Supplied credentials: 
>> [org.apereo.cas.authentication.principal.ClientCredential@2f8fc6b0[id=<null>]]
>> ACTION: AUTHENTICATION_SUCCESS   (This is a reported bug, the 
>> authentication has actually failed: 
>> https://github.com/apereo/inspektr/pull/10)
>> APPLICATION: CAS
>> WHEN: Tue Jan 23 15:58:53 CET 2018
>> CLIENT IP ADDRESS: 192.168.56.1
>> SERVER IP ADDRESS: 192.168.56.1
>> =============================================================
>> >
>> 2018-01-23 15:58:53,247 ERROR 
>> [org.springframework.boot.web.support.ErrorPageFilter] - <Forwarding to 
>> error page from request [/login] due to exception [Exception thrown 
>> executing 
>> org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationAction@848f27e
>>  
>> in state 'clientAction' of flow 'login' -- action execution attributes were 
>> 'map[[empty]]']>
>
>         at 
>> org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:60)
>>  
>> ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>>         at 
>> org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:77)
>>  
>> ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>>         at 
>> org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
>>  
>> ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE] 
>> [...]
>> Caused by: org.apereo.cas.authentication.AuthenticationException: 1 
>> errors, 0 successes
>> at 
>> org.apereo.cas.authentication.PolicyBasedAuthenticationManager.evaluateFinalAuthentication(PolicyBasedAuthenticationManager.java:400)
>>  
>> ~[cas-server-core-authentication-5.2.1.jar:5.2.1]
>> at 
>> org.apereo.cas.authentication.PolicyBasedAuthenticationManager.authenticateInternal(PolicyBasedAuthenticationManager.java:380)
>>  
>> ~[cas-server-core-authentication-5.2.1.jar:5.2.1]
>> at 
>> org.apereo.cas.authentication.PolicyBasedAuthenticationManager.authenticate(PolicyBasedAuthenticationManager.java:220)
>>  
>> ~[cas-server-core-authentication-5.2.1.jar:5.2.1]
>
>
>
> Is my approach correct? Is it possible to not show this CAS error and 
> go to the 403 view?
>
>
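An illustration of the domain filtering both messages discuss: Martin's option (b), an allow-list externalised into a properties file, placed beside the kind of "ends with @companyname.com" suffix check Oscar's question describes. This is an added example, not code from the ala-cas-2.0 project, CAS or pac4j; it deliberately uses no pac4j types, so calling `isAllowed` from the custom auth handler or an AuthorizationGenerator is assumed rather than shown, the property key `example.allowedEmailDomains` is a placeholder, and the sample addresses are constructed (only the `companyname.com` domain comes from the thread).

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Locale;
import java.util.Properties;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Exact allow-list check on the domain part of an e-mail address returned by
 * a delegated provider (Google/Facebook/Twitter).
 * Added example: not code from ala-cas-2.0, CAS or pac4j. Wiring isAllowed()
 * into the auth handler or AuthorizationGenerator is assumed and not shown.
 */
public final class AllowedEmailDomainPolicy {

    /** Placeholder (hypothetical) property key for the externalised allow-list. */
    static final String PROPERTY_KEY = "example.allowedEmailDomains";

    /**
     * The loose "ends with companyname.com" check, kept only for contrast:
     * the unescaped '.' matches any character and nothing ties the match to
     * the '@' boundary, so look-alike domains slip through.
     */
    private static final Pattern NAIVE_SUFFIX = Pattern.compile("companyname.com$");

    private final Set<String> allowedDomains;

    public AllowedEmailDomainPolicy(Set<String> domains) {
        Set<String> normalised = new LinkedHashSet<>();
        for (String d : domains) {
            String t = d.trim().toLowerCase(Locale.ROOT); // case-fold once, at load time
            if (!t.isEmpty()) {
                normalised.add(t);
            }
        }
        this.allowedDomains = Collections.unmodifiableSet(normalised);
    }

    /** Option (b) from the reply: read a comma-separated list from a properties file. */
    public static AllowedEmailDomainPolicy fromProperties(Properties props) {
        String raw = props.getProperty(PROPERTY_KEY, "");
        return new AllowedEmailDomainPolicy(new LinkedHashSet<>(Arrays.asList(raw.split(","))));
    }

    /**
     * Strict check: exactly one '@', a non-empty local part, a non-empty
     * domain, and the domain must equal an allow-listed entry after case
     * folding. Addresses with several '@' are rejected as ambiguous rather
     * than parsed.
     */
    public boolean isAllowed(String email) {
        if (email == null) {
            return false;
        }
        String e = email.trim();
        int at = e.indexOf('@');
        if (at <= 0 || at != e.lastIndexOf('@') || at == e.length() - 1) {
            return false;
        }
        String domain = e.substring(at + 1).toLowerCase(Locale.ROOT);
        return allowedDomains.contains(domain);
    }

    /** The loose suffix check, for comparison only. */
    public static boolean naiveSuffixCheck(String email) {
        return email != null && NAIVE_SUFFIX.matcher(email).find();
    }

    public static void main(String[] args) {
        Properties props = new Properties();
        props.setProperty(PROPERTY_KEY, "companyname.com, Sub.CompanyName.com");
        AllowedEmailDomainPolicy policy = fromProperties(props);

        // Constructed sample addresses; only the domain name comes from the thread.
        String[] samples = {
            "oscar@companyname.com",                    // genuine, lower case
            "Oscar@CompanyName.COM",                    // genuine, mixed case: naive check fails it
            "someone@sub.companyname.com",              // second allow-listed domain
            "mallory@evilcompanyname.com",              // naive: suffix matches without '@' boundary
            "mallory@companynameXcom",                  // naive: unescaped '.' matches 'X'
            "mallory@attacker.example@companyname.com", // two '@' signs
            "mallory@companyname.com.attacker.example", // look-alike subdomain
            "@companyname.com",                         // empty local part
            ""
        };
        System.out.printf("%-45s %-7s %s%n", "address", "strict", "naive");
        for (String s : samples) {
            System.out.printf("%-45s %-7b %b%n", s, policy.isAllowed(s), naiveSuffixCheck(s));
        }
    }
}
```

Run with `java AllowedEmailDomainPolicy.java` (JDK 11 or later). The table it prints shows the strict check accepting only the three genuine addresses, while the suffix regex accepts `evilcompanyname.com`, `companynameXcom`, the double-`@` address and the empty local part, and rejects the legitimate mixed-case one. Whichever hook point is used (the handler line Martin links, or an AuthorizationGenerator as in the question), the decision should be the exact domain comparison, and the allow-list belongs in configuration so a domain change does not require a rebuild.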

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/35efe7a1-7d3d-457f-9086-e582ab344b92%40apereo.org.