Hi all, I have found an issue with Delegated Authentication in the CAS 6.2.x branch (latest one, 6.2.6).
After login, I found that the UserProfile is not returned after logging in using Delegated Authentication, below is an example using Google as 3rd party idp.

======================================================
2020-12-07 10:39:03,817 ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [ClientCredential(credentials=#OAuth20Credentials# | code: 4/0AY0e-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXQm0vSNOo732s6zvIqkTjepvcw | accessToken: com.github.scribejava.apis.openid.OpenIdOAuth2AccessToken@f1986644 |, clientName=GoogleProvider, typedIdUsed=true, userProfile=null)] of type [ClientCredential]. Examine the configuration to ensure a method of authentication is defined and analyze CAS logs at DEBUG level to trace the authentication event.
2020-12-07 10:39:03,818 ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - [DelegatedClientAuthenticationHandler]: [Unable to fetch user profile]
======================================================

After some digging, I found that if I add the following in `DelegatedClientAuthenticationAction`, the user profile can be fetched and login can proceed like normal:

https://github.com/apereo/cas/blob/v6.2.6/support/cas-server-support-pac4j-webflow/src/main/java/org/apereo/cas/web/flow/DelegatedClientAuthenticationAction.java#L228

DelegatedClientAuthenticationAction:
====================
/**
 * Add in user profile to clientCredential if not existent from credentials
 *
 * @param client         the client
 * @param webContext     the web context
 * @param requestContext the request context
 */
@Override
protected void populateContextWithClientCredential(final BaseClient<Credentials> client,
                                                   final JEEContext webContext,
                                                   final RequestContext requestContext) {
    LOGGER.debug("Fetching credentials from delegated client [{}]", client);
    val credentials = getCredentialsFromDelegatedClient(webContext, client);
    val clientCredential = new ClientCredential(credentials, client.getName());

    // Customization: Add user profile from credential to clientCredential
    Optional<UserProfile> userProfile = client.getProfileCreator().create(credentials, webContext);
    if (userProfile.isPresent()) {
        CommonProfile commonProfile = (CommonProfile) userProfile.get();
        clientCredential.setUserProfile(commonProfile);
    }
    // Customization: Add user profile from credential to clientCredential END

    LOGGER.info("Credentials are successfully authenticated using the delegated client [{}]", client.getName());
    WebUtils.putCredential(requestContext, clientCredential);
}
======================

Our Delegated Authentication flow is heavily customized, so it is possible this is an issue from our customization. However, if others have encountered a similar issue, it might be a bug and need fixing. See if this is a broad issue.

Thanks! Cheers!
- Andy
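
An added example, not part of the original post or the CAS project: a small Python triage script for the failure signature shown in the log above. It counts ERROR lines whose `ClientCredential` carries `userProfile=null`, grouped by `clientName`, and masks the OAuth authorization code before the lines are shared; the sample log is constructed and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample modelled on the log excerpt in the post; all values are placeholders.
SAMPLE_LOG = """\
2020-12-07 10:39:03,817 ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [ClientCredential(credentials=#OAuth20Credentials# | code: 4/PLACEHOLDER-CODE | accessToken: com.github.scribejava.apis.openid.OpenIdOAuth2AccessToken@0 |, clientName=GoogleProvider, typedIdUsed=true, userProfile=null)] of type [ClientCredential].
2020-12-07 10:39:03,818 ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - [DelegatedClientAuthenticationHandler]: [Unable to fetch user profile]
2020-12-07 10:41:10,002 INFO [example.Logger] - unrelated line
"""

# The authorization code printed by the credential's toString() ("code: <value>").
CODE_RE = re.compile(r"(\bcode:\s*)[^\s|]+")
# clientName and userProfile fields inside the ClientCredential(...) dump.
CRED_RE = re.compile(
    r"ClientCredential\(.*?clientName=(?P<client>[^,)]+)"
    r".*?userProfile=(?P<profile>[^,)]+)\)"
)


def redact(text):
    """Mask OAuth authorization codes so log excerpts can be shared safely."""
    return CODE_RE.sub(r"\1[REDACTED]", text)


def null_profile_failures(log_text):
    """Count ERROR lines with userProfile=null, keyed by delegated client name."""
    counts = Counter()
    for line in log_text.splitlines():
        match = CRED_RE.search(line)
        if match and " ERROR " in line and match.group("profile") == "null":
            counts[match.group("client")] += 1
    return counts


if __name__ == "__main__":
    for client, hits in null_profile_failures(SAMPLE_LOG).items():
        print(f"{client}: {hits} delegated login(s) failed with userProfile=null")
    print(redact(SAMPLE_LOG.splitlines()[0]))
```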