Folks,

Since we've installed our new CAS v6.3.0 with MFA (gauth or u2f), we've run into a strange issue:
- TOTP registration works fine; the first check of the TOTP code is verified OK (a bad code is rejected, as expected).
- TOTP input is requested before accessing a service, but whatever numerical input is sent, it is always accepted??

In other words: Google Authenticator TOTP does not work for us.
I've set the trace level on the org.apereo.cas.gauth package, then used 1234 as the TOTP token (expected tokens are 6 digits long):
2021-03-09 20:59:30,214 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Attempting authentication of [1234] using [GoogleAuthenticatorAuthenticationHandler]>
2021-03-09 20:59:30,215 TRACE [org.apereo.cas.gauth.credential.GoogleAuthenticatorOneTimeTokenCredentialValidator] - <Received OTP [1234] assigned to account [1614873350660]>
2021-03-09 20:59:30,215 TRACE [org.apereo.cas.gauth.credential.GoogleAuthenticatorOneTimeTokenCredentialValidator] - <Received principal id [testuser]. Attempting to locate account in credential repository...>
2021-03-09 20:59:30,215 TRACE [org.apereo.cas.gauth.credential.RedisGoogleAuthenticatorTokenCredentialRepository] - <Fetching Google Authenticator records based on key [RedisGoogleAuthenticatorTokenCredentialRepository:testuser:*]>
2021-03-09 20:59:30,218 TRACE [org.apereo.cas.gauth.credential.GoogleAuthenticatorOneTimeTokenCredentialValidator] - <Attempting to locate OTP token [1234] in token repository for [testuser]...>
2021-03-09 20:59:30,219 TRACE [org.apereo.cas.gauth.token.GoogleAuthenticatorRedisTokenRepository] - <Locating token by identifier [testuser] using key [GoogleAuthenticatorRedisTokenRepository:testuser:1234]>
2021-03-09 20:59:30,220 DEBUG [org.apereo.cas.gauth.credential.GoogleAuthenticatorOneTimeTokenCredentialValidator] - <Attempting to authorize OTP token [1234]...>
2021-03-09 20:59:30,232 DEBUG [org.apereo.cas.gauth.GoogleAuthenticatorAuthenticationHandler] - <Validated OTP token [OneTimeToken(id=1615319970224, token=1234, userId=testuser, issuedDateTime=2021-03-09T20:59:30.224663)] successfully for [testuser]>
2021-03-09 20:59:30,232 TRACE [org.apereo.cas.gauth.token.GoogleAuthenticatorRedisTokenRepository] - <Saving token [OneTimeToken(id=1615319970224, token=1234, userId=testuser, issuedDateTime=2021-03-09T20:59:30.224663)] using key [GoogleAuthenticatorRedisTokenRepository:testuser:1234]>
2021-03-09 20:59:30,281 TRACE [org.apereo.cas.gauth.token.GoogleAuthenticatorRedisTokenRepository] - <Saved token [OneTimeToken(id=1615319970224, token=1234, userId=testuser, issuedDateTime=2021-03-09T20:59:30.224663)]>
2021-03-09 20:59:30,282 DEBUG [org.apereo.cas.gauth.GoogleAuthenticatorAuthenticationHandler] - <Creating authentication result and building principal for [testuser]>
2021-03-09 20:59:30,282 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication handler [GoogleAuthenticatorAuthenticationHandler] successfully authenticated [GoogleAuthenticatorTokenCredential(super=OneTimeTokenCredential(token=1234), accountId=1614873350660)]>
Our dependencies:

dependencies {
    implementation "org.apereo.cas:cas-server-support-ldap:${project.'cas.version'}"
    implementation "org.apereo.cas:cas-server-support-json-service-registry:${project.'cas.version'}"
    implementation "org.apereo.cas:cas-server-support-reports:${project.'cas.version'}"
    implementation "org.apereo.cas:cas-server-support-u2f:${project.'cas.version'}"
    implementation "org.apereo.cas:cas-server-support-u2f-redis:${project.'cas.version'}"
    implementation "org.apereo.cas:cas-server-support-gauth:${project.'cas.version'}"
    implementation "org.apereo.cas:cas-server-support-gauth-redis:${project.'cas.version'}"
    implementation "org.apereo.cas:cas-server-support-saml:${project.'cas.version'}"
    implementation "org.apereo.cas:cas-server-support-redis-ticket-registry:${project.'cas.version'}"
}
And the relevant configuration in cas.properties:
cas.authn.mfa.gauth.code-digits=6
cas.authn.mfa.gauth.time-step-size=30
cas.authn.mfa.gauth.rank=2
Any idea?
Regards.
--
Philippe MARASSE
Head of the Infrastructure unit - DSIO
Centre Hospitalier Henri Laborit
CS 10587 - 370 avenue Jacques Cœur
86021 Poitiers Cedex
Tel: 05.49.44.57.19
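As an added illustration (not code from this post, and not CAS's own implementation), here is what a TOTP validator has to establish before it accepts a code: first that the code matches the account's secret for the current time step (RFC 6238 over RFC 4226 HOTP, using the 6-digit / 30-second parameters from the cas.properties above), and only then that the same code has not already been consumed. The in-memory used-token store stands in for the Redis token repository seen in the trace; the one-step clock-skew window, the secret (the RFC 6238 test secret) and the user name are assumptions. The second check function shows what a lookup against the used-token store proves on its own: only that a value has not been seen before, which is not the same as the value being a valid code.

```python
import hashlib
import hmac
import struct

# Parameters as set in the cas.properties quoted in the post.
CODE_DIGITS = 6
TIME_STEP_SIZE = 30
# Clock-skew tolerance in time steps either side of "now" (an assumption, not from the post).
WINDOW = 1


def hotp(secret: bytes, counter: int, digits: int = CODE_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = TIME_STEP_SIZE, digits: int = CODE_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(now / step)."""
    return hotp(secret, now // step, digits)


class UsedTokenStore:
    """Stand-in for a token repository such as the Redis one in the trace.

    It remembers (user, code) pairs that were already consumed so that a code
    cannot be replayed while it is still inside the acceptance window.
    """

    def __init__(self) -> None:
        self._used: set[tuple[str, str]] = set()

    def contains(self, user: str, code: str) -> bool:
        return (user, code) in self._used

    def save(self, user: str, code: str) -> None:
        self._used.add((user, code))


def verify_totp(secret: bytes, user: str, code: str, now: int, store: UsedTokenStore) -> bool:
    """Correct acceptance order: shape check, cryptographic check, then replay check."""
    # 1. Shape: exactly CODE_DIGITS decimal digits, nothing else.
    if not (code.isdigit() and len(code) == CODE_DIGITS):
        return False
    # 2. Cryptographic check against the account secret over the skew window.
    #    Every candidate is compared (no early exit) with a constant-time compare.
    step_now = now // TIME_STEP_SIZE
    matched = False
    for delta in range(-WINDOW, WINDOW + 1):
        if hmac.compare_digest(hotp(secret, step_now + delta), code):
            matched = True
    if not matched:
        return False
    # 3. Replay check: a valid code is usable once within its window.
    if store.contains(user, code):
        return False
    store.save(user, code)
    return True


def lookup_only_check(user: str, code: str, store: UsedTokenStore) -> bool:
    """What a used-token lookup proves by itself: only that the value is new.

    Any value never seen before passes, so this can never be the whole check.
    """
    if store.contains(user, code):
        return False
    store.save(user, code)
    return True


if __name__ == "__main__":
    # Constructed demonstration with the RFC 6238 test secret at one of its test times.
    secret = b"12345678901234567890"
    now = 1111111109
    store = UsedTokenStore()
    print("1234 accepted by full check:", verify_totp(secret, "testuser", "1234", now, store))
    print("1234 accepted by lookup only:", lookup_only_check("testuser", "1234", UsedTokenStore()))
    print("current code:", totp(secret, now), "accepted:",
          verify_totp(secret, "testuser", totp(secret, now), now, store))
```

The assertions in the RFC 6238 appendix (secret `12345678901234567890`, SHA-1) give `287082` at T=59 and `081804` at T=1111111109, so the implementation can be checked against published vectors before it is trusted with real accounts. When auditing a deployment, the point to confirm is that the handler performs step 2 against the stored secret and not only step 3 against the token repository.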
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/dc1587ac-f726-9fc1-00fb-bf37260690c0%40ch-poitiers.fr.