Hi Philippe, it seems that gauth validation is now fixed (https://github.com/apereo/cas/commit/e7cb3b8b44867addcb6b8510cbbed45cbc9b265f).

Pavlos

On Tue, Mar 9, 2021 at 10:19 PM 'Philippe MARASSE' via CAS Community <[email protected]> wrote:
> Folks,
>
> Since we've installed our new cas v6.3.0 with MFA (gauth or u2f), we've run into a strange issue:
> - TOTP registering works fine, first check of TOTP code is verified ok (a bad code is rejected, as expected)
> - TOTP input before accessing a service is asked, but whatever numerical input can be sent, it will always be accepted ??
>
> In other words: Google authenticator TOTP does not work for us.
>
> I've set trace level on org.apereo.cas.gauth package, then used 1234 as TOTP token (expected tokens are 6 digit long):
>
> 2021-03-09 20:59:30,214 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Attempting authentication of [1234] using [GoogleAuthenticatorAuthenticationHandler]>
> 2021-03-09 20:59:30,215 TRACE [org.apereo.cas.gauth.credential.GoogleAuthenticatorOneTimeTokenCredentialValidator] - <Received OTP [1234] assigned to account [1614873350660]>
> 2021-03-09 20:59:30,215 TRACE [org.apereo.cas.gauth.credential.GoogleAuthenticatorOneTimeTokenCredentialValidator] - <Received principal id [testuser]. Attempting to locate account in credential repository...>
> 2021-03-09 20:59:30,215 TRACE [org.apereo.cas.gauth.credential.RedisGoogleAuthenticatorTokenCredentialRepository] - <Fetching Google Authenticator records based on key [RedisGoogleAuthenticatorTokenCredentialRepository:testuser:*]>
> 2021-03-09 20:59:30,218 TRACE [org.apereo.cas.gauth.credential.GoogleAuthenticatorOneTimeTokenCredentialValidator] - <Attempting to locate OTP token [1234] in token repository for [testuser]...>
> 2021-03-09 20:59:30,219 TRACE [org.apereo.cas.gauth.token.GoogleAuthenticatorRedisTokenRepository] - <Locating token by identifier [testuser] using key [GoogleAuthenticatorRedisTokenRepository:testuser:1234]>
> 2021-03-09 20:59:30,220 DEBUG [org.apereo.cas.gauth.credential.GoogleAuthenticatorOneTimeTokenCredentialValidator] - <Attempting to authorize OTP token [1234]...>
> 2021-03-09 20:59:30,232 DEBUG [org.apereo.cas.gauth.GoogleAuthenticatorAuthenticationHandler] - <Validated OTP token [OneTimeToken(id=1615319970224, token=1234, userId=testuser, issuedDateTime=2021-03-09T20:59:30.224663)] successfully for [testuser]>
> 2021-03-09 20:59:30,232 TRACE [org.apereo.cas.gauth.token.GoogleAuthenticatorRedisTokenRepository] - <Saving token [OneTimeToken(id=1615319970224, token=1234, userId=testuser, issuedDateTime=2021-03-09T20:59:30.224663)] using key [GoogleAuthenticatorRedisTokenRepository:testuser:1234]>
> 2021-03-09 20:59:30,281 TRACE [org.apereo.cas.gauth.token.GoogleAuthenticatorRedisTokenRepository] - <Saved token [OneTimeToken(id=1615319970224, token=1234, userId=testuser, issuedDateTime=2021-03-09T20:59:30.224663)]>
> 2021-03-09 20:59:30,282 DEBUG [org.apereo.cas.gauth.GoogleAuthenticatorAuthenticationHandler] - <Creating authentication result and building principal for [testuser]>
> 2021-03-09 20:59:30,282 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication handler [GoogleAuthenticatorAuthenticationHandler] successfully authenticated [GoogleAuthenticatorTokenCredential(super=OneTimeTokenCredential(token=1234), accountId=1614873350660)]>
>
> our dependencies:
>
> dependencies {
>     implementation "org.apereo.cas:cas-server-support-ldap:${project.'cas.version'}"
>     implementation "org.apereo.cas:cas-server-support-json-service-registry:${project.'cas.version'}"
>     implementation "org.apereo.cas:cas-server-support-reports:${project.'cas.version'}"
>
>     implementation "org.apereo.cas:cas-server-support-u2f:${project.'cas.version'}"
>     implementation "org.apereo.cas:cas-server-support-u2f-redis:${project.'cas.version'}"
>
>     implementation "org.apereo.cas:cas-server-support-gauth:${project.'cas.version'}"
>     implementation "org.apereo.cas:cas-server-support-gauth-redis:${project.'cas.version'}"
>
>     implementation "org.apereo.cas:cas-server-support-saml:${project.'cas.version'}"
>
>     implementation "org.apereo.cas:cas-server-support-redis-ticket-registry:${project.'cas.version'}"
> }
>
> And relevant configuration in cas.properties:
>
> cas.authn.mfa.gauth.code-digits=6
> cas.authn.mfa.gauth.time-step-size=30
> cas.authn.mfa.gauth.rank=2
>
> Any idea?
>
> Regards.
>
> --
> Philippe MARASSE
>
> Responsable pôle Infrastructures - DSIO
> Centre Hospitalier Henri Laborit
> CS 10587 - 370 avenue Jacques Cœur
> 86021 Poitiers Cedex
> Tel : 05.49.44.57.19
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/dc1587ac-f726-9fc1-00fb-bf37260690c0%40ch-poitiers.fr.
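The failure Philippe's trace shows is a validator that authorizes any numeric input. As an added example (not CAS's own code and not the fix in the commit linked above), this is what a correct TOTP check for the quoted configuration (6 digits, 30-second step) has to do before it authorizes a token: enforce the code length, refuse a token already recorded in the token repository, and compare the submitted code in constant time against the codes computed for the current step and its neighbours. The secret, the one-step drift window and the in-memory `used` set are constructed stand-ins.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample values; CAS would load the secret from the credential repository.
SECRET = b"12345678901234567890"  # RFC 6238 reference secret for HMAC-SHA1
CODE_DIGITS = 6   # cas.authn.mfa.gauth.code-digits=6
TIME_STEP = 30    # cas.authn.mfa.gauth.time-step-size=30
WINDOW = 1        # accept one time step of clock drift either side (assumed policy)


def totp(secret, counter, digits=CODE_DIGITS):
    """RFC 6238 code: HMAC-SHA1 over the big-endian step counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OneTimeTokenValidator:
    """The checks a validator must pass before it authorizes a submitted token."""

    def __init__(self, secret):
        self.secret = secret
        self.used = set()  # stands in for the (userId, token) rows of the token repository

    def validate(self, user, token, now=None):
        now = int(time.time()) if now is None else now
        # 1. Shape: exactly code-digits decimal digits, so "1234" is refused outright.
        if len(token) != CODE_DIGITS or not token.isdigit():
            return False
        # 2. Replay: a token already saved for this user must not authorize again.
        if (user, token) in self.used:
            return False
        # 3. Value: constant-time compare against every step inside the drift window.
        step = now // TIME_STEP
        for counter in range(max(0, step - WINDOW), step + WINDOW + 1):
            if hmac.compare_digest(totp(self.secret, counter), token):
                self.used.add((user, token))  # record it, as the "Saving token" log line does
                return True
        return False
```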
