Hi, I got the same issue. I have upgraded to 6.3.3. It works now, but it 
got a Java exception when I entered a wrong verify code. It seems not friendly.
Here are the error logs:
2021-06-04 16:57:44,260 ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [GoogleAuthenticatorTokenCredential(super=OneTimeTokenCredential(token=123456), accountId=1617172741294)] of type [GoogleAuthenticatorTokenCredential]. Examine the configuration to ensure a method of authentication is defined and analyze CAS logs at DEBUG level to trace the authentication event.>
2021-06-04 16:57:44,260 ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[castest]: [Secret cannot be null.]>
2021-06-04 16:57:44,260 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: 123456
WHAT: Supplied credentials: [GoogleAuthenticatorTokenCredential(super=OneTimeTokenCredential(token=123456), accountId=1617172741294)]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Fri Jun 04 16:57:44 CST 2021
CLIENT IP ADDRESS: 10.13.12.54
SERVER IP ADDRESS: 10.13.23.92
=============================================================

>
2021-06-04 16:57:44,260 ERROR [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - <1 errors, 0 successes>
org.apereo.cas.authentication.AuthenticationException: 1 errors, 0 successes
        at org.apereo.cas.authentication.PolicyBasedAuthenticationManager.evaluateFinalAuthentication(PolicyBasedAuthenticationManager.java:340) ~[cas-server-core-authentication-api-6.3.3.jar!/:6.3.3]
        at org.apereo.cas.authentication.PolicyBasedAuthenticationManager.authenticateInternal(PolicyBasedAuthenticationManager.java:318) ~[cas-server-core-authentication-api-6.3.3.jar!/:6.3.3]
        at org.apereo.cas.authentication.PolicyBasedAuthenticationManager.authenticate(PolicyBasedAuthenticationManager.java:63) ~[cas-server-core-authentication-api-6.3.3.jar!/:6.3.3]
        at org.apereo.cas.authentication.PolicyBasedAuthenticationManager$$FastClassBySpringCGLIB$$90e801d3.invoke(<generated>) ~[cas-server-core-authentication-api-6.3.3.jar!/:6.3.3]
        at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218) ~[spring-core-5.2.12.RELEASE.jar!/:5.2.12.RELEASE]
        at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:771) ~[spring-aop-5.2.12.RELEASE.jar!/:5.2.12.RELEASE]
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163) ~[spring-aop-5.2.12.RELEASE.jar!/:5.2.12.RELEASE]
        at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:749) ~[spring-aop-5.2.12.RELEASE.jar!/:5.2.12.RELEASE]
        at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:88) ~[spring-aop-5.2.12.RELEASE.jar!/:5.2.12.RELEASE]
        at org.apereo.inspektr.audit.AuditTrailManagementAspect.handleAuditTrail(AuditTrailManagementAspect.java:135) ~[inspektr-audit-1.8.10.GA.jar!/:1.8.10.GA]
        at jdk.internal.reflect.GeneratedMethodAccessor178.invoke(Unknown Source) ~[?:?]
        at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
        at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]

On Tuesday, April 13, 2021 at 10:47:36 PM [UTC+8], Bartosz Nitkiewicz wrote:

> It looks like it is working indeed. But you can provide any number and CAS 
> authorizes the user. Check it twice ;)
>
> On Tuesday, April 13, 2021 at 16:30:47 UTC+2, Łukasz Woźniak wrote:
>
>> Hi, I have CAS 6.3.2 with Google mfa and it works. Don't change config 
>> cas.authn.mfa.gauth.name, it should stay mfa-gauth
>>
>> On Tue, Apr 13, 2021 at 16:04, Bartosz Nitkiewicz <
>> [email protected]> wrote:
>>
>>> I have cloned CAS sources and copied 
>>> cas/support/cas-server-support-gauth-core/src/main/java/org/apereo/cas/gauth/credential/GoogleAuthenticatorOneTimeTokenCredentialValidator.java
>>> to 
>>> cas-overlay-template/src/main/java/org/apereo/cas/gauth/credential/GoogleAuthenticatorOneTimeTokenCredentialValidator.java
>>>
>>> and I have build issues down below:
>>>
>>> https://dpaste.com/8X6QFAGR2
>>>
>>>
>>> Maybe there is another way?
>>> On Tuesday, April 13, 2021 at 15:22:29 UTC+2, Philippe MARASSE wrote:
>>>
>>>> A good question indeed :-)
>>>>
>>>> I've taken a look over my overlay, it seems that I only overloaded the 
>>>> flawed class from the commit:
>>>>
>>>>
>>>> cas-overlay/src/main/java/org/apereo/cas/gauth/credential/GoogleAuthenticatorOneTimeTokenCredentialValidator.java
>>>>
>>>> CAS 6.3.2 is older than the patch I think.
>>>>
>>>> So:
>>>>   - fetch CAS sources from github
>>>>   - Copy the GoogleAuthenticatorOneTimeTokenCredentialValidator.java in 
>>>> your overlay
>>>>   - build your overlay
>>>>
>>>> and test it :-).
>>>>
>>>> Regards.
>>>>
>>>>
>>>> On 13/04/2021 at 14:24, Bartosz Nitkiewicz wrote:
>>>>
>>>> I have CAS v 6.3.2 which is quite new. But I'm not sure if it's newer 
>>>> than this patch. 
>>>> Hmm, I've cloned this overlay 
>>>> https://github.com/apereo/cas-overlay-template/tree/6.3 with latest 
>>>> commit 995813b on 14 Feb 
>>>>
>>>>
>>>> So how to make it work? I don't want to build CAS from sources: 
>>>> https://github.com/apereo/cas/tree/e7cb3b8b44867addcb6b8510cbbed45cbc9b265f
>>>>
>>>> I'm wondering, where is this 
>>>> GoogleAuthenticatorOneTimeTokenCredentialValidator.java 
>>>> <https://github.com/apereo/cas/commit/e7cb3b8b44867addcb6b8510cbbed45cbc9b265f#diff-1df13ecfa59195b04a0fb8db8cfe2d11ef4a09ef52fab4832edff1caaeeb8a81>
>>>> file after build. Maybe it's possible to replace/edit it?
>>>> Regards 
>>>> Bartek
>>>>
>>>>
>>>> On Tuesday, April 13, 2021 at 14:06:08 UTC+2, Philippe MARASSE wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> It has been fixed there 
>>>>> https://github.com/apereo/cas/commit/e7cb3b8b44867addcb6b8510cbbed45cbc9b265f
>>>>>
>>>>> Verify that your version of CAS is newer than that commit, it should be 
>>>>> fine.
>>>>>
>>>>> Regards
>>>>>
>>>>>
>>>>> On 13/04/2021 at 13:04, Bartosz Nitkiewicz wrote:
>>>>>
>>>>> Hi,  
>>>>> The setup looks like this:
>>>>>
>>>>> CAS + Vault (config file) + LDAP + 2FA (mfa-gauth) + redis for gauth 
>>>>> and ticket registration.
>>>>>
>>>>> After testing before production deployment I've noticed that a user can 
>>>>> authorize providing user and pass, when asking for Gauth token *it 
>>>>> can be anything (even one character)* and CAS will pass it through. I 
>>>>> don't know where I have a mistake:
>>>>>
>>>>> Here is my config from VAULT
>>>>>
>>>>>
>>>>>   "cas.authn.mfa.gauth.crypto.encryption.key": "[redacted]",
>>>>>   "cas.authn.mfa.gauth.crypto.signing.key": "[redacted]",
>>>>>   "cas.authn.mfa.gauth.issuer": "CAS",
>>>>>   "cas.authn.mfa.gauth.label": "CAS",
>>>>>   "cas.authn.mfa.gauth.multiple-device-registration-enabled": "false",
>>>>>   "cas.authn.mfa.gauth.name": "CAS",
>>>>>   "cas.authn.mfa.gauth.redis.database": "0",
>>>>>   "cas.authn.mfa.gauth.redis.host": "localhost",
>>>>>   "cas.authn.mfa.gauth.redis.password": "[redacted]",
>>>>>   "cas.authn.mfa.gauth.redis.port": "6379",
>>>>>   "cas.authn.mfa.gauth.redis.read-from": "MASTER",
>>>>>   "cas.authn.mfa.gauth.redis.timeout": "2000",
>>>>>   "cas.authn.mfa.gauth.redis.use-ssl": "false",
>>>>>   "cas.authn.mfa.global-provider-id": "mfa-gauth",
>>>>>   "cas.authn.mfa.triggers.principal.global-principal-attribute-name-triggers": "memberOf",
>>>>>   "cas.authn.mfa.triggers.principal.global-principal-attribute-value-regex": "[redacted]"
>>>>>
>>>>> Maybe it's ticket registering with redis:
>>>>>
>>>>> "cas.ticket.registry.redis.crypto.alg": "AES",
>>>>>   "cas.ticket.registry.redis.crypto.enabled": "false",
>>>>>   "cas.ticket.registry.redis.crypto.encryption.key": "",
>>>>>   "cas.ticket.registry.redis.crypto.encryption.key-size": "16",
>>>>>   "cas.ticket.registry.redis.crypto.signing.key": "",
>>>>>   "cas.ticket.registry.redis.crypto.signing.key-size": "512",
>>>>>   "cas.ticket.registry.redis.database": "1",
>>>>>   "cas.ticket.registry.redis.host": "localhost",
>>>>>   "cas.ticket.registry.redis.password": "[redacted]",
>>>>>   "cas.ticket.registry.redis.pool.enabled": "false",
>>>>>   "cas.ticket.registry.redis.pool.fairness": "false",
>>>>>   "cas.ticket.registry.redis.pool.lifo": "true",
>>>>>   "cas.ticket.registry.redis.pool.max-active": "8",
>>>>>   "cas.ticket.registry.redis.pool.max-idle": "8",
>>>>>   "cas.ticket.registry.redis.pool.max-wait": "-1",
>>>>>   "cas.ticket.registry.redis.pool.min-evictable-idle-time-millis": "0",
>>>>>   "cas.ticket.registry.redis.pool.min-idle": "0",
>>>>>   "cas.ticket.registry.redis.pool.num-tests-per-eviction-run": "0",
>>>>>   "cas.ticket.registry.redis.pool.soft-min-evictable-idle-time-millis": "0",
>>>>>   "cas.ticket.registry.redis.pool.test-on-borrow": "false",
>>>>>   "cas.ticket.registry.redis.pool.test-on-create": "false",
>>>>>   "cas.ticket.registry.redis.pool.test-on-return": "false",
>>>>>   "cas.ticket.registry.redis.pool.test-while-idle": "false",
>>>>>   "cas.ticket.registry.redis.port": "6379",
>>>>>   "cas.ticket.registry.redis.timeout": "2000",
>>>>>   "cas.ticket.registry.redis.use-ssl": "false",
>>>>>
>>>>> Any hints?
>>>>> Regards
>>>>> Bartek
>>>>>
>>>>> -- 
>>>>> - Website: https://apereo.github.io/cas
>>>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>>>> - List Guidelines: https://goo.gl/1VRrw7
>>>>> - Contributions: https://goo.gl/mh7qDG
>>>>> --- 
>>>>> You received this message because you are subscribed to the Google 
>>>>> Groups "CAS Community" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send 
>>>>> an email to [email protected].
>>>>> To view this discussion on the web visit 
>>>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/3aac5f3d-d9a7-4455-9639-bf8ce2be695en%40apereo.org
>>>>>  
>>>>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/3aac5f3d-d9a7-4455-9639-bf8ce2be695en%40apereo.org?utm_medium=email&utm_source=footer>
>>>>> .
>>>>>
>>>>>
>>>>>
>>>>> -- 
>>>>> Philippe MARASSE
>>>>>
>>>>> Head of Infrastructure Division - DSIO
>>>>> Centre Hospitalier Henri Laborit
>>>>> CS 10587 - 370 avenue Jacques Cœur 
>>>>> 86021 Poitiers Cedex
>>>>> Tel : 05.49.44.57.19
>>>>>
>>>>>
>>>>
>>>> -- 
>>>> Philippe MARASSE
>>>>
>>>> Head of Infrastructure Division - DSIO
>>>> Centre Hospitalier Henri Laborit
>>>> CS 10587 - 370 avenue Jacques Cœur 
>>>> 86021 Poitiers Cedex
>>>> Tel : 05.49.44.57.19
>>>>