Currently running v6.5.2. Planning on upgrading to latest 6.6.x soon.

The thing is, initially CAS does the right thing with renew=true, i.e. 
redirecting to the authorize endpoint in Azure. My goal is that renew=true 
should translate to prompt=login. Is there anything *I* can do to influence 
this process? Besides learning Java and fixing it myself (which, depending 
on the complexity, I'm actually considering). :)

However, I think I might have another problem.

I did a "poor man's" fix by adding this:
cas.authn.pac4j.oidc[0].azure.custom-params.prompt=login

Then when my app is requesting re-auth (via renew=true), Delegated 
Authentication redirects to Azure and credentials are requested (forced by 
my setting above). However, then I get this:

PROTOCOL_SPECIFICATION_VALIDATE_FAILED
[Cas20WithoutProxyingValidationSpecification] is to enforce the [renew] CAS 
protocol behavior, yet the assertion is not issued from a new login

So my suspicion is that even if I could translate renew=true to 
prompt=login in Delegated Authentication somehow, I would get stuck on this 
validation. Correct me if I'm wrong, but this must be an error? I mean, CAS 
is obviously aware of renew=true, but when Delegated Authentication returns, 
the ST seems to be generated from the previously created TGT anyway? This 
could of course be by design - considering that there might not be a way 
for CAS to know if the delegated authentication client did request 
re-validation of credentials or not. In that case, it would probably be better 
to send max_age=0, but that requires that CAS can validate the auth_time 
claim...

I'm so close to getting this setup to where I want it to be... but this 
might just be a blocker. Gonna go look up the price of IntelliJ IDEA now. :)

Regards,
Dennis

On Tuesday, October 25, 2022 at 5:56:49 PM UTC+2 CAS Community wrote:

> It generally depends on what version of CAS (and pac4j) you run. Most 
> recent versions can handle protocol translations, such that renew=true is 
> ultimately translated to prompt=login or max_age=0 or something like that. 
>
> On Tuesday, October 25, 2022 at 6:14:55 PM UTC+4 Dennis Sjögren wrote:
>
>> Hi,
>>
>> I've been experimenting with Delegated Authentication to Azure AD (via 
>> pac4j) and it works like a charm. The last day or so I've been searching 
>> for an answer to whether renew=1 can be propagated to the authorize call to 
>> Azure AD somehow. If I'm not mistaken, a parameter of prompt=login could be 
>> the way to go.
>>
>> When I test from a CAS-enabled app, renew=1 seems to be forcing a new 
>> request to Microsoft's authorize endpoint, but since I already have an 
>> active session in Azure, I'm not prompted for my credentials again.
>>
>> I've been looking into the CAS codebase for a configuration hint or 
>> something. I've been a full time developer for 25+ years, unfortunately not 
>> in Java - so needless to say, I'm not being particularly successful. :)
>>
>> So my question is: Is it possible to force re-validation of credentials 
>> using renew=1 when delegating to Azure AD?
>>
>> Regards,
>> Dennis
>>
>

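The translation discussed above (renew=true becoming prompt=login, with max_age=0 as the stricter alternative) and the auth_time freshness check that a renew-aware validator would need, as an added Python illustration. This is not CAS or pac4j code: the authorize endpoint, client id and ID token claims are constructed for the example, and every function name is hypothetical.

```python
# Added illustration (not CAS or pac4j code): translate a CAS renew request
# into OIDC authorize parameters, and check the returned ID token's auth_time
# so that only an assertion from a genuinely new login is accepted.
import time
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed endpoint for the example; a real deployment would use the
# tenant-specific Azure AD authorize URL from its app registration.
AUTHORIZE_ENDPOINT = "https://login.example.test/oauth2/v2.0/authorize"


def renew_requested(query_string):
    """True when the CAS login request carries renew=true or renew=1.
    Both spellings appear in the thread; they are treated alike here."""
    values = parse_qs(query_string).get("renew", [])
    return any(v.lower() in ("true", "1") for v in values)


def build_authorize_url(client_id, redirect_uri, state, renew):
    """Build the redirect to the OIDC provider. When renew is set, add
    prompt=login (force a credential prompt) and max_age=0 (require the
    provider to re-authenticate and to report a fresh auth_time)."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": "openid profile",
        "redirect_uri": redirect_uri,
        "state": state,
    }
    if renew:
        params["prompt"] = "login"
        params["max_age"] = "0"
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def authorize_params(url):
    """Return the query parameters of an authorize URL as {name: value}."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def assertion_is_fresh(id_token_claims, renew_requested_at, max_age=0, clock_skew=5):
    """Freshness check for a renew request: with max_age=0 the provider must
    re-authenticate, so auth_time (seconds since epoch) must not predate the
    renew request, allowing a few seconds of clock skew. A token without an
    auth_time claim cannot prove re-authentication and is rejected."""
    auth_time = id_token_claims.get("auth_time")
    if not isinstance(auth_time, int):
        return False
    return auth_time + clock_skew >= renew_requested_at - max_age


if __name__ == "__main__":
    now = int(time.time())
    renew = renew_requested("service=https%3A%2F%2Fapp.example.test&renew=true")
    url = build_authorize_url("cas-client", "https://cas.example.test/login", "st4te", renew)
    print(url)
    # Constructed claims: one token from the existing provider session,
    # one from a login performed in response to this renew request.
    stale = {"sub": "u1", "auth_time": now - 3600}
    fresh = {"sub": "u1", "auth_time": now}
    print("stale accepted:", assertion_is_fresh(stale, now))   # False
    print("fresh accepted:", assertion_is_fresh(fresh, now))   # True
```

The point of the second half is the one raised in the thread: forcing a credential prompt on the provider side only helps if the validating side then inspects auth_time (or an equivalent signal) instead of reusing the assertion tied to the existing SSO session.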
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/2cd365e8-c482-4ab8-97e9-dc2a3ca78c42n%40apereo.org.