So... Running IntelliJ IDEA on a 2019 MacBook Pro with a 2,.6GHz 6-Core Intel i7 is... interesting. Having it directly in your lap is not recommended. Listening to the fans constantly at 5000 rpm is not as fun as it sounds. :) (And being a developer in a completely different ecosystem doesn't help.)
Anyway, I found out that if you manage to set the *ForceAuthn* request attribute in the *getRedirectionAction* method in *DelegatedClientAuthenticationRedirectAction*.java (cas-server-support-pac4j-webflow), the resulting redirect to Azure will have *max_age=0* as a query parameter. Yay! I've been experimenting with setting a query parameter (for the clientredirect call) in the *resolve* method in *DelegatedClientIdentityProviderConfigurationFactory*.java (cas-server-support-pac4j-core). This then gets carried over to the aforementioned *getRedirectAction* method via the transient session ticket. This works but I'm not sure if this is more of a "hack" or if it's nearing something that would be acceptable to submit as a PR. Anyway. Back to experimenting. Regards, Dennis On Tuesday, October 25, 2022 at 7:59:32 PM UTC+2 Dennis Sjögren wrote: > Currently running v6.5.2. Planning on upgrading to latest 6.6.x soon. > > The thing is, initially CAS does the right thing with renew=true, i.e. > redirecting to the authorize endpoint in Azure. My goal is that renew=true > should translate to prompt=login. Is there anything *I* can do to influence > this process? Besides learning Java and fixing it myself (which, depending > on the complexity, I'm actually considering). :) > > However, I think I might have another problem. > > I did a "poor man's" fix by adding this: > cas.authn.pac4j.oidc[0].azure.custom-params.prompt=login > > Then when my app is requesting re-auth (via renew=true), Delegated > Authentication redirects to Azure and credentials are requested (forced by > my setting above). However, then I get this: > > PROTOCOL_SPECIFICATION_VALIDATE_FAILED > [Cas20WithoutProxyingValidationSpecification] is to enforce the [renew] > CAS protocol behavior, yet the assertion is not issued from a new login > > So my suspicion is that even if I could translate renew=true to > prompt=login in Delegated Authentication somehow, I would get stuck on this > validation. Correct me if I'm wrong, but this must be an error? I mean, CAS > is obviously aware of renew=true, but when Delegated Authentication returns > the ST seems to be generated from the previously created TGT anyway? This > could of course be by design - considering that there might not be a way > for CAS to know if the delegated authentication client did request > re-validation of credentials or not. That way, it would probably be better > to send max_age=0, but that requires that CAS can validate the auth_time > claim... > > I'm so close to getting this setup to where I want it to be... but this > might just be a blocker. Gonna go look up the price of IntelliJ IDEA now. :) > > Regards, > Dennis > > On Tuesday, October 25, 2022 at 5:56:49 PM UTC+2 CAS Community wrote: > >> It generally depends on what version of CAS (and pac4j) you run. Most >> recent versions can handle protocol translations, such that renew=true is >> ultimate translated to prompt=login or max_age=0 or something like that. >> >> On Tuesday, October 25, 2022 at 6:14:55 PM UTC+4 Dennis Sjögren wrote: >> >>> Hi, >>> >>> I've been experimenting with Delegated Authentication to Azure AD (via >>> pac4j) and it works like a charm. The last day or so I've been searching >>> for an answer to whether renew=1 can be propagated to the authorize call to >>> Azure AD somehow. If I'm not mistaken, a parameter of prompt=login could be >>> the way to go. >>> >>> When I test from a CAS enabled app, renew=1 seems to be forcing a new >>> request to Microsofts authorize endpoint, but since I already have an >>> active session in Azure, I'm not prompted for my credentials again. >>> >>> I've been looking into the CAS codebase for a configuration hint or >>> something. I've been a full time developer for 25+ years, unfortunately not >>> in Java - so needless to say, I'm not being particularly successful. :) >>> >>> So my question is: Is it possible to force re-validation of credentials >>> using renew=1 when delegating to Azure AD? >>> >>> Regards, >>> Dennis >>> >> -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/dbda6d6b-14b3-4d3d-96ce-d22f19186338n%40apereo.org.
