I'm experimenting in the master branch at the moment. Wasn't planning on trying to submit anything to an old branch... /D
On Friday, October 28, 2022 at 2:08:18 PM UTC+2 leleuj wrote:
> Hi,
>
> The version 6.5.x no longer accepts contributions (except security patches):
> https://apereo.github.io/cas/developer/Maintenance-Policy.html
>
> So don't worry about submitting a PR.
>
> Thanks.
> Best regards,
> Jérôme
>
> On Fri, 28 Oct 2022 at 14:04, Dennis Sjögren <[email protected]> wrote:
>> So... Running IntelliJ IDEA on a 2019 MacBook Pro with a 2.6GHz 6-Core Intel i7 is... interesting. Having it directly in your lap is not recommended. Listening to the fans constantly at 5000 rpm is not as fun as it sounds. :) (And being a developer in a completely different ecosystem doesn't help.)
>>
>> Anyway, I found out that if you manage to set the *ForceAuthn* request attribute in the *getRedirectionAction* method in *DelegatedClientAuthenticationRedirectAction*.java (cas-server-support-pac4j-webflow), the resulting redirect to Azure will have *max_age=0* as a query parameter. Yay!
>>
>> I've been experimenting with setting a query parameter (for the clientredirect call) in the *resolve* method in *DelegatedClientIdentityProviderConfigurationFactory*.java (cas-server-support-pac4j-core). This then gets carried over to the aforementioned *getRedirectionAction* method via the transient session ticket. This works but I'm not sure if this is more of a "hack" or if it's nearing something that would be acceptable to submit as a PR.
>>
>> Anyway. Back to experimenting.
>>
>> Regards,
>> Dennis
>>
>> On Tuesday, October 25, 2022 at 7:59:32 PM UTC+2 Dennis Sjögren wrote:
>>> Currently running v6.5.2. Planning on upgrading to latest 6.6.x soon.
>>>
>>> The thing is, initially CAS does the right thing with renew=true, i.e. redirecting to the authorize endpoint in Azure. My goal is that renew=true should translate to prompt=login. Is there anything *I* can do to influence this process? Besides learning Java and fixing it myself (which, depending on the complexity, I'm actually considering). :)
>>>
>>> However, I think I might have another problem.
>>>
>>> I did a "poor man's" fix by adding this:
>>> cas.authn.pac4j.oidc[0].azure.custom-params.prompt=login
>>>
>>> Then when my app is requesting re-auth (via renew=true), Delegated Authentication redirects to Azure and credentials are requested (forced by my setting above). However, then I get this:
>>>
>>> PROTOCOL_SPECIFICATION_VALIDATE_FAILED [Cas20WithoutProxyingValidationSpecification] is to enforce the [renew] CAS protocol behavior, yet the assertion is not issued from a new login
>>>
>>> So my suspicion is that even if I could translate renew=true to prompt=login in Delegated Authentication somehow, I would get stuck on this validation. Correct me if I'm wrong, but this must be an error? I mean, CAS is obviously aware of renew=true, but when Delegated Authentication returns the ST seems to be generated from the previously created TGT anyway? This could of course be by design - considering that there might not be a way for CAS to know if the delegated authentication client did request re-validation of credentials or not. That way, it would probably be better to send max_age=0, but that requires that CAS can validate the auth_time claim...
>>>
>>> I'm so close to getting this setup to where I want it to be... but this might just be a blocker. Gonna go look up the price of IntelliJ IDEA now. :)
>>>
>>> Regards,
>>> Dennis
>>>
>>> On Tuesday, October 25, 2022 at 5:56:49 PM UTC+2 CAS Community wrote:
>>>> It generally depends on what version of CAS (and pac4j) you run. Most recent versions can handle protocol translations, such that renew=true is ultimately translated to prompt=login or max_age=0 or something like that.
>>>>
>>>> On Tuesday, October 25, 2022 at 6:14:55 PM UTC+4 Dennis Sjögren wrote:
>>>>> Hi,
>>>>>
>>>>> I've been experimenting with Delegated Authentication to Azure AD (via pac4j) and it works like a charm. The last day or so I've been searching for an answer to whether renew=1 can be propagated to the authorize call to Azure AD somehow. If I'm not mistaken, a parameter of prompt=login could be the way to go.
>>>>>
>>>>> When I test from a CAS enabled app, renew=1 seems to be forcing a new request to Microsoft's authorize endpoint, but since I already have an active session in Azure, I'm not prompted for my credentials again.
>>>>>
>>>>> I've been looking into the CAS codebase for a configuration hint or something. I've been a full time developer for 25+ years, unfortunately not in Java - so needless to say, I'm not being particularly successful. :)
>>>>>
>>>>> So my question is: Is it possible to force re-validation of credentials using renew=1 when delegating to Azure AD?
>>>>>
>>>>> Regards,
>>>>> Dennis
>>
>> --
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> ---
>> You received this message because you are subscribed to the Google Groups "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/dbda6d6b-14b3-4d3d-96ce-d22f19186338n%40apereo.org.
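Added illustration of the two halves of the renew=true translation discussed in this thread (not CAS or pac4j code; class and method names are assumed): the extra authorize-request parameters, and the auth_time check that makes max_age=0 verifiable on the CAS side. It assumes the timestamp of the redirect is available to the validation step, as it would be if it were kept with the transient session ticket.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added illustration, not CAS or pac4j code. Signature verification of the ID
// token is the OIDC library's job; this only reads a claim from an already
// verified token and decides whether it satisfies a renew=true request.
public final class RenewFreshnessCheck {
    private static final Pattern AUTH_TIME = Pattern.compile("\"auth_time\"\\s*:\\s*(\\d+)");

    // Extra authorize-request parameters when the CAS request carried renew=true.
    // prompt=login makes the IdP re-prompt; max_age=0 obliges it to return
    // auth_time, which is what lets the relying party verify the re-login itself.
    static Map<String, String> delegatedAuthorizeParams(boolean renew) {
        return renew ? Map.of("prompt", "login", "max_age", "0") : Map.of();
    }

    // auth_time (seconds since epoch) from the payload segment of an ID token, or -1 if absent.
    static long authTimeOf(String idToken) {
        String[] parts = idToken.split("\\.");
        if (parts.length < 2) return -1;
        String payload = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        Matcher m = AUTH_TIME.matcher(payload);
        return m.find() ? Long.parseLong(m.group(1)) : -1;
    }

    // A renew=true login only counts if the IdP authenticated the user after CAS
    // issued the redirect (assumed to be stored with the transient session ticket),
    // allowing a small clock skew. A missing auth_time fails closed.
    static boolean satisfiesRenew(long authTime, long redirectIssuedAt, long skewSeconds) {
        return authTime >= 0 && authTime + skewSeconds >= redirectIssuedAt;
    }
    private static String b64url(String json) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(json.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed sample tokens (header.payload.signature); claim values are made up.
        String header = b64url("{\"alg\":\"RS256\"}");
        String fresh = header + "." + b64url("{\"sub\":\"dennis\",\"auth_time\":1666700000,\"iat\":1666700001}") + ".sig";
        String stale = header + "." + b64url("{\"sub\":\"dennis\",\"iat\":1666700001}") + ".sig";
        long redirectedAt = 1666699990L;
        System.out.println("params: " + delegatedAuthorizeParams(true));
        System.out.println("fresh token satisfies renew: " + satisfiesRenew(authTimeOf(fresh), redirectedAt, 30));
        System.out.println("token without auth_time satisfies renew: " + satisfiesRenew(authTimeOf(stale), redirectedAt, 30));
    }
}
```

With prompt=login alone the IdP re-prompts but CAS has nothing to verify, which is the gap the PROTOCOL_SPECIFICATION_VALIDATE_FAILED message in the thread points at; the auth_time check is what would let the renew validation distinguish a genuinely new login from a reused session.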
