[cas-user] Re: pac4j Google2Client auth delegation: How to unauthorize a profile?

2018-01-23 Thread Martin Bohun
Hello Oscar,

This is an example of one possible solution:
Our cas project (based on cas-4.0.x), uses Delegated Authentication 
(Facebook/Google/Twitter) to perform "one click" SignUp/SignIn.
We use a custom auth handler that uses the attributes (email, first_name, 
surname) returned by Facebook/Google/Twitter to either:
a) SignIn user if user with that email exists in the system already, OR
b) SignUp create the user in our system, and proceed to SignIn

So at that point in the code where we are receiving/processing the email 
address returned by Facebook/Google/Twitter:
https://github.com/AtlasOfLivingAustralia/ala-cas-2.0/blob/master/src/main/java/org/jasig/cas/support/pac4j/authentication/handler/support/ALAClientAuthenticationHandler.java#L121

one could do the type of filtering you want:
a) hardcode it there
b) externalize the email validation/check regexp into some 
properties/config file so 
c) fast/phugly/hack do the filtering in your LDAP, SQL query,
etc.

regards,

martin

On Wednesday, January 24, 2018 at 2:10:34 AM UTC+11, Oscar del Pozo wrote:
>
> Hi!
>
> I'm migrating from CAS 4.0.5 to 5.2.1 and everything has gone perfect but 
> I'm facing a problem with the Google OAuth authentication.
>
> I have configured a delegate authentication to Google with pac4j 
> successfully but I need to make a modification: only allow the emails which 
> end with *@companyname.com* (I do agree that 
> this kind of thing should not be done at CAS because this is about 
> authorization and not authentication, but I have to).
>
> I have added a new AuthorizationGenerator to the Google2Client instance 
> so, after retrieving the user profile with the *Google2ProfileDefinition* 
> class, I make my validation and in case that the user email is not a 
> valid one, I set the profile identifier to blank. The blank 
> identifier causes a *FailedLoginException* at 
> *AbstractPac4jAuthenticationHandler*.
>
> Everything seems to work fine but finally, I get the following exception 
> and the CAS error page is shown.
>  
>
> 2018-01-23 15:58:48,581 DEBUG 
>> [org.pac4j.oauth.profile.creator.OAuth20ProfileCreator] - > access_token: ya29.Glx... to profile>
>> 2018-01-23 15:58:48,581 DEBUG 
>> [org.pac4j.oauth.profile.google2.Google2Profile] -  key: 
>> access_token / value:XXX-XXX / class java.lang.String>
>> 2018-01-23 15:58:48,581 DEBUG [org.pac4j.oauth.client.Google2Client] - 
>> > {name.familyName=del Pozo, 
>> emails=[org.pac4j.oauth.profile.google2.Google2Email@64f6a901], 
>> access_token=..., gender=MALE, displayName=Oscar del Pozo, 
>> name.givenName=Oscar, ... |>
>> 2018-01-23 15:58:49,599 WARN 
>> [org.apereo.cas.support.pac4j.oauth.MyProfileAuthorizationGenerator] 
>> - 
>> 2018-01-23 15:58:49,599 DEBUG 
>> [org.pac4j.oauth.profile.google2.Google2Profile] 
>> - 
>> 2018-01-23 15:58:51,789 ERROR 
>> [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
>> > authentication handler that supports 
>> [org.apereo.cas.authentication.principal.ClientCredential@2f8fc6b0[id=]]
>>  
>> of type [ClientCredential].>
>> 2018-01-23 15:58:53,216 INFO 
>> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - > trail record BEGIN
>> =
>> WHO: null
>> WHAT: Supplied credentials: 
>> [org.apereo.cas.authentication.principal.ClientCredential@2f8fc6b0[id=]]
>> ACTION: AUTHENTICATION_SUCCESS   (This is a reported bug, the 
>> authentication has actually failed: 
>> https://github.com/apereo/inspektr/pull/10)
>> APPLICATION: CAS
>> WHEN: Tue Jan 23 15:58:53 CET 2018
>> CLIENT IP ADDRESS: 192.168.56.1
>> SERVER IP ADDRESS: 192.168.56.1
>> =
>> >
>> 2018-01-23 15:58:53,247 ERROR 
>> [org.springframework.boot.web.support.ErrorPageFilter] - > error page from request [/login] due to exception [Exception thrown 
>> executing 
>> org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationAction@848f27e
>>  
>> in state 'clientAction' of flow 'login' -- action execution attributes were 
>> 'map[[empty]]']>
>
> at 
>> org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:60)
>>  
>> ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>> at 
>> org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:77)
>>  
>> ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>> at 
>> org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
>>  
>> ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE] 
>> [...]
>> Caused by: org.apereo.cas.authentication.AuthenticationException: 1 
>> errors, 0 successes
>> at 
>> org.apereo.cas.authentication.PolicyBasedAuthenticationManager.evaluateFinalAuthentication(PolicyBasedAuthenticationManager.java:400)
>>  
>> ~[cas-server-core-authentication-5.2.1.jar:5.2.1]
>> at 
>> 
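The filtering suggested in options (a) and (b) of the reply above, as an added example that is not taken from the ALA handler or from CAS: a domain allow-list read from a properties source and applied to the e-mail returned by the delegated provider. The class name, the property key `delegated.allowedEmailDomains` and the sample addresses are hypothetical.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Arrays;
import java.util.Collections;
import java.util.Locale;
import java.util.Properties;
import java.util.Set;
import java.util.stream.Collectors;

/**
 * Added example: allow-list check for the e-mail attribute returned by a
 * delegated provider. Class name and property key are hypothetical.
 */
public class EmailDomainPolicy {

    private final Set<String> allowedDomains;

    public EmailDomainPolicy(Properties props) {
        // Comma-separated list; an empty or missing value allows nothing (fail closed).
        String raw = props.getProperty("delegated.allowedEmailDomains", "");
        this.allowedDomains = Collections.unmodifiableSet(
            Arrays.stream(raw.split(","))
                  .map(d -> d.trim().toLowerCase(Locale.ROOT))
                  .filter(d -> !d.isEmpty())
                  .collect(Collectors.toSet()));
    }

    /** True only when the address has exactly one '@' and its whole domain is on the list. */
    public boolean isAllowed(String email) {
        if (email == null) {
            return false;
        }
        String candidate = email.trim();
        int at = candidate.indexOf('@');
        // Reject an empty local part, an empty domain, or a second '@'.
        if (at <= 0 || at != candidate.lastIndexOf('@') || at == candidate.length() - 1) {
            return false;
        }
        // Reject embedded whitespace and control characters.
        for (int i = 0; i < candidate.length(); i++) {
            char c = candidate.charAt(i);
            if (Character.isWhitespace(c) || Character.isISOControl(c)) {
                return false;
            }
        }
        // Compare the complete domain. A suffix test such as
        // endsWith("companyname.com") would also accept "evilcompanyname.com".
        String domain = candidate.substring(at + 1).toLowerCase(Locale.ROOT);
        return allowedDomains.contains(domain);
    }

    public static void main(String[] args) throws IOException {
        // Constructed configuration and inputs, for illustration only.
        Properties props = new Properties();
        props.load(new StringReader("delegated.allowedEmailDomains = companyname.com\n"));
        EmailDomainPolicy policy = new EmailDomainPolicy(props);

        String[] samples = {
            "oscar@companyname.com",
            "Oscar@CompanyName.COM",
            "mallory@evilcompanyname.com",
            "mallory@companyname.com.example.org",
            "a@b@companyname.com",
            "@companyname.com",
            null
        };
        for (String s : samples) {
            System.out.printf("%-40s allowed=%s%n", s, policy.isAllowed(s));
        }
    }
}
```

In an authentication handler, a `false` result is the point at which the login would be rejected, for instance with the `FailedLoginException` mentioned in the quoted question.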

[cas-user] MFA Google Authenticator persistence issue?

2018-01-23 Thread Tim Tyler
CAS Experts,

I am trying to setup Google Authenticator for MFA purposes.  It works fine
in memory mode.  So now we want to install persistence for it on MariaDB.
So here is what we did.

1. We installed Mariadb and initiated it.

2. We created a database named "mfa" to store the registries.

3.  We have no idea what the schema should look like so we didn't create
anything else.

4. We configured ca.properties with

cas.authn.mfa.trusted.jpa.url=jdbc:mariadb://localhost:1489/mfa
cas.authn.mfa.trusted.jpa.dialect=org.hibernate.dialect.MariaDBDialect
cas.authn.mfa.trusted.jpa.user=root
cas.authn.mfa.trusted.jpa.password=xxx
cas.authn.mfa.trusted.jpa.driverClass=org.mariadb.jdbc.Driver

So do we need a schema or does it get created automatically –and how?
When I login to CAS, we don't see any evidence of database changes, etc.
There are no tables in the mfa database.  But we still get the following
error on CAS output:





2018-01-23 15:19:24,808 WARN
[org.hibernate.engine.jdbc.spi.SqlExceptionHelper] - 



What might we be missing or might be wrong?





Tim Tyler

Network Engineer

Beloit College

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/324d6ed73e1fade42c7d91b9b1d82b03%40mail.gmail.com.


[cas-user] Re: ZenDesk JWT integration

2018-01-23 Thread FritzTheWonderMutt

Also, it looks like org.apereo.cas.util.EncodingUtils only allows HS512 
(line 232). ZenDesk uses HS256. One more thing to override...



Re: [cas-user] Management webapp 5.3.0-RC1/RC2-SNAPSHOT hates my management.properties file?

2018-01-23 Thread David Curry
Hi Travis,

The advantage to the overlay is that you don't have to clone the whole repo
and build from source.

I'm trying to build 5.3.0-RC2-SNAPSHOT because I'm working on fixing
MongoDbConnectionFactory.java to correctly handle client connection strings
(URIs), which is needed to support a MongoDb-based service registry (or
other registries, but those don't matter to the webapp).

But, although I'd personally like to see the overlay remain supported and
working, I can in the short term probably clone the repo and do it that way.

Thanks,
--Dave


--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Tue, Jan 23, 2018 at 2:15 PM, Travis Schmidt 
wrote:

> Hi David,
>   Not exactly sure what is going on, but I have to confess that I have not
> tried building the management app with the Maven overlay.
>
> I can say for sure that to be compatible with the last release of the
> management app that the cas.version needs to be 5.3.0-RC1, since that is
> what it is built against.
>
> Also I am not sure exactly what benefit the Maven overlay has for the
> management-app and maybe that it is a discussion we need to have with
> developers and the CAS community at large.
>
> if you do:
>
> git clone https://github.com/apereo/cas-management.git
> cd cas-management
> ./gradlew build -x check -x javadoc
>
> This will build a war under cas-management/webapp-mgmt/
> cas-management-webapp/build/libs/ that can be deployed.
>
> Needless to say some time needs to be put into the documentation for the
> management app.
>
> Thanks
> Travis
>
>
>
> On Tue, Jan 23, 2018 at 10:11 AM David Curry 
> wrote:
>
>>
>> I am building the management webapp with the current Maven WAR overlay,
>> and  set to either 5.3.0-RC1 or 5.3.0-RC2-SNAPSHOT. In both
>> cases, all of a sudden the webapp is unhappy with my
>> *management.properties* file that has been working just fine with 5.1.x
>> and 5.2.x. Specifically, I get:
>>
>> org.springframework.beans.factory.UnsatisfiedDependencyException: Error
>> creating bean with name 'casCoreWebConfiguration': Unsatisfied dependency
>> expressed through field 'casProperties'; nested exception is
>> org.springframework.beans.factory.BeanCreationException: Error creating
>> bean with name 'cas-org.apereo.cas.configuration.CasConfigurationProperties':
>> Could not bind properties to CasConfigurationProperties (prefix=cas,
>> ignoreInvalidFields=false, ignoreUnknownFields=false,
>> ignoreNestedProperties=false); nested exception is
>> org.springframework.beans.NotWritablePropertyException: Invalid property
>> 'mgmt[adminRoles][0]' of bean class 
>> [org.apereo.cas.configuration.CasConfigurationProperties]:
>> Cannot access indexed value in property referenced in indexed property path
>> 'mgmt[adminRoles][0]'; nested exception is 
>> org.springframework.beans.NotReadablePropertyException:
>> Invalid property 'mgmt[adminRoles][0]' of bean class
>> [org.apereo.cas.configuration.CasConfigurationProperties]: Bean property
>> 'mgmt[adminRoles][0]' is not readable or has an invalid getter method: Does
>> the return type of the getter match the parameter type of the setter?
>>
>> and, if I delete "cas.mgmt.adminRoles[0]: ROLE_ADMIN" from the file, I
>> get basically the same error on the next property:
>>
>> org.springframework.beans.factory.UnsatisfiedDependencyException: Error
>> creating bean with name 'casCoreWebConfiguration': Unsatisfied dependency
>> expressed through field 'casProperties'; nested exception is
>> org.springframework.beans.factory.BeanCreationException: Error creating
>> bean with name 'cas-org.apereo.cas.configuration.CasConfigurationProperties':
>> Could not bind properties to CasConfigurationProperties (prefix=cas,
>> ignoreInvalidFields=false, ignoreUnknownFields=false,
>> ignoreNestedProperties=false); nested exception is
>> org.springframework.beans.NotWritablePropertyException: Invalid property
>> 'mgmt[userPropertiesFile]' of bean class 
>> [org.apereo.cas.configuration.CasConfigurationProperties]:
>> Cannot access indexed value in property referenced in indexed property path
>> 'mgmt[userPropertiesFile]'; nested exception is 
>> org.springframework.beans.NotReadablePropertyException:
>> Invalid property 'mgmt[userPropertiesFile]' of bean class
>> [org.apereo.cas.configuration.CasConfigurationProperties]: Bean property
>> 'mgmt[userPropertiesFile]' is not readable or has an invalid getter method:
>> Does the return type of the getter match the parameter type of the setter?
>>
>> It occurred to me that maybe the property name prefix ("cas.mgmt") might
>> have changed when the webapp was spun off into its own GitHub repository,
>> but unfortunately, when I try to check the documentation on this:
>>
>> https://apereo.github.io/cas-management/development/
>> 

Re: [cas-user] Management webapp 5.3.0-RC1/RC2-SNAPSHOT hates my management.properties file?

2018-01-23 Thread Travis Schmidt
Hi David,
  Not exactly sure what is going on, but I have to confess that I have not
tried building the management app with the Maven overlay.

I can say for sure that to be compatible with the last release of the
management app that the cas.version needs to be 5.3.0-RC1, since that is
what it is built against.

Also I am not sure exactly what benefit the Maven overlay has for the
management-app and maybe that it is a discussion we need to have with
developers and the CAS community at large.

if you do:

git clone https://github.com/apereo/cas-management.git
cd cas-management
./gradlew build -x check -x javadoc

This will build a war under
cas-management/webapp-mgmt/cas-management-webapp/build/libs/ that can be
deployed.

Needless to say some time needs to be put into the documentation for the
management app.

Thanks
Travis



On Tue, Jan 23, 2018 at 10:11 AM David Curry 
wrote:

>
> I am building the management webapp with the current Maven WAR overlay,
> and  set to either 5.3.0-RC1 or 5.3.0-RC2-SNAPSHOT. In both
> cases, all of a sudden the webapp is unhappy with my
> *management.properties* file that has been working just fine with 5.1.x
> and 5.2.x. Specifically, I get:
>
> org.springframework.beans.factory.UnsatisfiedDependencyException: Error
> creating bean with name 'casCoreWebConfiguration': Unsatisfied dependency
> expressed through field 'casProperties'; nested exception is
> org.springframework.beans.factory.BeanCreationException: Error creating
> bean with name
> 'cas-org.apereo.cas.configuration.CasConfigurationProperties': Could not
> bind properties to CasConfigurationProperties (prefix=cas,
> ignoreInvalidFields=false, ignoreUnknownFields=false,
> ignoreNestedProperties=false); nested exception is
> org.springframework.beans.NotWritablePropertyException: Invalid property
> 'mgmt[adminRoles][0]' of bean class
> [org.apereo.cas.configuration.CasConfigurationProperties]: Cannot access
> indexed value in property referenced in indexed property path
> 'mgmt[adminRoles][0]'; nested exception is
> org.springframework.beans.NotReadablePropertyException: Invalid property
> 'mgmt[adminRoles][0]' of bean class
> [org.apereo.cas.configuration.CasConfigurationProperties]: Bean property
> 'mgmt[adminRoles][0]' is not readable or has an invalid getter method: Does
> the return type of the getter match the parameter type of the setter?
>
> and, if I delete "cas.mgmt.adminRoles[0]: ROLE_ADMIN" from the file, I
> get basically the same error on the next property:
>
> org.springframework.beans.factory.UnsatisfiedDependencyException: Error
> creating bean with name 'casCoreWebConfiguration': Unsatisfied dependency
> expressed through field 'casProperties'; nested exception is
> org.springframework.beans.factory.BeanCreationException: Error creating
> bean with name
> 'cas-org.apereo.cas.configuration.CasConfigurationProperties': Could not
> bind properties to CasConfigurationProperties (prefix=cas,
> ignoreInvalidFields=false, ignoreUnknownFields=false,
> ignoreNestedProperties=false); nested exception is
> org.springframework.beans.NotWritablePropertyException: Invalid property
> 'mgmt[userPropertiesFile]' of bean class
> [org.apereo.cas.configuration.CasConfigurationProperties]: Cannot access
> indexed value in property referenced in indexed property path
> 'mgmt[userPropertiesFile]'; nested exception is
> org.springframework.beans.NotReadablePropertyException: Invalid property
> 'mgmt[userPropertiesFile]' of bean class
> [org.apereo.cas.configuration.CasConfigurationProperties]: Bean property
> 'mgmt[userPropertiesFile]' is not readable or has an invalid getter method:
> Does the return type of the getter match the parameter type of the setter?
>
> It occurred to me that maybe the property name prefix ("cas.mgmt") might
> have changed when the webapp was spun off into its own GitHub repository,
> but unfortunately, when I try to check the documentation on this:
>
>
> https://apereo.github.io/cas-management/development/installation/Configuration-Properties.html
>
> it results in a 404 error (as does Configuration-Management.html).
>
> Is this a bug, or am I doing something wrong?
>
> Thanks,
> --Dave
>
>
>
>
> --
>
> DAVID A. CURRY, CISSP
> *DIRECTOR OF INFORMATION SECURITY*
> INFORMATION TECHNOLOGY
>
> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> +1 212 229-5300 x4728 • david.cu...@newschool.edu
>

[cas-user] Management webapp 5.3.0-RC1/RC2-SNAPSHOT hates my management.properties file?

2018-01-23 Thread David Curry
I am building the management webapp with the current Maven WAR overlay, and
 set to either 5.3.0-RC1 or 5.3.0-RC2-SNAPSHOT. In both cases,
all of a sudden the webapp is unhappy with my *management.properties* file
that has been working just fine with 5.1.x and 5.2.x. Specifically, I get:

org.springframework.beans.factory.UnsatisfiedDependencyException: Error
creating bean with name 'casCoreWebConfiguration': Unsatisfied dependency
expressed through field 'casProperties'; nested exception is
org.springframework.beans.factory.BeanCreationException: Error creating
bean with name
'cas-org.apereo.cas.configuration.CasConfigurationProperties': Could not
bind properties to CasConfigurationProperties (prefix=cas,
ignoreInvalidFields=false, ignoreUnknownFields=false,
ignoreNestedProperties=false); nested exception is
org.springframework.beans.NotWritablePropertyException: Invalid property
'mgmt[adminRoles][0]' of bean class
[org.apereo.cas.configuration.CasConfigurationProperties]: Cannot access
indexed value in property referenced in indexed property path
'mgmt[adminRoles][0]'; nested exception is
org.springframework.beans.NotReadablePropertyException: Invalid property
'mgmt[adminRoles][0]' of bean class
[org.apereo.cas.configuration.CasConfigurationProperties]: Bean property
'mgmt[adminRoles][0]' is not readable or has an invalid getter method: Does
the return type of the getter match the parameter type of the setter?

and, if I delete "cas.mgmt.adminRoles[0]: ROLE_ADMIN" from the file, I get
basically the same error on the next property:

org.springframework.beans.factory.UnsatisfiedDependencyException: Error
creating bean with name 'casCoreWebConfiguration': Unsatisfied dependency
expressed through field 'casProperties'; nested exception is
org.springframework.beans.factory.BeanCreationException: Error creating
bean with name
'cas-org.apereo.cas.configuration.CasConfigurationProperties': Could not
bind properties to CasConfigurationProperties (prefix=cas,
ignoreInvalidFields=false, ignoreUnknownFields=false,
ignoreNestedProperties=false); nested exception is
org.springframework.beans.NotWritablePropertyException: Invalid property
'mgmt[userPropertiesFile]' of bean class
[org.apereo.cas.configuration.CasConfigurationProperties]: Cannot access
indexed value in property referenced in indexed property path
'mgmt[userPropertiesFile]'; nested exception is
org.springframework.beans.NotReadablePropertyException: Invalid property
'mgmt[userPropertiesFile]' of bean class
[org.apereo.cas.configuration.CasConfigurationProperties]: Bean property
'mgmt[userPropertiesFile]' is not readable or has an invalid getter method:
Does the return type of the getter match the parameter type of the setter?

It occurred to me that maybe the property name prefix ("cas.mgmt") might
have changed when the webapp was spun off into its own GitHub repository,
but unfortunately, when I try to check the documentation on this:

https://apereo.github.io/cas-management/development/installation/Configuration-Properties.html

it results in a 404 error (as does Configuration-Management.html).

Is this a bug, or am I doing something wrong?

Thanks,
--Dave




--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu




[cas-user] ZenDesk JWT integration

2018-01-23 Thread FritzTheWonderMutt
Greetings!
I'm trying to integrate our CAS 5.1 instance with Zendesk's JWT login flow. 
I have solved this in previous CAS versions using an ArgumentExtractor and 
an extension of AbstractWebApplicationService.
Two main issues are incoming parameters need to be mapped to expected ones 
(ie: return_to --> service) and the JWT needs additional properties not 
found in TokenWebApplicationServiceResponseBuilder.

ZenDesk doc:
https://support.zendesk.com/hc/en-us/articles/203663816-Setting-up-single-sign-on-with-JWT-JSON-Web-Token-

Questions:
1) Where do argument extractors live now and where would I add one?
2) What is the best way to extend the JWT TokenWebApplicationService (if 
that's even the right starting point)?



Re: [cas-user] Using CAS 5.2.0 is it possible to force users to configure their custom security questions when the user login for the 1st time?

2018-01-23 Thread Ray Bon
You can modify the login webflow, 
https://apereo.github.io/cas/5.2.x/installation/Webflow-Customization.html to 
add custom security questions page.
There is a section on password management, 
https://apereo.github.io/cas/5.2.x/installation/Password-Management.html
There are also various aspects to authentication, 
https://apereo.github.io/cas/5.2.x/installation/Configuring-Authentication-Components.html

Ray

On Mon, 2018-01-22 at 17:08 -0800, casuser wrote:
I am currently using CAS 5.2.0 and I have few questions regarding Password 
reset security questions. Is there a way

  1.  to force users to configure their custom security questions when the user 
login for the 1st time?
  2.  password change lockout with too many incorrect security question 
attempts?
  3.  allow administrator to predefine a list of security questions?


By the way CAS is amazing and I want to thank the developers behind it. Awesome 
work.


-Fazla

--
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca



Re: [cas-user] CAS 5.2.1 report failed authentications as AUTHENTICATION_SUCCESS

2018-01-23 Thread Oscar del Pozo
Hi,

I've made a pull request solving this 
issue: https://github.com/apereo/inspektr/pull/10. It has already been 
approved.

On Friday, January 19, 2018 at 16:47:02 (UTC+1), Ben Howell-Thomas 
wrote:
>
> Might have solved it.
>
> To confirm what Mohsen said, seems fine in 5.2.0.
>
> Between 5.2.0 and 5.2.1 the inspektrVersion goes up from 1.7.0 to 1.7.1.GA.
>
> Between them, ah - I think I may have found it 
> - org.apereo.inspektr.audit.AuditTrailManagementAspect changes line 141 
> from :
>
> } catch (final Exception e) {
>
>
> to 
>
> } catch (final Throwable e) {
>
>
> I think I remember reading that polymorphism type things are worked out at 
> compile time.  If it's treating the AuthenticationException as a Throwable 
> then that's not an Exception (since Exception is a sub-class of Throwable) 
> but it is an Object, hence it calls the 
> org.apereo.inspektr.audit.spi.support.DefaultAuditActionResolver.resolveFrom 
> method that uses the Object parameter and is therefore considered a success.
>
> This looks like a side effect of this commit to Inspektr:
>
>>
>> Commit: a51eefbc0fe6619bb651b91a99f44bb6d262e744 [a51eefb]
>> Parents: 8a07750485, 0cdde58bcc
>> Author: Misagh Moayyed 
>> Date: 06 March 2017 16:17:35
>> Committer: GitHub 
>> Merge pull request #8 from vvidovic/cherry-pick
>> Fix: auditing on Erorr (not only Exception)
>
>
> @Misagh/Apereo/everyone - Hope that's been helpful.  I'm sorry but I 
> haven't got time to submit a patch (partly because upgrading to 5.2 has 
> taken so long ;).  If it's not something anyone's likely to pick up I could 
> maybe look at it next week.
>
> blessings,
>
> Ben
>
> On 19 January 2018 at 14:52, Jeffrey Ramsay wrote:
>
>> How are you getting these statements in your logs? I can produce them 
>> since upgrading to 5.1 and it was used for our Splunk system.
>>
>> > level="info" additivity="false" includeLocation="true">
>> 
>> 
>> 
>>
>> -Jeff
>>
>> On Thu, Jan 11, 2018 at 2:35 AM, Mohsen Ebrahimi wrote:
>>
>>> Hello
>>>
>>> It works fine in 5.2. I think it's a bug.
>>>
>>> Thank you
>>>
>>>
>>> 2018-01-11 02:18:15,693 WARN 
>>> [org.apereo.cas.authentication.LdapAuthenticationHandler] - >> failed. [DN cannot be null]>
>>> 2018-01-11 02:18:15,694 ERROR 
>>> [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
>>> >> authentication handler that supports [wronguser] of type 
>>> [UsernamePasswordCredential].>
>>> 2018-01-11 02:18:15,697 INFO 
>>> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - >> trail record BEGIN
>>> =
>>> WHO: wronguser
>>> WHAT: Supplied credentials: [wronguser]
>>> ACTION: AUTHENTICATION_SUCCESS
>>> APPLICATION: CAS
>>> WHEN: Thu Jan 11 02:18:15 EST 2018
>>>
>>>
>>
>>
>
>
> This email is sent on behalf of Northgate Public Services (UK) Limited and 
> its associated companies including Rave Technologies (India) Pvt Limited 
> (together "Northgate Public Services") and is strictly confidential and 
> intended solely for the addressee(s). 
> If you are not the intended recipient of this email you must: (i) not 
> disclose, copy or distribute its contents to any other person nor use its 
> contents in any way or you may be acting unlawfully;  (ii) contact 
> Northgate Public Services immediately on 
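The compile-time overload selection described in the quoted analysis above, as an added example that is not inspektr's code: the resolver and exception classes are simplified, hypothetical stand-ins, the action labels are constructed, and the third method shows one possible way to keep the failure classification, not the change made in the pull request.

```java
import java.util.concurrent.Callable;

/**
 * Added example: how changing a catch parameter from Exception to Throwable
 * changes which overload the compiler binds. All classes are hypothetical
 * stand-ins for the audit aspect and its action resolver.
 */
public class OverloadResolutionDemo {

    /** Stand-in resolver with one overload per outcome. */
    static class ActionResolver {
        String resolveFrom(Object returnValue) {
            return "AUTHENTICATION_SUCCESS";
        }

        String resolveFrom(Exception failure) {
            return "AUTHENTICATION_FAILED";
        }
    }

    /** Stand-in for the checked exception raised on a failed login. */
    static class AuthenticationException extends Exception {
        private static final long serialVersionUID = 1L;

        AuthenticationException(String message) {
            super(message);
        }
    }

    private static final ActionResolver RESOLVER = new ActionResolver();

    /** Catch parameter typed Exception: the compiler binds resolveFrom(Exception). */
    static String auditCatchingException(Callable<Object> target) {
        try {
            return RESOLVER.resolveFrom(target.call());
        } catch (final Exception e) {
            return RESOLVER.resolveFrom(e);
        }
    }

    /**
     * Catch parameter typed Throwable: resolveFrom(Exception) is no longer
     * applicable to the static type, so the call binds to resolveFrom(Object)
     * even though the object caught at run time is an Exception.
     */
    static String auditCatchingThrowable(Callable<Object> target) {
        try {
            return RESOLVER.resolveFrom(target.call());
        } catch (final Throwable e) {
            return RESOLVER.resolveFrom(e);
        }
    }

    /**
     * One way to keep auditing Errors while still classifying the outcome as a
     * failure: choose the overload from the runtime type.
     */
    static String auditWithRuntimeCheck(Callable<Object> target) {
        try {
            return RESOLVER.resolveFrom(target.call());
        } catch (final Throwable t) {
            final Exception failure =
                (t instanceof Exception) ? (Exception) t : new Exception(t);
            return RESOLVER.resolveFrom(failure);
        }
    }

    public static void main(String[] args) {
        // Constructed failing call, reusing the message seen in the logs on this page.
        Callable<Object> failingLogin = () -> {
            throw new AuthenticationException("1 errors, 0 successes");
        };

        System.out.println("catch (Exception e): " + auditCatchingException(failingLogin));
        System.out.println("catch (Throwable e): " + auditCatchingThrowable(failingLogin));
        System.out.println("runtime type check:  " + auditWithRuntimeCheck(failingLogin));
    }
}
```

For detection work the practical consequence is that, on an affected version, an `AUTHENTICATION_SUCCESS` audit record alone does not prove a successful login; it has to be correlated with the handler's WARN/ERROR lines shown in the quoted logs.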

[cas-user] pac4j Google2Client auth delegation: How to unauthorize a profile?

2018-01-23 Thread Oscar del Pozo
Hi!

I'm migrating from CAS 4.0.5 to 5.2.1 and everything has gone perfect but 
I'm facing a problem with the Google OAuth authentication.

I have configured a delegate authentication to Google with pac4j 
successfully but I need to make a modification: only allow the emails which 
end with *@companyname.com* (I do agree that this kind of thing should not 
be done at CAS because this is about authorization and not authentication, 
but I have to).

I have added a new AuthorizationGenerator to the Google2Client instance so, 
after retrieving the user profile with the *Google2ProfileDefinition* class, 
I make my validation and in case that the user email is not a valid one, I 
set the profile identifier to blank. The blank identifier causes a 
*FailedLoginException* at *AbstractPac4jAuthenticationHandler*.

Everything seems to work fine but finally, I get the following exception 
and the CAS error page is shown.
 

2018-01-23 15:58:48,581 DEBUG 
> [org.pac4j.oauth.profile.creator.OAuth20ProfileCreator] -  access_token: ya29.Glx... to profile>
> 2018-01-23 15:58:48,581 DEBUG 
> [org.pac4j.oauth.profile.google2.Google2Profile] -  key: 
> access_token / value:XXX-XXX / class java.lang.String>
> 2018-01-23 15:58:48,581 DEBUG [org.pac4j.oauth.client.Google2Client] - 
>  {name.familyName=del Pozo, 
> emails=[org.pac4j.oauth.profile.google2.Google2Email@64f6a901], 
> access_token=..., gender=MALE, displayName=Oscar del Pozo, 
> name.givenName=Oscar, ... |>
> 2018-01-23 15:58:49,599 WARN 
> [org.apereo.cas.support.pac4j.oauth.MyProfileAuthorizationGenerator] 
> - 
> 2018-01-23 15:58:49,599 DEBUG 
> [org.pac4j.oauth.profile.google2.Google2Profile] 
> - 
> 2018-01-23 15:58:51,789 ERROR 
> [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
>  authentication handler that supports 
> [org.apereo.cas.authentication.principal.ClientCredential@2f8fc6b0[id=]]
>  
> of type [ClientCredential].>
> 2018-01-23 15:58:53,216 INFO 
> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -  trail record BEGIN
> =
> WHO: null
> WHAT: Supplied credentials: 
> [org.apereo.cas.authentication.principal.ClientCredential@2f8fc6b0[id=]]
> ACTION: AUTHENTICATION_SUCCESS   (This is a reported bug, the 
> authentication has actually failed: 
> https://github.com/apereo/inspektr/pull/10)
> APPLICATION: CAS
> WHEN: Tue Jan 23 15:58:53 CET 2018
> CLIENT IP ADDRESS: 192.168.56.1
> SERVER IP ADDRESS: 192.168.56.1
> =
> >
> 2018-01-23 15:58:53,247 ERROR 
> [org.springframework.boot.web.support.ErrorPageFilter] -  error page from request [/login] due to exception [Exception thrown 
> executing 
> org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationAction@848f27e
>  
> in state 'clientAction' of flow 'login' -- action execution attributes were 
> 'map[[empty]]']>

at 
> org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:60)
>  
> ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
> at 
> org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:77)
>  
> ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
> at 
> org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
>  
> ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE] 
> [...]
> Caused by: org.apereo.cas.authentication.AuthenticationException: 1 
> errors, 0 successes
> at 
> org.apereo.cas.authentication.PolicyBasedAuthenticationManager.evaluateFinalAuthentication(PolicyBasedAuthenticationManager.java:400)
>  
> ~[cas-server-core-authentication-5.2.1.jar:5.2.1]
> at 
> org.apereo.cas.authentication.PolicyBasedAuthenticationManager.authenticateInternal(PolicyBasedAuthenticationManager.java:380)
>  
> ~[cas-server-core-authentication-5.2.1.jar:5.2.1]
> at 
> org.apereo.cas.authentication.PolicyBasedAuthenticationManager.authenticate(PolicyBasedAuthenticationManager.java:220)
>  
> ~[cas-server-core-authentication-5.2.1.jar:5.2.1]



Is my approach correct? Is it possible to not show this CAS error and 
go to the 403 view?

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/b4a8894e-1672-4c52-84e4-707f517454af%40apereo.org.


Re: [cas-user] Allowing alternate identifiers for username

2018-01-23 Thread Mohsen Ebrahimi

If your backend is LDAP you can do some tricks with the LDAP filter. For example:

cas.authn.ldap[0].userFilter=(|(uid={user})(&(!(uid=*))(|(mail={user}@mail2.domain)(mail={user}@mail.domain




 

-Original Message-
From: "Dusty Edenfield" 
To: "CAS Community" 
Date: 03 Bah 1396 00:28
Subject: [cas-user] Allowing alternate identifiers for username

Is there a way to allow for different formats for username in CAS?  For 
example, we have had some users ask if username@domain could be accepted as 
well as the usual username to eliminate confusion.  


[cas-user] Ip changed to Host name

2018-01-23 Thread Ramakrishna G
Hello all,


I am using mod_auth_cas. When I hit the CAS URL I give the IP, and CAS 
automatically changes it to the host name. Can anyone suggest how to stop this?


E.g. my URL: https://192.168.111.XX => it redirects to my CAS URL as 
https://192.168.111.XX:9443/cas/login?service=https%3a%2f%2fclient.XX.local%2f

Instead of client.XX.local I need my IP itself in service.



Re: [cas-user] Inspektr audit says AUTHENTICATION_SUCCESS on authentication failures

2018-01-23 Thread Oscar del Pozo
Thanks!

On Tuesday, January 23, 2018, 12:50:29 (UTC+1), Dmitriy Kopylenko 
wrote:
>
> https://github.com/apereo/inspektr
>
> D. 
>
>
>
>
> On Tue, Jan 23, 2018 at 5:38 AM -0500, "Oscar del Pozo" <
> oscard...@gmail.com > wrote:
>
>> There is a bug in the module inspektr-audit-1.7.1.GA when an Exception is 
>> thrown on an authentication process that ends up logging the authentication as 
>> successful:
>>
>> Logs:
>>
>> 2018-01-23 11:18:18,583 ERROR 
>>> [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
>>> >> has failed. Credentials may be incorrect or CAS cannot find 
>>> authentication handler that supports 
>>> [org.apereo.cas.authentication.principal.ClientCredential@77d80cf8[id=]]
>>>  
>>> of type [ClientCredential].>
>>> 2018-01-23 11:18:57,038 INFO 
>>> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - >> trail record BEGIN
>>> =
>>> WHO: null
>>> WHAT: Supplied credentials: 
>>> [org.apereo.cas.authentication.principal.ClientCredential@77d80cf8[id=]]
>>> ACTION: AUTHENTICATION_SUCCESS
>>> APPLICATION: CAS
>>> WHEN: Tue Jan 23 11:18:57 CET 2018
>>> CLIENT IP ADDRESS: 192.168.56.1
>>> SERVER IP ADDRESS: 192.168.56.1
>>> =
>>
>>
>> The bug is located at 
>> *org.apereo.inspektr.audit.AuditTrailManagementAspect@handleAuditTrail(final 
>> ProceedingJoinPoint joinPoint, final Audit audit) throws Throwable*:
>>
>>     @Around(value = "@annotation(audit)", argNames = "audit")
>>     public Object handleAuditTrail(final ProceedingJoinPoint joinPoint, final Audit audit) throws Throwable {
>>         final AuditActionResolver auditActionResolver = this.auditActionResolvers.get(audit.actionResolverName());
>>         final AuditResourceResolver auditResourceResolver = this.auditResourceResolvers.get(audit.resourceResolverName());
>>
>>         String currentPrincipal = null;
>>         String[] auditResource = new String[]{null};
>>         String action = null;
>>         Object retVal = null;
>>         try {
>>             retVal = joinPoint.proceed();
>>
>>             currentPrincipal = this.auditPrincipalResolver.resolveFrom(joinPoint, retVal);
>>             auditResource = auditResourceResolver.resolveFrom(joinPoint, retVal);
>>             action = auditActionResolver.resolveFrom(joinPoint, retVal, audit);
>>
>>             return retVal;
>>         } catch (final Throwable e) {
>>             currentPrincipal = this.auditPrincipalResolver.resolveFrom(joinPoint, e);
>>             auditResource = auditResourceResolver.resolveFrom(joinPoint, e);
>>             action = auditActionResolver.resolveFrom(joinPoint, e, audit);
>>             throw e;
>>         } finally {
>>             executeAuditCode(currentPrincipal, auditResource, joinPoint, retVal, action, audit);
>>         }
>>     }
>>
>> The problem here is that the auditActionResolver has two methods:
>>
>>     String resolveFrom(JoinPoint auditableTarget, Object retval, Audit audit);
>>
>>     String resolveFrom(JoinPoint auditableTarget, Exception exception, Audit audit);
>>
>> When we try to invoke the second one, we have to cast the exception e so 
>> that we do not enter the first method, where the success suffix will be 
>> applied to the audit log.
>>
>> To fix this, the catch block should be:
>>
>>     } catch (final Throwable e) {
>>         currentPrincipal = this.auditPrincipalResolver.resolveFrom(joinPoint, e);
>>         auditResource = auditResourceResolver.resolveFrom(joinPoint, e);
>>         action = auditActionResolver.resolveFrom(joinPoint, (Exception) e, audit);
>>         throw e;
>>     }
>>
>> I would make a pull request, but I haven't found the source code on 
>> GitHub.
>>
>>
>


[cas-user] Inspektr audit says AUTHENTICATION_SUCCESS on authentication failures

2018-01-23 Thread Oscar del Pozo
There is a bug in the module inspektr-audit-1.7.1.GA when an Exception is 
thrown on an authentication process that ends up logging the authentication as 
successful:

Logs:

2018-01-23 11:18:18,583 ERROR 
> [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
>  has failed. Credentials may be incorrect or CAS cannot find 
> authentication handler that supports 
> [org.apereo.cas.authentication.principal.ClientCredential@77d80cf8[id=]]
>  
> of type [ClientCredential].>
> 2018-01-23 11:18:57,038 INFO 
> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -  trail record BEGIN
> =
> WHO: null
> WHAT: Supplied credentials: 
> [org.apereo.cas.authentication.principal.ClientCredential@77d80cf8[id=]]
> ACTION: AUTHENTICATION_SUCCESS
> APPLICATION: CAS
> WHEN: Tue Jan 23 11:18:57 CET 2018
> CLIENT IP ADDRESS: 192.168.56.1
> SERVER IP ADDRESS: 192.168.56.1
> =


The bug is located at 
*org.apereo.inspektr.audit.AuditTrailManagementAspect@handleAuditTrail(final 
ProceedingJoinPoint joinPoint, final Audit audit) throws Throwable*:

    @Around(value = "@annotation(audit)", argNames = "audit")
    public Object handleAuditTrail(final ProceedingJoinPoint joinPoint, final Audit audit) throws Throwable {
        final AuditActionResolver auditActionResolver = this.auditActionResolvers.get(audit.actionResolverName());
        final AuditResourceResolver auditResourceResolver = this.auditResourceResolvers.get(audit.resourceResolverName());

        String currentPrincipal = null;
        String[] auditResource = new String[]{null};
        String action = null;
        Object retVal = null;
        try {
            retVal = joinPoint.proceed();

            currentPrincipal = this.auditPrincipalResolver.resolveFrom(joinPoint, retVal);
            auditResource = auditResourceResolver.resolveFrom(joinPoint, retVal);
            action = auditActionResolver.resolveFrom(joinPoint, retVal, audit);

            return retVal;
        } catch (final Throwable e) {
            currentPrincipal = this.auditPrincipalResolver.resolveFrom(joinPoint, e);
            auditResource = auditResourceResolver.resolveFrom(joinPoint, e);
            action = auditActionResolver.resolveFrom(joinPoint, e, audit);
            throw e;
        } finally {
            executeAuditCode(currentPrincipal, auditResource, joinPoint, retVal, action, audit);
        }
    }

The problem here is that the auditActionResolver has two methods:

    String resolveFrom(JoinPoint auditableTarget, Object retval, Audit audit);

    String resolveFrom(JoinPoint auditableTarget, Exception exception, Audit audit);

When we try to invoke the second one, we have to cast the exception e so 
that we do not enter the first method, where the success suffix will be 
applied to the audit log.

To fix this, the catch block should be:

    } catch (final Throwable e) {
        currentPrincipal = this.auditPrincipalResolver.resolveFrom(joinPoint, e);
        auditResource = auditResourceResolver.resolveFrom(joinPoint, e);
        action = auditActionResolver.resolveFrom(joinPoint, (Exception) e, audit);
        throw e;
    }

I would make a pull request, but I haven't found the source code on GitHub.

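
Added example, not part of the original post and not Inspektr's own code: a self-contained Java demo of the overload-resolution pitfall described in the message above, using a hypothetical ActionResolver class with the same two-overload shape. It also includes a guarded variant (an assumption here, not from the post), because a bare (Exception) cast throws ClassCastException when the Throwable is an Error.

```java
import java.util.concurrent.Callable;

public class AuditOverloadDemo {

    // Hypothetical stand-in for a resolver with the two overloads from the post.
    static final class ActionResolver {
        String resolveFrom(String target, Object retval) {
            return target + "_SUCCESS";
        }

        String resolveFrom(String target, Exception exception) {
            return target + "_FAILED";
        }
    }

    enum Mode { UNCAST, CAST, GUARDED }

    // Mirrors the try/catch shape of the aspect and returns the audited action.
    static String audit(Callable<Object> operation, Mode mode) {
        ActionResolver resolver = new ActionResolver();
        String action;
        try {
            Object retVal = operation.call();
            action = resolver.resolveFrom("AUTHENTICATION", retVal);
        } catch (Throwable e) {
            switch (mode) {
                case UNCAST:
                    // Static type is Throwable, which is not an Exception, so the
                    // compiler binds this call to the (String, Object) overload.
                    action = resolver.resolveFrom("AUTHENTICATION", e);
                    break;
                case CAST:
                    // Static type is now Exception: the failure overload is chosen,
                    // but the cast itself fails if e is an Error.
                    action = resolver.resolveFrom("AUTHENTICATION", (Exception) e);
                    break;
                default:
                    // Guarded variant (assumption): wrap non-Exception throwables so
                    // the failure overload is always the one selected.
                    Exception ex = (e instanceof Exception) ? (Exception) e : new RuntimeException(e);
                    action = resolver.resolveFrom("AUTHENTICATION", ex);
            }
        }
        return action;
    }

    public static void main(String[] args) {
        // Constructed failures standing in for a rejected login and a fatal error.
        Callable<Object> failingLogin = () -> { throw new IllegalStateException("constructed failure"); };
        Callable<Object> fatalError = () -> { throw new StackOverflowError("constructed error"); };

        System.out.println("uncast:  " + audit(failingLogin, Mode.UNCAST));
        System.out.println("cast:    " + audit(failingLogin, Mode.CAST));
        System.out.println("guarded: " + audit(fatalError, Mode.GUARDED));
        System.out.println("normal:  " + audit(() -> "ticket", Mode.UNCAST));
    }
}
```

Overload selection happens at compile time from the static type of the argument, so the uncast call reports a success action even though an exception was thrown; audit pipelines that alert on failed-login actions would miss these events.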


Re: [cas-user] Problem integrating CAS 5.2.0 with ORCID and FACEBOOK.

2018-01-23 Thread Jérôme LELEU
Hi,

In pac4j, you can set the scope of the Orcid client. It doesn't seem
possible within the CAS server:
https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#orcid

That said, this is easy to change: don't hesitate to submit a PR for that
in the CAS project.

What would be the right default scope to change that in pac4j:
https://github.com/pac4j/pac4j/blob/master/pac4j-oauth/src/main/java/org/pac4j/oauth/client/OrcidClient.java#L18
?

Thanks.
Best regards,
Jérôme


On Mon, Jan 22, 2018 at 3:19 PM, Neha Gupta  wrote:

> Hello Jérôme,
>
> I posted the reply last week but it seems it got lost somewhere. So posting it
> again: -
>
> *ORCID: -*
> The problem seems to be with the scope. Please see the URL where the new scopes are
> described. I also had a talk with ORCID support, and according to them the
> scope /orcid-profile belongs to an older version of the API. The current 2.1 API
> only supports the scopes mentioned in the link.
>
> https://members.orcid.org/api/oauth/orcid-scopes
>
> FACEBOOK: -
> After correctly defining the "App Domain" and "Site URL", delegation to
> Facebook started working.
>
>
> Thanks a lot for your support.
>
> Regards
> Neha Gupta
>
> On Tuesday, January 16, 2018 at 10:55:11 AM UTC+1, leleuj wrote:
>>
>> Hi,
>>
>> 1) Orcid
>>
>> The URL looks good: I would try another value for the scope. Have you
>> taken a look at the documentation?
>>
>> 2) Facebook
>>
>> I opened the Facebook console, and I see a "Facebook login" item in the
>> left menu with a "Parameters" submenu, in which you have several flags to
>> enable, especially "web OAuth connection": is this checked? There is also a
>> "redirection URL" input field you may need to fill, depending on the
>> version of your FB app.
>>
>> Thanks.
>> Best regards,
>> Jérôme
>>
>>
>> On Mon, Jan 15, 2018 at 2:43 PM, Neha Gupta  wrote:
>>
>>> Hello Jérôme,
>>>
>>> Below is the update
>>>
>>> *ORCID: -*
>>>
>>> The URL which is getting called before is "http://www.orcid.org/oauth/au
>>> thorize/?client_id=xxx=%2Forcid-profile%2Fread-limited
>>> _type=code_uri=https%3A%2F%2Fdesktop-
>>> d8r3ca4%3A8443%2Fcas%2Flogin%3Fclient_name%3Dorcid"
>>>
>>> After looking at the network calls, it seems that 301 and 302 status codes are
>>> being returned in response to the above URL.
>>>
>>> *FACEBOOK:- *
>>> In the Facebook app console I don't see any place for a callback URL. Only the
>>> fields shown in the attached snapshot are available.
>>>
>>>
>>> Thanks a lot for your support.
>>>
>>>
>>> Regards
>>> Neha Gupta
>>>
>>>
>>>
>>>
>>> On Friday, January 12, 2018 at 3:03:22 PM UTC+1, leleuj wrote:

 Hi,

 Please don't output your id and secret in your emails!

 - Orcid:

 I think there is a URL called before the one given in the error
 message, it should be something like
 http://www.orcid.org/oauth/authorize/xxx
 (https://github.com/pac4j/pac4j/blob/master/pac4j-oauth/src/main/java/org/pac4j/scribe/builder/api/OrcidApi20.java#L20)

 Can you post it here?

 - Facebook:

 Are you sure you defined the callback URL:
 https://desktop-d8r3ca4:8443/cas/login?client_name=Facebook
 in your Facebook app console?

 Thanks.
 Best regards,
 Jérôme


 On Fri, Jan 12, 2018 at 10:57 AM, Neha Gupta 
 wrote:

> Dear CAS people,
>
> Good morning!
>
> I am trying to delegate CAS authentication to Orcid and Facebook and
> as such created war file after updating "pom.xml" and "cas.properties" as
> follows: -
>
> *pom.xml*
>
> 
> org.apereo.cas
> cas-server-support-pac4j-webflow
> 5.2.0
> 
> 
>
> *cas.properties*
>
>  cas.authn.pac4j.orcid.id=xxx
>  cas.authn.pac4j.orcid.secret=yyy
>  cas.authn.pac4j.orcid.clientName=orcid
>
> and similarly for Facebook as well, but when I try to do so
> I get an error with both Orcid and Facebook
>
> *Problem with ORCID: -*
>
> "There has been a problem with the server". If problem persists please
> contact ORCID support.  URL which CAS is hitting is "
> https://orcid.org/signin?oauth#show_login; which seems
> a little weird to me. I already contacted the Orcid support group, but according
> to them there is no problem at their end, and they asked me to look into the
> URL.
>
> *Problem with Facebook: -*
>
> "Sorry something went wrong"*. *URL which CAS is hitting is
> "https://www.facebook.com/v2.8/dialog/oauth?response_type=co
> de_id=476366362744200_uri=https%3A%2F%
> 2Fdesktop-d8r3ca4%3A8443%2Fcas%2Flogin%3Fclient_name%
> 3DFacebook=email%2Cuser_likes%2Cuser_about_me%2Cuser_
> birthday%2Cuser_education_history%2Cuser_hometown%
> 2Cuser_relationship_details%2Cuser_location%2Cuser_
> religion_politics%2Cuser_relationships%2Cuser_work_
>