Re: [cas-user] Re: How to get google attributes in PAC4J

2019-03-14 Thread Andy Ng
Hello,

What version of CAS are you on? If you are on CAS > 5.3.9 (or the latest
CAS 6.x), since pac4j is updated to 3.6.1:

You should see that *emails* is no longer there and there is an *email*
attribute instead (which is a plain string).

So you can get that very easily, no need to decode/handle Google2Email.


See if the above helps you

Cheers!
- Andy

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/1a97f300-c54c-4773-adf4-c3fba4571b9c%40apereo.org.


Re: [cas-user] Re: CAS ver >=6.0.0 is not working for 'TARGET' service parameter

2019-03-14 Thread 'Robert Bond' via CAS Community
We tried using Ellucian's WSO2. We did not enjoy it. We tried using it in
2016. At that time Ellucian was super behind the real WSO2 project. At the
same time they had modified it in ways where trying to use WSO2's
documentation was problematic.

I have been super happy with CAS; the documentation can be trying
sometimes, but the project is very alive.

I have seen Ellucian trying to convince people that "Ethos" (Who knows what
Ethos even means) is required. We have been able to do everything without
it and have the flexibility to truly SSO with the rest of our systems.

On Thu, Mar 14, 2019 at 7:48 AM mbar...@scad.edu  wrote:

> Robert,
>
> You are welcome, but I'm just learning about this version of CAS myself.
> I'm glad that helped.
>
> We've been using Ellucian's Luminis version of CAS for years.  I think
> that's still at 3x something, and I never had to do much configuration with
> it.  We've been using that version with Banner 9 for over a year now with
> no issues.
>
> But now we're looking at switching to a standalone CAS.  Ellucian is
> switching over to WSO2 and we're not sure we want to use that product.
> Plus the current version of CAS has several features we could use and being
> not so tied to Ellucian should give us more control.
>
> Thanks,
> Mike
>


-- 
Robert Bond
Application Developer / System Administrator
(918) 444-5936
Northeastern State University

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAOA9z6rq6Tbecn-9KdtDWgfHDe8ZA2w6khFwzF3wuFkv43NSOA%40mail.gmail.com.


[cas-user] Re: Configure single datasource

2019-03-14 Thread Misagh Moayyed
The only way I know how, besides writing code, is if you set up a data 
source via JNDI and then set the name of that data source in CAS settings 
for authentications and audits.

https://apereo.github.io/cas/6.0.x/configuration/Configuration-Properties-Common.html#container-based-jdbc-connections

On Thursday, March 7, 2019 at 5:14:14 AM UTC-7, Diego Henrique Pagani wrote:
>
> Hello guys,
>
> I'm setting up CAS 6.0.1, searching for users on a database, and have also 
> configured the audit, which can use the same connection pool as the 
> database. 
> What I'm trying to configure is a single datasource, with connection pool 
> sharing between these two modules (and maybe other functionalities of CAS), 
> but I'm not able to find out how I can do it.
>
> What am I missing?
>
> Thanks!
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/7e57115b-9938-4736-b365-f23261ff762e%40apereo.org.
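Added example of the container-based setup Misagh describes (this is not his snippet and not CAS project code): the JDBC query authentication handler and the JDBC audit trail both point their `dataSourceName` at one JNDI resource, so they draw from a single pool owned by the servlet container and the database credentials stay in the container's resource definition rather than in cas.properties. The resource name `jdbc/cas`, the table and column names, and the assumption that these two property groups accept the `dataSourceName` key documented at the link above are mine, not the thread's.

```properties
# Container-managed pool (assumed name jdbc/cas). It is declared once in Tomcat's
# conf/context.xml as <Resource name="jdbc/cas" type="javax.sql.DataSource" .../>
# together with the driver class, JDBC URL, credentials and pool sizing, so no
# database password needs to appear in this file.

# JDBC authentication: the query handler borrows connections from the JNDI pool
# instead of opening a pool of its own (assumed table/column names).
cas.authn.jdbc.query[0].dataSourceName=java:comp/env/jdbc/cas
cas.authn.jdbc.query[0].sql=SELECT * FROM users WHERE username=?
cas.authn.jdbc.query[0].fieldPassword=password
cas.authn.jdbc.query[0].passwordEncoder.type=BCRYPT

# JDBC audit trail: same JNDI name, so authentications and audits share one pool.
cas.audit.jdbc.dataSourceName=java:comp/env/jdbc/cas
```

Because both modules resolve the same JNDI name, pool limits, timeouts and credential rotation are managed in one place (the container), and a third JDBC-backed module would join the same pool by setting its own `dataSourceName` to the same value.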


Re: [cas-user] Re: How to get google attributes in PAC4J

2019-03-14 Thread Indika Munaweera
I am having the same issue. 

[result=Service Access Granted,service=http://localhost:/login/cas,principal=SimplePrincipal(id=102313159136078677102,
attributes={access_token=[ya29.GlzMBibZB2IIac9qMvpdqQ3ZqOufogMmVCkDFvsSG3-qM88mb_Sa-CgNcK0LLHFxO4TJ_ugz7uiTDFUOW7YTi_PXVgVTmuIGYWSdzt11pPpVoxfc6s66OK1DcTJRvw],
displayName=[Indika Munaweera], 
emails=[org.pac4j.oauth.profile.google2.Google2Email@6b8a5964], 
image.url=[https://lh3.googleusercontent.com/-r9n1gDd0euo/AAI/Brw/YFvvFzZ25T4/s50/photo.jpg],
language=[en], name.familyName=[Munaweera], 
name.givenName=[Indika]}),requiredAttributes={}]

I need the emails=[org.pac4j.oauth.profile.google2.Google2Email@6b8a5964] object 
in JSON format like the other values. 

Any help is highly appreciated. 

Thanks,

On Friday, October 27, 2017 at 1:21:50 AM UTC+5:30, leleuj wrote:
>
> Hi,
>
> It should work. The authentication delegation is handled by the 
> ClientAction or DelegatedClientAuthenticationAction class (the name has 
> changed over versions) which uses the ClientAuthenticationHandler. In this 
> handler, the user profile attributes are used to build the SimplePrincipal: 
> when you turn on the DEBUG logs on org.jasig/org.apereo, what do you see 
> for the built principal?
> Thanks.
> Best regards,
> Jérôme
>
>
> On Thu, Oct 26, 2017 at 6:28 AM, Edward  > wrote:
>
>> Hi All,
>> Thank you very much for your response:
>>
>> 1. my scope for google is:
>> cas.authn.pac4j.google.scope=EMAIL_AND_PROFILE
>>
>> 2. after adding logging.level.org.pac4j=DEBUG
>> I can see in the log that Google returns a lot of attributes:
>> 2017-10-26 11:56:34,573 INFO 
>> [org.pac4j.oauth.profile.creator.OAuth20ProfileCreator] - >  "kind": "plus#person",
>>  "etag": "\"xx/x\"",
>>  "emails": [
>>   {
>>"value": "x.x...@gmail.com ",
>>"type": "account"
>>   }
>>  ],
>>  "objectType": "person",
>>  "id": "15125125125125",
>>  "displayName": "xx",
>>  "name": {
>>   "familyName": "X",
>>   "givenName": "Xxx"
>>  },
>>  "url": "https://plus.google.com/15125125125125",
>>  "image": {
>>   "url": "
>> https://lh4.googleusercontent.com/-XFxyqk/XXX/XXXcv/-XXXasaXX/photo.jpg?sz=50
>> ",
>>   "isDefault": false
>>  },
>>  "isPlusUser": true,
>>  "language": "en_GB",
>>  "circledByCount": 6,
>>  "verified": false
>> }
>> >
>>
>> but the final user profile JSON string I got is still the same, not the 
>> full one like above.
>> {
>>   "attributes":
>>   {
>> "clientName": "Google"
>>   },
>>   "id": "15125125125125"
>> }
>>
>>
>> 3. this is how I get the CAS user profile:
>> HttpClient client = new HttpClient();
>> String profileUrl = "https://mydomain.dom.com:8443/cas/oauth2.0/profile?access_token=AT-5-BXWqunDZXTVBZT6jSC6bjqfqodO7JStxJUf";
>> GetMethod method = new GetMethod(profileUrl);
>> client.executeMethod(method);
>> String resultStr = method.getResponseBodyAsString();
>> // resultStr only contains the above JSON string.
>>
>> 4. in the service configuration:
>> {
>>   @class: org.apereo.cas.support.oauth.services.OAuthRegisteredService
>>   serviceId: ^https://mydomain.dom.com:8443/cas-users-management/.*
>>   name: CAS User Management
>>   id: 1506918968305
>>   description: CAS user management
>>   proxyPolicy:
>>   {
>> @class: org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy
>>   }
>>   evaluationOrder: 0
>>   usernameAttributeProvider:
>>   {
>> @class: 
>> org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider
>> canonicalizationMode: NONE
>> encryptUsername: false
>>   }
>>   attributeReleasePolicy:
>>   {
>> @class: org.apereo.cas.services.*ReturnAllAttributeReleasePolicy*
>> principalAttributesRepository:
>> {
>>   @class: 
>> org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository
>>   expiration: 2
>>   timeUnit: HOURS
>> }
>> authorizedToReleaseCredentialPassword: false
>> authorizedToReleaseProxyGrantingTicket: false
>> excludeDefaultAttributes: false
>>   }
>>
>> ..
>>
>> I still cannot get the additional attributes from Google. 
>> Any suggestion? 
>>
>> Thanks!
>>
>>>
>> To view this discussion on the web visit 
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/6c9869dc-f7d4-42d7-9aba-c846d2fb810c%40apereo.org.
>>
>
>

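The SimplePrincipal dump in Indika's message, and Andy's point that newer pac4j exposes a plain-string `email` instead of `emails`, are both illustrated by the following added example (my code, not from the thread, not CAS or pac4j code). It parses a constructed copy of that audit line, lists the released attributes, flags any value that is merely a Java object's default toString (the `Google2Email@6b8a5964` form, which is why that attribute cannot be rendered as JSON like the others), and flags the Google `access_token` travelling as a principal attribute, which a release policy should not forward to relying services. The sample line, the shortened token and the list of sensitive attribute names are constructed.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the SimplePrincipal audit line in this thread
# (token and image URL shortened); it is not a real captured token.
SAMPLE_LINE = (
    "[result=Service Access Granted,service=http://localhost:8080/login/cas,"
    "principal=SimplePrincipal(id=102313159136078677102,"
    "attributes={access_token=[ya29.EXAMPLE-TOKEN], "
    "displayName=[Indika Munaweera], "
    "emails=[org.pac4j.oauth.profile.google2.Google2Email@6b8a5964], "
    "image.url=[https://lh3.googleusercontent.com/example/photo.jpg], "
    "language=[en], name.familyName=[Munaweera], name.givenName=[Indika]}),"
    "requiredAttributes={}]"
)

# A Java object without its own toString() prints as fully.qualified.Class@hexhash.
# Such a value is what the principal actually holds, so it has no JSON text form.
OPAQUE_OBJECT = re.compile(r"^(?:[A-Za-z_$][\w$]*\.)+[A-Z][\w$]*@[0-9a-f]+$")

# Attributes that carry a credential rather than identity (assumed list).
SENSITIVE = {"access_token", "refresh_token", "id_token"}


def parse_principal_attributes(line: str) -> Dict[str, List[str]]:
    """Return {attribute: [values]} from a line containing SimplePrincipal(... attributes={...})."""
    block = re.search(r"attributes=\{(.*?)\}\)", line)
    if not block:
        raise ValueError("no SimplePrincipal attributes block found")
    attrs: Dict[str, List[str]] = {}
    # Entries look like name=[v1, v2]; split on the closing bracket, not on bare
    # commas, because values such as URLs may themselves contain commas.
    for entry in re.finditer(r"([\w.]+)=\[(.*?)\](?:, |$)", block.group(1)):
        name, raw = entry.group(1), entry.group(2)
        attrs[name] = [v.strip() for v in raw.split(", ")] if raw else []
    return attrs


def audit_attributes(attrs: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Flag attributes that are opaque Java objects and ones that carry credentials."""
    findings: Dict[str, List[str]] = {"opaque": [], "sensitive": []}
    for name, values in attrs.items():
        if any(OPAQUE_OBJECT.match(v) for v in values):
            findings["opaque"].append(name)
        if name in SENSITIVE:
            findings["sensitive"].append(name)
    return findings


if __name__ == "__main__":
    parsed = parse_principal_attributes(SAMPLE_LINE)
    for attr, vals in parsed.items():
        print(f"{attr}: {vals}")
    print("findings:", audit_attributes(parsed))
```

Run against the real audit log, an `opaque` finding means the value has to be converted to a string (or, per Andy's reply, a pac4j version that already exposes `email` as a string used) before any JSON serialisation can carry it; a `sensitive` finding is a cue to narrow the service's attribute release policy so the Google access token stays inside CAS.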

Re: [cas-user] Infinite loop problem between Cas Server and Cas Services Management

2019-03-14 Thread Julio Dehesa Martin
Hi! 

I have the same problem, did you find the solution?

Thanks!

On Thursday, February 9, 2017 at 8:18:19 AM UTC+1, Ayé Rayé wrote:
>
> Hello everyone and thank you for your feedback.
> I made the gross mistake of not looking at all the Tomcat logs. I only went to 
> catalina.log, thinking that all the traces were there. Last night, after 
> reading your replies, I took a look in tomcat8-stdout.2017-02-08.log and 
> there I see:
>
> 2017-02-08 12:48:02,739 DEBUG 
> [org.pac4j.core.engine.J2ERenewSessionCallbackLogic] -  | callbackUrl: https://cas.mgmt:8443/callback?client_name=CasClient | 
> configuration: #CasConfiguration# | loginUrl: 
> https://cas.server:8443/login | prefixUrl: https://cas.server:8443/ | 
> protocol: CAS30 | renew: false | gateway: false | encoding: UTF-8 | 
> logoutHandler: org.pac4j.cas.logout.CasSingleSignOutHandler@1cec1ab8 | 
> acceptAnyProxy: false | allowedProxyChains: [] | proxyReceptor: null | 
> timeTolerance: 1000 | |>
> 2017-02-08 12:48:02,739 DEBUG 
> [org.pac4j.cas.credentials.extractor.TicketAndLogoutRequestExtractor] - 
>  ST-8-qvCl1FXsvQVHKtvcyyvp-MW7Dkmzd | clientName: CasClient |>
> 2017-02-08 12:48:02,774 ERROR [org.jasig.cas.client.util.CommonUtils] - 
>  found*>
> javax.net.ssl.SSLHandshakeException: 
> java.security.cert.CertificateException: *No name matching cas.server 
> found*
> at sun.security.ssl.Alerts.getSSLException(Unknown Source) ~[?:1.8.0_77]
> at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source) ~[?:1.8.0_77]
> at sun.security.ssl.Handshaker.fatalSE(Unknown Source) ~[?:1.8.0_77]
> at sun.security.ssl.Handshaker.fatalSE(Unknown Source) ~[?:1.8.0_77]
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) 
> [?:1.8.0_77]
> at 
> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>  
> [tomcat-util.jar:8.5.9]
> at java.lang.Thread.run(Unknown Source) [?:1.8.0_77]
> Caused by: java.security.cert.CertificateException: No name matching 
> cas.server found
> at sun.security.util.HostnameChecker.matchDNS(Unknown Source) ~[?:1.8.0_77]
> at sun.security.util.HostnameChecker
>
> I will then generate other keystores in agreement with my hostnames and 
> continue my POC. I'll keep you informed of the outcome. It may be useful for 
> other people in the same situation.
> A big thank you. Very good job on Cas Server and Cas Services 
> Management.
>
> Ayé Rayé
>
>
> On Wednesday, 8 February 2017 at 22:20:03 UTC+1, Misagh Moayyed wrote:
>>
>>
>> https://apereo.github.io/cas/development/installation/Troubleshooting-Guide.html
>>  
>>
>> --Misagh 
>>
>> -Original Message- 
>> From: cas-...@apereo.org [mailto:cas-...@apereo.org] On Behalf Of Uxío 
>> Prego 
>> Sent: Wednesday, February 8, 2017 10:02 PM 
>> To: cas-...@apereo.org 
>> Subject: Re: [cas-user] Infinite loop problem between Cas Server and Cas 
>> Services Management 
>>
>> Good evening, welcome to the list. 
>>
>> > No one has a solution for my problem? 
>>
>> Probably someone has a solution for your problem. That does not necessarily 
>> mean s/he is going to share a solution soon, or even ever. Keep working on 
>> your own while you wait for answers, and feel free to answer yourself to help 
>> others if you get the solution to your problem. 
>>
>> > What's my mistake? 
>>
>> I don't know, I am not CAS 5 enabled yet. But I have seen similar problems 
>> in CAS 3. There, (not necessarily now too) misconfiguration or customisation 
>> can cause a very similar redirect loop. In that case, I could solve it 
>> using CAS server debugging. 
>>
>> > Can you help me to have the right configuration please? 
>>
>> Sadly, not me. 
>>
>> Regards, 
>>
>> > On 8 Feb 2017, at 19:30, Ayé Rayé  wrote: 
>> > 
>> > Hi all, 
>> > 
>> > No one has a solution for my problem? 
>> > 
>> > 
>> > 
>> > On Wednesday, 8 February 2017 at 15:31:58 UTC+1, Ayé Rayé wrote: 
>> > Hello, 
>> > I have an infinite loop problem with my configuration on Cas Server and 
>> > Cas Services Management. I should specify that I use the latest version of 
>> > Cas Server, 5.0.2. And for Cas Services Management I used the Maven WAR 
>> > overlay on the master branch. After authentication with casuser I enter a 
>> > loop between two URLs: 
>> > 
>> > https://cas.server:8443/login?service=https%3A%2F%2Fcas.mgmt%3A8443%2F 
>> > callback%3Fclient_name%3DCasClient 
>> > 
>> > and 
>> > 
>> > 
>> https://cas.mgmt:8443/callback?client_name=CasClient&ticket=ST-20-1XvJaiZgJ6zW7o2lJRyp-MW7Dkmzd
>>  
>> > with a new ST ticket each time. 
>> > 
>> > 
>> > What's my mistake? Can you help me to have the right configuration, 
>> > please? 
>> > 
>> > I have added as attachments the configuration of the two applications. 
>> > 
>> > - application.properties for Cas Services Management 
>> > - bootstrap.properties for Cas Services Management 
>> > - management.properties for Cas Services Management 
>> > - cas-management.log for Cas Services Management 
>> > 
>> > - cas.log for Cas Server 
>> > - cas.properties for Cas 
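The root cause Ayé Rayé found above is a hostname mismatch: the management app validates tickets at the CAS server's prefixUrl (`https://cas.server:8443/`), but the keystore certificate carries no name matching `cas.server`, so the SSL handshake fails and the client bounces back to login with a fresh ST each time. The following added example (my code, not from the thread or the CAS project) reproduces the check that Java's HostnameChecker applies, over a constructed certificate dict in the shape `ssl.SSLSocket.getpeercert()` returns, so a keystore can be vetted against the configured prefixUrl before deployment. The sample certificate, its names and the wildcard cases are constructed.

```python
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed peer certificate in the dict shape ssl.SSLSocket.getpeercert() returns
# on a verified connection; it stands in for a keystore certificate issued to
# "localhost" while CAS is addressed as cas.server, the mismatch the stack trace reports.
SAMPLE_CERT: Dict = {
    "subject": ((("commonName", "localhost"),),),
    "subjectAltName": (("DNS", "localhost"), ("IP Address", "127.0.0.1")),
}


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive dNSName match; a leftmost '*' covers exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_dns_names(cert: Dict) -> List[str]:
    """dNSName SAN entries; the CN is consulted only when the cert has no dNSName SAN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]


def hostname_matches(cert: Dict, hostname: str) -> bool:
    """True when some certificate name covers the hostname the client connects to."""
    return any(_dns_name_match(name, hostname) for name in cert_dns_names(cert))


def check_cas_prefix(cert: Dict, prefix_url: str) -> str:
    """Report whether a client validating tickets at prefix_url will accept this certificate."""
    host = urlsplit(prefix_url).hostname or ""
    if hostname_matches(cert, host):
        return f"OK: certificate covers {host}"
    return f"No name matching {host} found; certificate names: {', '.join(cert_dns_names(cert))}"


if __name__ == "__main__":
    # The management app validates tickets against the server's prefixUrl from the log.
    print(check_cas_prefix(SAMPLE_CERT, "https://cas.server:8443/"))
    print(check_cas_prefix(SAMPLE_CERT, "https://localhost:8443/"))
```

To run this against a live server, import its self-signed certificate into an `ssl.create_default_context()` with `check_hostname` set to False (verification of the chain stays on), connect, and pass `getpeercert()` to `check_cas_prefix` together with the prefixUrl from cas.properties; a mismatch report here is the same condition that surfaces in Tomcat as the redirect loop, and the fix is a certificate whose SAN lists the hostname the clients actually use.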

Re: [cas-user] Re: CAS ver >=6.0.0 is not working for 'TARGET' service parameter

2019-03-14 Thread mbar...@scad.edu
Robert,

You are welcome, but I'm just learning about this version of CAS myself.  
I'm glad that helped.  

We've been using Ellucian's Luminis version of CAS for years.  I think 
that's still at 3x something, and I never had to do much configuration with 
it.  We've been using that version with Banner 9 for over a year now with 
no issues.

But now we're looking at switching to a standalone CAS.  Ellucian is 
switching over to WSO2 and we're not sure we want to use that product.  
Plus the current version of CAS has several features we could use and being 
not so tied to Ellucian should give us more control.

Thanks,
Mike

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/6bebfd84-41e3-4303-9f06-5ff32b588d13%40apereo.org.


Re: [cas-user] Re: interfacing CAS with angular 7 applications

2019-03-14 Thread Ian Wright
The same thought had occurred to me

At the moment I'm only using it for a proof of concept where the auth isn't 
that important, so I haven't looked into/thought about it too much, at least 
not yet (and I know I should!), so I'd be happy to hear any thoughts on this.

I guess there's (very) limited protection in the service URL pattern 
matching and in having a short token expiration time (although I need to 
balance that with the overhead of refreshing the token).

Not sure if it would be better with OIDC than OAuth, something else I 
should probably look into...

On Wednesday, 13 March 2019 21:02:44 UTC, Trenton D. Adams wrote:
>
> It sounds very much like it's open to an easy exploit, where an attacker 
> just says "I'm person X, give me access", by overriding the javascript on 
> the client side.  Anything done in the browser cannot be trusted, 
> especially when it comes to authentication.
> On 3/13/19 3:28 AM, Ian Wright wrote:
>
>
> Yes it is browser client side and does authenticate the client side app 
> against CAS without any server side interactions.
>
> What it also allows is, once you've auth'ed the client app, that you can 
> use the bearer token to auth against a server side app as well.
>
> On Tuesday, 12 March 2019 22:39:46 UTC, Trenton D. Adams wrote: 
>>
>> So, I mean, as in browser client side.
>>
>> So are you saying that this module is passing cas validation to the 
>> server side for the server to do the ticket validation?
>> On 3/12/19 10:21 AM, Ian Wright wrote:
>>
>> I'm not quite sure what you mean but yes it's client only.
>>
>> For context I have an openapi based application using the generator for 
>> typescript-angular on the client side.
>>
>> The angular-oauth2-oidc component allows a bearer token to be passed 
>> through to the server side
>>
>> My server side is also generated from the openapi spec - I'm using 
>> python-flask for development and AWS lambda elsewhere - the python-flask 
>> generated code works out of the box and it's a little more effort for the 
>> lambdas but not much.
>>
>> The openapi 3 spec is as follows:
>>
>>   securitySchemes:
>>     OAuthSecurity:
>>       type: oauth2
>>       x-tokenInfoUrl: .../oauth2.0/profile
>>       flows:
>>         authorizationCode:
>>           authorizationUrl: .../oauth2.0/authorize
>>           tokenUrl: .../oauth2.0/accessToken
>>           scopes:
>>             myscope: Access all areas
>>
>>
>> On Tuesday, 12 March 2019 16:08:34 UTC, Trenton D. Adams wrote: 
>>>
>>> Do you know if this is a client side library only Ian?
>>> On 3/12/19 2:54 AM, Ian Wright wrote:
>>>
>>> Short answer is yes.
>>>
>>> I'm currently using 
>>> "angular-oauth2-oidc": "^4.0.3",
>>> with CAS 5.3.7
>>> I'm using oauth rather than oidc, mainly because I wanted to bypass the 
>>> approval prompt which, at least when I tried it, could be configured for 
>>> oauth but not oidc but IIRC oidc worked fine. 
>>>
>>> On Monday, 11 March 2019 18:03:54 UTC, maxwell_g wrote: 

 Has anyone been successful at setting up the “angular-oauth2-oidc” library 
 to interface with CAS? We are currently using CAS version 5.2.2 and would 
 like to authenticate Angular 7 applications using OAuth and OpenID 
 Connect. 
 Would the “angular-oauth2-oidc” component be compatible or is there an 
 alternative?

 Thanks, Gary

>>> To view this discussion on the web visit 
>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/f38bc4f7-59e8-4441-acf5-af490c8adcfe%40apereo.org.
>>>
>>> -- 
>>> Trenton D. Adams
>>> Senior Systems Analyst/Web Software Developer
>>> Applications Unit - ITS
>>> Athabasca University
>>> (780) 675-6195
>>>
>>> It is only when you are surrounded by a supportive team, that you can 
>>> achieve 
>>> your best.  Instead of tearing people down, try building them up!
>>>
>>> -- 
>>>
>>> This communication is intended for the use of the recipient to whom it 
>>> is addressed, and may contain confidential, personal, and or privileged 
>>> information. Please contact us immediately if you are not the intended 
>>> recipient of this communication, and do not copy, distribute, or take 
>>> action relying on it. Any communications received in error, or subsequent 
>>> reply, should be deleted or destroyed. 
>>>
>>> ---
>>>
>> -- 
>> Trenton D. Adams
>> Senior Systems Analyst/Web Software Developer
>> Applications Unit - ITS
>>