Re: [cas-user] Account get locked in first failed login attempt

2020-05-20 Thread Vikash Chandra Ansh
Hi Daniel,

I am unable to attach the screenshot as I'm using a client VDI.

Can you please tell me what inputs you require so that I can send them
here.

Thanks & Regards

On Thu 21 May, 2020, 04:35 Daniel Fisher,  wrote:

> On Wed, May 20, 2020 at 4:06 PM Vikash Chandra Ansh <
> vikasharnav0...@gmail.com> wrote:
>
>> Hi Ray,
>>
>> I am asking about a different concept. I am looking for a concept of passivator
>> where the connection pool gets blocked after a failed login attempt. If we use
>> more than one LDAP, during an unsuccessful login the bind will happen on both
>> simultaneously, which will result in an account lock.
>>
>
> Can you post the CAS logs that show simultaneous binds?
>
> --Daniel Fisher
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAFC6YwRsz4J9d7O84pD%3DNFb1kgBH1AOK25LiUOY7pkTg_rcENQ%40mail.gmail.com
> 
> .
>



Re: [cas-user] Passvators and Connection Strategy 6.1.6

2020-05-20 Thread Vikash Chandra Ansh
Hi Daniel and Erik,

I am looking for the same concept. Please guide me on how to break the connection
pool after a failed login attempt so that the request doesn't go to the other one,
causing account lockout issues.

Thanks and regards

On Mon 18 May, 2020, 21:52 'Mallory, Erik' via CAS Community, <
cas-user@apereo.org> wrote:

> Hello,
> Currently we are running CAS 6.1.6 and we have a problem when we reboot
> a domain controller. It would appear that the LDAP connection is not
> failing over to the second DC in the list, causing logins to fail. We have
> four DCs. CAS is configured to use all 4 with a connection strategy
> of ACTIVE_PASSIVE and passivators are set to none.
>
> Could someone confirm and explain the relationship (if any) of
> passivators to the connection strategy configuration options?
> Thanks,
> --
> Erik Mallory
> Server Analyst
> Wichita State University
>
>



[cas-user] Default security loopholes!

2020-05-20 Thread Root
Hi All,

As we know, the default CAS comes with "casuser" and "Mellon" credentials.
Although they can be removed in the build, I just want to summarize whether there are
any other default security settings like these that need to be taken care
of, as the CAS documentation is very scattered. It would be good if we
could summarize the default loopholes here.

Also, I use the dependencies below; if anyone comes across such
loopholes, let us know.

compile "org.apereo.cas:cas-server-support-ldap:${project.'cas.version'}"
compile "org.apereo.cas:cas-server-support-jdbc:${project.'cas.version'}"
compile "org.apereo.cas:cas-server-support-saml:${project.'cas.version'}"
compile "org.apereo.cas:cas-server-support-pm-webflow:${project.'cas.version'}"
compile "org.apereo.cas:cas-server-webapp-config-server:${project.'cas.version'}"
compile "org.apereo.cas:cas-server-support-pm-ldap:${project.'cas.version'}"
compile "org.apereo.cas:cas-server-support-captcha:${project.'cas.version'}"




Re: [cas-user] Account get locked in first failed login attempt

2020-05-20 Thread Daniel Fisher
On Wed, May 20, 2020 at 4:06 PM Vikash Chandra Ansh <
vikasharnav0...@gmail.com> wrote:

> Hi Ray,
>
> I am asking about a different concept. I am looking for a concept of passivator
> where the connection pool gets blocked after a failed login attempt. If we use
> more than one LDAP, during an unsuccessful login the bind will happen on both
> simultaneously, which will result in an account lock.
>

Can you post the CAS logs that show simultaneous binds?

--Daniel Fisher



Re: [cas-user] Account get locked in first failed login attempt

2020-05-20 Thread Vikash Chandra Ansh
Hi Ray,

I am asking about a different concept. I am looking for a concept of passivator
where the connection pool gets blocked after a failed login attempt. If we use
more than one LDAP, during an unsuccessful login the bind will happen on both
simultaneously, which will result in an account lock.
I have tried using the property poolPassivator=BIND when I'm using the LDAP type
AUTHENTICATED.

Still, the account gets locked after 2 unsuccessful login attempts.


Thanks and regards.

On Wed, May 20, 2020 at 10:54 PM Ray Bon  wrote:

> Vikash,
>
> CAS login throttling is handled by these (and related settings), not LDAP
> settings:
>
> # Authentication Throttling
> #
> https://apereo.github.io/cas/5.1.x/installation/Configuration-Properties.html#authentication-throttling
> # default is by ip address only
> # enable following to use user name and ipaddress
> # cas.authn.throttle.usernameParameter=username
> # this is a rate of failed attempts: threshold / rangeSeconds
> cas.authn.throttle.failure.threshold=1
> cas.authn.throttle.failure.rangeSeconds=3
>
> In your log file, check what happens between cas and ldap:
>
>  includeLocation="true" />
>
> Ray
>
>
> On Wed, 2020-05-20 at 19:19 +0530, Vikash Chandra Ansh wrote:
>
>
> I have tried all the possible ways, but could not reach a conclusion.
> I have used the properties below.
>
> #${configurationKey}.ldapUrl=ldaps://ldap1.example.edu ldaps://ldap2.example.edu ldaps://ldap3.example.edu ldaps://ldap4.example.edu
>
> #${configurationKey}.bindDn=cn=Directory Manager,dc=example,dc=org
> #${configurationKey}.bindCredential=Password
>
> #${configurationKey}.poolPassivator=BIND
> #${configurationKey}.connectionStrategy=
> #${configurationKey}.providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
> #${configurationKey}.connectTimeout=PT5S
>
> #${configurationKey}.minPoolSize=3
> #${configurationKey}.maxPoolSize=10
> #${configurationKey}.validateOnCheckout=true
> #${configurationKey}.validatePeriodically=true
> #${configurationKey}.validatePeriod=PT5M
> #${configurationKey}.validateTimeout=PT5S
> #${configurationKey}.failFast=true
> #${configurationKey}.idleTime=PT10M
> #${configurationKey}.prunePeriod=PT2H
> #${configurationKey}.blockWaitTime=PT3S
> #${configurationKey}.useSsl=true
> #${configurationKey}.useStartTls=false
> #${configurationKey}.responseTimeout=PT5S
> #${configurationKey}.allowMultipleDns=false
> #${configurationKey}.allowMultipleEntries=false
> #${configurationKey}.followReferrals=false
> #${configurationKey}.binaryAttributes=objectGUID,someOtherAttribute
>
>
> Kindly guide me what to do.
> Thanks and regards
>
> On Wed 13 May, 2020, 23:16 Ray Bon,  wrote:
>
> Vikash,
>
> See
> https://apereo.github.io/cas/6.1.x/installation/Configuring-Authentication-Throttling.html
> Also check your LDAP settings/logs to see if the issue is there.
>
> Ray
>
> On Wed, 2020-05-13 at 16:15 +0530, Vikash Chandra Ansh wrote:
>
> Hi all,
>
> I am getting an unusual behaviour. Currently I am using four LDAPs for
> authentication. If a user enters wrong credentials once, the
> account is locked.
> Kindly help me to resolve this.
>
> I have added authentication type as authenticated.
>
>
> --
>
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | r...@uvic.ca
>
> I respectfully acknowledge that my place of work is located within the
> ancestral, traditional and unceded territory of the Songhees, Esquimalt and
> WSÁNEĆ Nations.
>
>
>

Re: [cas-user] RE: Choosing the right version

2020-05-20 Thread Ray Bon
There have been a number of config changes between versions 5 and 6. You will 
have to account for those in your upgrade.

Since this software is a gatekeeper to your applications, it is wise to run the 
most recent version.

Ray

On Wed, 2020-05-20 at 14:07 +0200, spfma.t...@e.mail.fr wrote:

Thanks for your reply.

And what about backward compatibility?

Of course there is a link between OS distributions, Java versions, CAS and
build tools, and if I can avoid using totally out-of-phase Java versions, I
would be more than happy!

But is it safe to replace an old CAS version with a more recent one (after having
modified the new templates and configuration files, of course)?

From: Root
Sent: Wednesday, 20 May 2020 12:49
To: CAS Community
Cc: spfma.t...@e.mail.fr
Subject: Re: Choosing the right version


Hi,
Yes, it's better to install the latest stable version. You can find the latest
releases here: https://github.com/apereo/cas/releases; as of now V6.1.6 would
be good for you.
Just avoid -RC versions.

On Wednesday, May 20, 2020 at 1:12:00 PM UTC+5:30, 
spfm...@e.mail.fr wrote:
Hi,
We are currently running CAS 5.1.9 on old hardware which needs to be
replaced.
Is it a good thing to use the latest version available, maybe to be more
“futureproof”, or should I install the same one?
By the way, how can I know which version is the latest stable one?
Regards




Re: [cas-user] Account get locked in first failed login attempt

2020-05-20 Thread Ray Bon
Vikash,

CAS login throttling is handled by these (and related settings), not LDAP
settings:

# Authentication Throttling
# 
https://apereo.github.io/cas/5.1.x/installation/Configuration-Properties.html#authentication-throttling
# default is by ip address only
# enable following to use user name and ipaddress
# cas.authn.throttle.usernameParameter=username
# this is a rate of failed attempts: threshold / rangeSeconds
cas.authn.throttle.failure.threshold=1
cas.authn.throttle.failure.rangeSeconds=3

In your log file, check what happens between cas and ldap:



Ray


On Wed, 2020-05-20 at 19:19 +0530, Vikash Chandra Ansh wrote:

I have tried all the possible ways, but could not reach a conclusion.
I have used the properties below.


#${configurationKey}.ldapUrl=ldaps://ldap1.example.edu ldaps://ldap2.example.edu ldaps://ldap3.example.edu ldaps://ldap4.example.edu

#${configurationKey}.bindDn=cn=Directory Manager,dc=example,dc=org
#${configurationKey}.bindCredential=Password

#${configurationKey}.poolPassivator=BIND
#${configurationKey}.connectionStrategy=
#${configurationKey}.providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
#${configurationKey}.connectTimeout=PT5S

#${configurationKey}.minPoolSize=3
#${configurationKey}.maxPoolSize=10
#${configurationKey}.validateOnCheckout=true
#${configurationKey}.validatePeriodically=true
#${configurationKey}.validatePeriod=PT5M
#${configurationKey}.validateTimeout=PT5S
#${configurationKey}.failFast=true
#${configurationKey}.idleTime=PT10M
#${configurationKey}.prunePeriod=PT2H
#${configurationKey}.blockWaitTime=PT3S
#${configurationKey}.useSsl=true
#${configurationKey}.useStartTls=false
#${configurationKey}.responseTimeout=PT5S
#${configurationKey}.allowMultipleDns=false
#${configurationKey}.allowMultipleEntries=false
#${configurationKey}.followReferrals=false
#${configurationKey}.binaryAttributes=objectGUID,someOtherAttribute

Kindly guide me what to do.
Thanks and regards

On Wed 13 May, 2020, 23:16 Ray Bon, <r...@uvic.ca> wrote:
Vikash,

See 
https://apereo.github.io/cas/6.1.x/installation/Configuring-Authentication-Throttling.html
Also check your LDAP settings/logs to see if the issue is there.

Ray

On Wed, 2020-05-13 at 16:15 +0530, Vikash Chandra Ansh wrote:
Hi all,

I am getting an unusual behaviour. Currently I am using four LDAPs for 
authentication. If a user enters wrong credentials once, the account 
is locked.
Kindly help me to resolve this.

I have added authentication type as authenticated.





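The throttle settings Ray quotes above express a rate ("threshold / rangeSeconds"). The following is an added illustration, not CAS's own throttling code and not part of any message in this thread: a small model of a failure-rate throttle that shows why, with threshold=1 and rangeSeconds=3, a second failed attempt arriving within three seconds is rejected, and how keying on the client IP alone (the default Ray describes) differs from keying on IP plus username (his commented-out usernameParameter line). It models only the CAS-side throttle; a lockout enforced by the directory itself, which Ray suggests checking in the LDAP settings and logs, is a separate mechanism. The attempt timestamps, addresses and usernames are constructed.

```python
"""
Model of a failure-rate throttle of the kind the CAS settings
cas.authn.throttle.failure.threshold / rangeSeconds describe.
Added illustration only: CAS keeps this state in its own handlers,
and all sample data below is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Hashable, List, Optional, Tuple


@dataclass
class FailureRateThrottle:
    threshold: int          # modelled after cas.authn.throttle.failure.threshold
    range_seconds: float    # modelled after cas.authn.throttle.failure.rangeSeconds
    # timestamp of the last counted failure, per throttle key
    last_failure: Dict[Hashable, float] = field(default_factory=dict)

    @property
    def threshold_rate(self) -> float:
        """Allowed failure rate in failures per second: threshold / rangeSeconds."""
        return self.threshold / self.range_seconds

    def is_throttled(self, key: Hashable, now: float) -> bool:
        """Throttle when the rate implied by the gap since the last counted
        failure (1 / interval) exceeds the allowed rate."""
        last = self.last_failure.get(key)
        if last is None:
            return False
        interval = now - last
        if interval <= 0:
            return True  # two failures at the same instant: unbounded rate
        return (1.0 / interval) > self.threshold_rate

    def record_failure(self, key: Hashable, now: float) -> None:
        self.last_failure[key] = now


def throttle_key(ip: str, username: Optional[str], by_username: bool) -> Hashable:
    """Throttle key: client IP alone (the default), or IP plus username
    (the effect of setting a username parameter, as modelled here)."""
    return (ip, username) if by_username else ip


def simulate(attempts: List[Tuple[float, str, str]], threshold: int,
             range_seconds: float, by_username: bool) -> List[bool]:
    """Feed failed login attempts (time, ip, username) through the throttle
    and report, per attempt, whether the throttle rejected it. A rejected
    attempt never reaches the authentication handler, so in this model it
    does not move the failure clock."""
    throttle = FailureRateThrottle(threshold, range_seconds)
    decisions = []
    for when, ip, user in attempts:
        key = throttle_key(ip, user, by_username)
        blocked = throttle.is_throttled(key, when)
        decisions.append(blocked)
        if not blocked:
            throttle.record_failure(key, when)
    return decisions


# Constructed sample: one client address, two users, every attempt fails.
SAMPLE_FAILURES = [
    (0.0, "10.0.0.1", "alice"),
    (1.0, "10.0.0.1", "alice"),   # 1 s after alice's first failure
    (1.5, "10.0.0.1", "bob"),     # a different user from the same address
    (5.0, "10.0.0.1", "alice"),   # 5 s after alice's last counted failure
]

if __name__ == "__main__":
    # threshold=1, rangeSeconds=3 as quoted above: one failure per 3 s allowed
    for by_user in (False, True):
        print("keyed by", "ip+username" if by_user else "ip only",
              simulate(SAMPLE_FAILURES, 1, 3, by_user))
```

With IP-only keying, bob's attempt at 1.5 s is rejected because alice's failure 1.5 s earlier came from the same address; with IP+username keying it goes through. Either way alice's attempt at 1 s is rejected and her attempt at 5 s is not, which is the threshold=1 / rangeSeconds=3 rate at work.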


Re: [cas-user] Re: CAS OIDC 403 forbidden

2020-05-20 Thread Charl Thiem
Hi Jérôme

I've tried that too. Still no luck with CAS 6.1, 6.0 works fine

Regards / Groete
*Charl Thiem*
Senior Developer | +07 (0) 21 970 4000 | i...@opencollab.co.za |
www.opencollab.co.za | @opencollab



On Wed, May 20, 2020 at 3:55 PM Jérôme Steve  wrote:

> Hi charl,
>
> Did you try to add the scopes in your service configuration? Like this:
>
> "scopes" : [ "java.util.HashSet", [ "openid"] ]
>
>
>
> On Wed, 20 May 2020 at 12:35, Charl Thiem wrote:
>
>> Hi there
>>
>> I tried that too with no luck. I think there is a bug in spring's pac4j
>> or pac4j itself. I had some places in my debugger stack trace where I could
>> see it never passes a check that is expected to pass... Just my guess I'm
>> no pac4j expert :D
>>
>> I downgraded to 6.0.7 instead of 6.1.6 and it now works as expected with
>> the same configuration - for what that info is worth...
>>
>>
>> Regards / Groete
>> *Charl Thiem*
>> Senior Developer | +07 (0) 21 970 4000 | i...@opencollab.co.za |
>> www.opencollab.co.za | @opencollab
>>
>>
>>
>> On Wed, May 20, 2020 at 12:00 PM Gandhi 
>> wrote:
>>
>>> Hi, Can you try passing client_id and client_secret as params rather
>>> than Basic Auth?
>>>
>>> On Tuesday, May 19, 2020 at 3:14:01 PM UTC+5:30, Charl Thiem wrote:

 Hi

 I need some help with OpenID Connect setup.
 I have my CAS 6.1 instance configured with OIDC. I can authenticate my
 user with


 https://demo.domain.co.za/cas/oidc/authorize?response_type=code&scope=openid&client_id=client&redirect_uri=https%3A%2F%2Fthe-redirect

 Which then returns the "code"
 https://the-redirect-uri/?*code=OC-3-Er9FLXhPgI7MLBoqfo0-SC1DRMgezkh6*

 Then, when trying to get an authorization_code from it, I get a 403:

 curl --location --request POST 'https://demo.domain.co.za/cas/oidc/token' \
 --header 'Authorization: Basic Y2xpZW50OnNlY3JldA==' \
 --header 'Content-Type: application/x-www-form-urlencoded' \
 --data-urlencode 'code=OC-1-9RHILYUUElF6YCOeWqSnK0BxuK8l1-bf' \
 --data-urlencode 'grant_type=authorization_code' \
 --data-urlencode 'redirect_uri=https://the-redirect-uri'

 {"timestamp":"2020-05-19T09:33:21.868+","status":403,"error":"Forbidden","message":"No
 message available","path":"/cas/oidc/token"}

 (The Authorization header does seem to work. I have the clientId and
 client Secret in there. And if I change it I get a 401)

 I do not have any additional settings for OIDC in the CAS config, and I
 have a JSON service definition with the following:
 {
   "@class" : "org.apereo.cas.services.OidcRegisteredService",
   "clientId": "client",
   "clientSecret": "secret",
   "serviceId" : "https://the-redirect-uri",
   "name": "OIDC Test",
   "id": 60,
   "supportedResponseTypes":  [ "java.util.HashSet", [ "code" ] ],
   "supportedGrantTypes":  [ "java.util.HashSet", [ "authorization_code" ] ]
 }

 Any ideas what the issue with the 403 could be?


 I'm running in debug mode and also couldn't find any useful logging.
 This is the output during the request for the authorization_code:

 2020-05-19 11:38:52,750 DEBUG
 [org.apereo.cas.support.oauth.web.endpoints.OAuth20AuthorizeEndpointController]
 - >>> scopes [[openid]] for client id [client]>
 2020-05-19 11:38:52,751 DEBUG
 [org.apereo.cas.support.oauth.web.response.callback.OAuth20AuthorizationCodeAuthorizationResponseBuilder]
 - 
 2020-05-19 11:38:52,758 DEBUG
 [org.apereo.cas.ticket.registry.JpaTicketRegistry] - >>> [OC-1-ZUSkKuijTf-JvqqPijjsEaMrVxRSRPGb] to registry.>
 2020-05-19 11:38:52,783 DEBUG
 [org.apereo.cas.support.oauth.web.response.callback.OAuth20AuthorizationCodeAuthorizationResponseBuilder]
 - >>> https://the-redirect-uri]>
 2020-05-19 11:38:52,783 DEBUG
 [org.apereo.cas.support.oauth.web.response.callback.OAuth20AuthorizationCodeAuthorizationResponseBuilder]
 - >>> https://the-redirect-uri?code=OC-1-ZUSkKuijTf-JvqqPijjsEaMrVxRSRPGb&state=af0ifjsldkj
 ]>
 2020-05-19 11:38:52,786 DEBUG
 [org.apereo.cas.support.oauth.util.OAuth20Utils] - >>> [NONE]>
 2020-05-19 11:39:06,232 DEBUG
 [org.apereo.cas.support.oauth.authenticator.OAuth20ClientIdClientSecretAuthenticator]
 - >>> client | password: [PROTECTED] |]>
 2020-05-19 11:39:06,232 DEBUG
 [org.apereo.cas.support.oauth.authenticator.OAuth20ClientIdClientSecretAuthenticator]
 - 
 2020-05-19 11:39:06,245 INFO
 [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - >>> trail record BEGIN
 =
 WHO: audit:unknown
 WHAT: [result=Service Access Granted,service=https://the-redirect-uri
 ,requiredAttributes={}]
 ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
 APPLICATION: CAS
 WHEN: Tue May 19 11:39:06 SAST 2020
 CLIENT IP ADDRESS: 172.18.0.1
>>
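
The token exchange Charl describes above, as an added example that is not part of the original post and not CAS project code: it builds the authorization_code token request in the two client-authentication styles raised in the thread (the Authorization: Basic header the curl command uses, and client_id/client_secret as form parameters, which Gandhi suggested trying), extracts the code from the redirect the authorize endpoint produced, and decodes a Basic header to show what it carries. The endpoint, redirect URI and the client/secret pair are the placeholder values quoted in the post; nothing is sent over the network.

```python
"""
Added example: build (not send) an OIDC authorization_code token request
in both client-authentication styles discussed in the thread.
Endpoint, redirect URI and credentials are the placeholder values from
the post, not a real deployment.
"""
import base64
from typing import Dict, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

TOKEN_ENDPOINT = "https://demo.domain.co.za/cas/oidc/token"  # from the post
REDIRECT_URI = "https://the-redirect-uri"                     # from the post


def extract_code(redirect_url: str) -> str:
    """Take the authorization code out of the URL the authorize endpoint
    redirected to; refuse anything other than exactly one code parameter."""
    codes = parse_qs(urlparse(redirect_url).query).get("code", [])
    if len(codes) != 1:
        raise ValueError("redirect did not carry exactly one code parameter")
    return codes[0]


def build_token_request(code: str, client_id: str, client_secret: str,
                        client_auth: str = "basic",
                        redirect_uri: str = REDIRECT_URI) -> Tuple[Dict[str, str], str]:
    """Return (headers, urlencoded body) for the authorization_code grant.

    client_auth="basic": client credentials in an Authorization: Basic
    header, which is what the curl command in the post does.
    client_auth="post": client_id and client_secret as form fields.
    redirect_uri has to match the one sent on the authorize request."""
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_auth == "basic":
        raw = f"{client_id}:{client_secret}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode()
    elif client_auth == "post":
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    else:
        raise ValueError(f"unknown client_auth {client_auth!r}")
    return headers, urlencode(form)


def decode_basic(header_value: str) -> Tuple[str, str]:
    """Basic auth is base64, not encryption: whoever can read the header,
    or a curl command pasted into a mail, gets the client secret back."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    client_id, _, secret = base64.b64decode(token).decode().partition(":")
    return client_id, secret


def as_curl(headers: Dict[str, str], body: str, endpoint: str = TOKEN_ENDPOINT) -> str:
    """Render the request as a curl command line, for comparison with the post."""
    parts = [f"curl --request POST '{endpoint}'"]
    parts += [f"--header '{k}: {v}'" for k, v in headers.items()]
    parts.append(f"--data '{body}'")
    return " \\\n  ".join(parts)


if __name__ == "__main__":
    # Constructed values mirroring the post; nothing is sent anywhere.
    code = extract_code(REDIRECT_URI + "/?code=OC-3-Er9FLXhPgI7MLBoqfo0-SC1DRMgezkh6")
    for style in ("basic", "post"):
        headers, body = build_token_request(code, "client", "secret", style)
        print(f"# client_auth={style}\n{as_curl(headers, body)}\n")
    print("Basic header decodes to:", decode_basic("Basic Y2xpZW50OnNlY3JldA=="))
```

Running it shows that the header in the posted curl command, `Basic Y2xpZW50OnNlY3JldA==`, is exactly `client:secret` base64-encoded, so a client secret pasted in that form into a mailing list is disclosed in full; the "post" variant produces the same grant with the credentials moved into the form body, which is the shape Gandhi asked Charl to try.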

Re: [cas-user] Re: CAS OIDC 403 forbidden

2020-05-20 Thread Jérôme Steve
Hi charl,

Did you try to add the scopes in your service configuration? Like this:

"scopes" : [ "java.util.HashSet", [ "openid"] ]



On Wed, 20 May 2020 at 12:35, Charl Thiem wrote:

> Hi there
>
> I tried that too with no luck. I think there is a bug in spring's pac4j or
> pac4j itself. I had some places in my debugger stack trace where I could
> see it never passes a check that is expected to pass... Just my guess I'm
> no pac4j expert :D
>
> I downgraded to 6.0.7 instead of 6.1.6 and it now works as expected with
> the same configuration - for what that info is worth...
>
>
> Regards / Groete
> *Charl Thiem*
> Senior Developer | +07 (0) 21 970 4000 | i...@opencollab.co.za |
> www.opencollab.co.za | @opencollab
>
>
>
> On Wed, May 20, 2020 at 12:00 PM Gandhi  wrote:
>
>> Hi, Can you try passing client_id and client_secret as params rather than
>> Basic Auth?
>>
>> On Tuesday, May 19, 2020 at 3:14:01 PM UTC+5:30, Charl Thiem wrote:
>>>
>>> Hi
>>>
>>> I need some help with OpenID Connect setup.
>>> I have my CAS 6.1 instance configured with OIDC. I can authenticate my
>>> user with
>>>
>>>
>>> https://demo.domain.co.za/cas/oidc/authorize?response_type=code&scope=openid&client_id=client&redirect_uri=https%3A%2F%2Fthe-redirect
>>>
>>> Which then returns the "code"
>>> https://the-redirect-uri/?*code=OC-3-Er9FLXhPgI7MLBoqfo0-SC1DRMgezkh6*
>>>
>>> Then, when trying to get an authorization_code from it, I get a 403:
>>>
>>> curl --location --request POST 'https://demo.domain.co.za/cas/oidc/token' \
>>> --header 'Authorization: Basic Y2xpZW50OnNlY3JldA==' \
>>> --header 'Content-Type: application/x-www-form-urlencoded' \
>>> --data-urlencode 'code=OC-1-9RHILYUUElF6YCOeWqSnK0BxuK8l1-bf' \
>>> --data-urlencode 'grant_type=authorization_code' \
>>> --data-urlencode 'redirect_uri=https://the-redirect-uri'
>>>
>>> {"timestamp":"2020-05-19T09:33:21.868+","status":403,"error":"Forbidden","message":"No
>>> message available","path":"/cas/oidc/token"}
>>>
>>> (The Authorization header does seem to work. I have the clientId and
>>> client Secret in there. And if I change it I get a 401)
>>>
>>> I do not have any additional settings for OIDC in the CAS config, and I have
>>> a JSON service definition with the following:
>>> {
>>>   "@class" : "org.apereo.cas.services.OidcRegisteredService",
>>>   "clientId": "client",
>>>   "clientSecret": "secret",
>>>   "serviceId" : "https://the-redirect-uri",
>>>   "name": "OIDC Test",
>>>   "id": 60,
>>>   "supportedResponseTypes":  [ "java.util.HashSet", [ "code" ] ],
>>>   "supportedGrantTypes":  [ "java.util.HashSet", [ "authorization_code" ] ]
>>> }
>>>
>>> Any ideas what the issue with the 403 could be?
>>>
>>>
>>> I'm running in debug mode and also couldn't find any useful logging.
>>> This is the output during the request for the authorization_code.
>>>
>>> 2020-05-19 11:38:52,750 DEBUG
>>> [org.apereo.cas.support.oauth.web.endpoints.OAuth20AuthorizeEndpointController]
>>> - >> scopes [[openid]] for client id [client]>
>>> 2020-05-19 11:38:52,751 DEBUG
>>> [org.apereo.cas.support.oauth.web.response.callback.OAuth20AuthorizationCodeAuthorizationResponseBuilder]
>>> - 
>>> 2020-05-19 11:38:52,758 DEBUG
>>> [org.apereo.cas.ticket.registry.JpaTicketRegistry] - >> [OC-1-ZUSkKuijTf-JvqqPijjsEaMrVxRSRPGb] to registry.>
>>> 2020-05-19 11:38:52,783 DEBUG
>>> [org.apereo.cas.support.oauth.web.response.callback.OAuth20AuthorizationCodeAuthorizationResponseBuilder]
>>> - >> https://the-redirect-uri]>
>>> 2020-05-19 11:38:52,783 DEBUG
>>> [org.apereo.cas.support.oauth.web.response.callback.OAuth20AuthorizationCodeAuthorizationResponseBuilder]
>>> - >> https://the-redirect-uri?code=OC-1-ZUSkKuijTf-JvqqPijjsEaMrVxRSRPGb&state=af0ifjsldkj
>>> ]>
>>> 2020-05-19 11:38:52,786 DEBUG
>>> [org.apereo.cas.support.oauth.util.OAuth20Utils] - >> [NONE]>
>>> 2020-05-19 11:39:06,232 DEBUG
>>> [org.apereo.cas.support.oauth.authenticator.OAuth20ClientIdClientSecretAuthenticator]
>>> - >> client | password: [PROTECTED] |]>
>>> 2020-05-19 11:39:06,232 DEBUG
>>> [org.apereo.cas.support.oauth.authenticator.OAuth20ClientIdClientSecretAuthenticator]
>>> - 
>>> 2020-05-19 11:39:06,245 INFO
>>> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - >> trail record BEGIN
>>> =
>>> WHO: audit:unknown
>>> WHAT: [result=Service Access Granted,service=https://the-redirect-uri
>>> ,requiredAttributes={}]
>>> ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
>>> APPLICATION: CAS
>>> WHEN: Tue May 19 11:39:06 SAST 2020
>>> CLIENT IP ADDRESS: 172.18.0.1
>>> SERVER IP ADDRESS: 192.168.1.111
>>> =
>>>
>>> >
>>> 2020-05-19 11:39:06,245 DEBUG
>>> [org.apereo.cas.support.oauth.util.OAuth20Utils] - >> [OidcRegisteredService(super=OAuthRegisteredService(super=AbstractRegisteredService(serviceId=
>>> https://the-redirect-uri, name=OIDC Test, theme=null,
>>> informationUrl=null, privacyUrl=null,

Re: [cas-user] Account get locked in first failed login attempt

2020-05-20 Thread Vikash Chandra Ansh
I have tried all the possible ways, but could not reach a conclusion.
I have used the properties below.

#${configurationKey}.ldapUrl=ldaps://ldap1.example.edu
ldaps://ldap2.example.edu ldaps://ldap3.example.edu
ldaps://ldap4.example.edu

#${configurationKey}.bindDn=cn=Directory Manager,dc=example,dc=org
#${configurationKey}.bindCredential=Password
#${configurationKey}.poolPassivator=BIND
#${configurationKey}.connectionStrategy=
#${configurationKey}.providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
#${configurationKey}.connectTimeout=PT5S

#${configurationKey}.minPoolSize=3
#${configurationKey}.maxPoolSize=10
#${configurationKey}.validateOnCheckout=true
#${configurationKey}.validatePeriodically=true
#${configurationKey}.validatePeriod=PT5M
#${configurationKey}.validateTimeout=PT5S
#${configurationKey}.failFast=true
#${configurationKey}.idleTime=PT10M
#${configurationKey}.prunePeriod=PT2H
#${configurationKey}.blockWaitTime=PT3S
#${configurationKey}.useSsl=true
#${configurationKey}.useStartTls=false
#${configurationKey}.responseTimeout=PT5S
#${configurationKey}.allowMultipleDns=false
#${configurationKey}.allowMultipleEntries=false
#${configurationKey}.followReferrals=false
#${configurationKey}.binaryAttributes=objectGUID,someOtherAttribute


Kindly guide me what to do.
Thanks and regards

On Wed 13 May, 2020, 23:16 Ray Bon,  wrote:

> Vikash,
>
> See
> https://apereo.github.io/cas/6.1.x/installation/Configuring-Authentication-Throttling.html
> Also check your LDAP settings/logs to see if the issue is there.
>
> Ray
>
> On Wed, 2020-05-13 at 16:15 +0530, Vikash Chandra Ansh wrote:
>
> Hi all,
>
> I am getting an unusual behaviour. Currently I am using four LDAPs for
> authentication. If a user enters wrong credentials once, the
> account is locked.
> Kindly help me to resolve this.
>
> I have added authentication type as authenticated.
>
>
>



[cas-user] RE: Choosing the right version

2020-05-20 Thread spfma.tech
Thanks for your reply.

 

And what about backward compatibility?

Of course there is a link between OS distributions, Java versions, CAS and 
build tools, and if I can avoid using totally out-of-phase Java versions, I 
would be more than happy!

But is it safe to replace an old CAS version with a more recent one (after having 
modified the new templates and configuration files, of course)?

 

From: Root
Sent: Wednesday, 20 May 2020 12:49
To: CAS Community
Cc: spfma.t...@e.mail.fr
Subject: Re: Choosing the right version

Hi,

Yes, it's better to install the latest stable version. You can find the latest
releases here: https://github.com/apereo/cas/releases; as of now V6.1.6 would
be good for you.

Just avoid -RC versions.

On Wednesday, May 20, 2020 at 1:12:00 PM UTC+5:30, spfm...@e.mail.fr wrote:

Hi,

We are currently running CAS 5.1.9 on an old hardware which needs to be 
replaced.

Is it a good thing to use the latest version available, maybe to be more
“futureproof”, or should I install the same?

By the way, how can I know which version is the latest stable ?

Regards  

To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/02ac01d62e9f%243eb55fc0%24bc201f40%24%40e.mail.fr.


[cas-user] Re: Choosing the right version

2020-05-20 Thread Root

Hi,
Yes, it's better to install the latest stable version. You can find the latest
releases here: https://github.com/apereo/cas/releases; as of now V6.1.6
would be good for you.
Just avoid -RC versions.

On Wednesday, May 20, 2020 at 1:12:00 PM UTC+5:30, spfm...@e.mail.fr wrote:
>
> Hi,
>
> We are currently running CAS 5.1.9 on an old hardware which needs to be 
> replaced.
>
> Is it a good thing to use the latest version available, maybe to be more
> “futureproof”, or should I install the same?
>
> By the way, how can I know which version is the latest stable ?
>
> Regards  
>

To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/5085dc63-7f4f-461f-99bf-36f3a97fa31a%40apereo.org.


Re: [cas-user] Re: CAS OIDC 403 forbidden

2020-05-20 Thread Charl Thiem
Hi there

I tried that too with no luck. I think there is a bug in Spring's pac4j or
pac4j itself. I had some places in my debugger stack trace where I could
see it never passes a check that is expected to pass... Just my guess, I'm
no pac4j expert :D

I downgraded to 6.0.7 instead of 6.1.6 and it now works as expected with
the same configuration - for what that info is worth...


Regards / Groete
*Charl Thiem*
Senior Developer | +07 (0) 21 970 4000 | i...@opencollab.co.za |
www.opencollab.co.za | @opencollab



On Wed, May 20, 2020 at 12:00 PM Gandhi  wrote:

> Hi, Can you try passing client_id and client_secret as params rather than
> Basic Auth?
>
> On Tuesday, May 19, 2020 at 3:14:01 PM UTC+5:30, Charl Thiem wrote:
>>
>> Hi
>>
>> I need some help with OpenID Connect setup.
>> I have my CAS 6.1 instance configured with OIDC. I can authenticate my
>> user with
>>
>>
>> https://demo.domain.co.za/cas/oidc/authorize?response_type=code&scope=openid&client_id=client&redirect_uri=https%3A%2F%2Fthe-redirect
>>
>> Which then returns the "code"
>> https://the-redirect-uri/?code=OC-3-Er9FLXhPgI7MLBoqfo0-SC1DRMgezkh6
>>
>> Then when trying to get an authorization_code from it I get a 403
>>
>> curl --location --request POST 'https://demo.domain.co.za/cas/oidc/token' \
>> --header 'Authorization: Basic Y2xpZW50OnNlY3JldA==' \
>> --header 'Content-Type: application/x-www-form-urlencoded' \
>> --data-urlencode 'code=OC-1-9RHILYUUElF6YCOeWqSnK0BxuK8l1-bf' \
>> --data-urlencode 'grant_type=authorization_code' \
>> --data-urlencode 'redirect_uri=https://the-redirect-uri'
>>
>> {"timestamp":"2020-05-19T09:33:21.868+","status":403,"error":"Forbidden","message":"No
>> message available","path":"/cas/oidc/token"}
>>
>> (The Authorization header does seem to work. I have the clientId and
>> client Secret in there. And if I change it I get a 401)
>>
>> I do not have any additional settings for OIDC in cas config, and I have
>> json service definition with the following
>> {
>>   "@class" : "org.apereo.cas.services.OidcRegisteredService",
>>   "clientId": "client",
>>   "clientSecret": "secret",
>>   "serviceId" : "https://the-redirect-uri",
>>   "name": "OIDC Test",
>>   "id": 60,
>>   "supportedResponseTypes":  [ "java.util.HashSet", [ "code" ] ],
>>   "supportedGrantTypes":  [ "java.util.HashSet", [ "authorization_code" ] ]
>> }
>>
>> Any ideas what the issue with the 403 could be?
>>
>>
>> I'm running in debug mode and also couldn't find any useful logging..
>> This is the output during the request for the authorization_code.
>>
>> 2020-05-19 11:38:52,750 DEBUG
>> [org.apereo.cas.support.oauth.web.endpoints.OAuth20AuthorizeEndpointController]
>> - > scopes [[openid]] for client id [client]>
>> 2020-05-19 11:38:52,751 DEBUG
>> [org.apereo.cas.support.oauth.web.response.callback.OAuth20AuthorizationCodeAuthorizationResponseBuilder]
>> - 
>> 2020-05-19 11:38:52,758 DEBUG
>> [org.apereo.cas.ticket.registry.JpaTicketRegistry] - > [OC-1-ZUSkKuijTf-JvqqPijjsEaMrVxRSRPGb] to registry.>
>> 2020-05-19 11:38:52,783 DEBUG
>> [org.apereo.cas.support.oauth.web.response.callback.OAuth20AuthorizationCodeAuthorizationResponseBuilder]
>> - > https://the-redirect-uri]>
>> 2020-05-19 11:38:52,783 DEBUG
>> [org.apereo.cas.support.oauth.web.response.callback.OAuth20AuthorizationCodeAuthorizationResponseBuilder]
>> - > https://the-redirect-uri?code=OC-1-ZUSkKuijTf-JvqqPijjsEaMrVxRSRPGb&state=af0ifjsldkj
>> ]>
>> 2020-05-19 11:38:52,786 DEBUG
>> [org.apereo.cas.support.oauth.util.OAuth20Utils] - > [NONE]>
>> 2020-05-19 11:39:06,232 DEBUG
>> [org.apereo.cas.support.oauth.authenticator.OAuth20ClientIdClientSecretAuthenticator]
>> - > client | password: [PROTECTED] |]>
>> 2020-05-19 11:39:06,232 DEBUG
>> [org.apereo.cas.support.oauth.authenticator.OAuth20ClientIdClientSecretAuthenticator]
>> - 
>> 2020-05-19 11:39:06,245 INFO
>> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - > trail record BEGIN
>> =
>> WHO: audit:unknown
>> WHAT: [result=Service Access Granted,service=https://the-redirect-uri
>> ,requiredAttributes={}]
>> ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
>> APPLICATION: CAS
>> WHEN: Tue May 19 11:39:06 SAST 2020
>> CLIENT IP ADDRESS: 172.18.0.1
>> SERVER IP ADDRESS: 192.168.1.111
>> =
>>
>> >
>> 2020-05-19 11:39:06,245 DEBUG
>> [org.apereo.cas.support.oauth.util.OAuth20Utils] - > [OidcRegisteredService(super=OAuthRegisteredService(super=AbstractRegisteredService(serviceId=
>> https://the-redirect-uri, name=OIDC Test, theme=null,
>> informationUrl=null, privacyUrl=null, responseType=null, id=60,
>> description=null,
>> expirationPolicy=DefaultRegisteredServiceExpirationPolicy(deleteWhenExpired=false,
>> notifyWhenDeleted=false, notifyWhenExpired=false, expirationDate=null),
>> proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1,
>> proxyTicketExpirationPolicy=nul

Re: FW: [cas-user] Cas server not working with http

2020-05-20 Thread Gandhi
Hi, can you check the TGT cookie and check whether the 'secure' attribute is
true or false? If true, this cookie will not be sent with http requests.

On Wednesday, May 20, 2020 at 1:22:46 AM UTC+5:30, rbon wrote:
>
> Suhas,
>
> If it works with https, why do you want to enable the insecure http?
>
> Turn your logs up to debug and see why CAS is not processing app2 SSO.
>
> Ray
>
> On Mon, 2020-05-18 at 10:17 +0530, 'Suhas Bansude' via CAS Community wrote:
>
> Hello Sir,
>
> Not able to solve the problem. Verified all settings.
>
> Please check the attached cas properties file I am using.
>
> For the client I am using Spring Boot and the CAS client (Spring Boot settings).
>
> Please check the client settings below:
>
> App-1
>
> cas.server-url-prefix=http://localhost:8082/cas
> cas.server-login-url=http://localhost:8082/cas/login
> cas.client-host-url=http://localhost:8080
> cas.validation-type=CAS3
> cas.redirect-after-validation=true
> cas.use-session=false
> cas.authentication-url-patterns=/common/home
>
> App-2
>
> cas.server-url-prefix=http://localhost:8082/cas
> cas.server-login-url=http://localhost:8082/cas/login
> cas.client-host-url=http://localhost:8081
> cas.validation-type=CAS3
> cas.redirect-after-validation=true
> cas.use-session=false
> cas.authentication-url-patterns=/common/home
>
>
> From: cas-...@apereo.org [mailto:cas-...@apereo.org] On Behalf Of Root
> Sent: 16 May 2020 11:23 AM
> To: CAS Community
> Subject: Re: FW: [cas-user] Cas server not working with http
>
> Suhas,
>
> Do your App1 and App2 have identical settings? Check in the App2 settings
> whether any HTTPS is enforced! Also check the App2 log, if any, and you can
> also monitor the cas log while authenticating in App2 and see what error you
> get.
>
>
> On Wednesday, May 13, 2020 at 11:15:48 AM UTC+5:30, Suhas Bansude wrote:
>
> Hi..
>
> Please help me with this issue.
>
> I have 2 sites, /App1 and /App2. CAS was working without SSL in that it
> would take App1 to the login site and authenticate correctly. The issue was
> if you tried to access via another site (App2), it would ask you to sign in
> again.
>
> Once I enabled SSL and tried it, it was working correctly. Once logged
> into client App1, it would automatically authenticate you in client App2.
>
> Thanks
>
> Suhas Bansude
>
> From: Suhas Bansude [mailto:suh...@mkcl.org]
> Sent: 12 May 2020 11:04 AM
> To: 'cas-...@apereo.org'
> Subject: RE: [cas-user] Cas server not working with http
>
> Yes, already set this property:
>
> successfully disabled https with the property (server.ssl.enabled=false)
>
> My issue is:
>
> I have 2 sites, /App1 and /App2. CAS was working without SSL in that it
> would take App1 to the login site and authenticate correctly. The issue was
> if you tried to access via another site (App2), it would ask you to sign in
> again.
>
> Once I enabled SSL and tried it, it was working correctly. Once logged
> into client App1, it would automatically authenticate you in client App2.
>
> From: cas-...@apereo.org [mailto:cas-...@apereo.org] On Behalf Of Nguyen
> Tran Thanh Lam
> Sent: 12 May 2020 10:25 AM
> To: cas-...@apereo.org
> Subject: Re: [cas-user] Cas server not working with http
>
> Hi,
>
> Have you set this property to false?
>
> [image: image.png]
>
> BRs
>
> On Tue, 12 May 2020 at 11:37, 'Suhas Bansude' via CAS Community wrote:
>
>
> Hello Sir,
>
>  
>
> I have 2 cas clients(Spring Boot) which are working on 
> App1(localhost:8080) and App1(localhost:8081) both are running on http 
> port. My cas server is configured on localhost:8082 also running on http 
> port.
>
>  
>
> My issue is when I authenticate App1 I am not able to access App2 without 
> authentication. This issue is for only http.
>
>  
>
> For https cas server working fine.
>
>  
>
> Thanks
>
> Suhas Bansude
>
> -- 
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> --- 
> You received this message because you are subscribed to the Google Groups 
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to cas-...@apereo.org.
> To view this discussion on the web visit 
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/4b1214ab1d9810002989f3184fa5ff6d%40mail.gmail.com
>  
> 
> .
>
> -- 
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl
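Gandhi's point above is a cookie-scoping rule rather than a CAS defect: a cookie carrying the Secure attribute is only returned over https, so a ticket-granting cookie (TGC) set with Secure is never presented back to a plain-http CAS, and each client application then appears to need a fresh login. The following Python is an added example, not code from the thread or from CAS: it parses a Set-Cookie header of the shape CAS uses for its TGC (the sample headers and the ticket value are constructed placeholders) and applies the Secure and Path rules to a request URL, so the "works on https, not on http" symptom from the thread can be reproduced offline.

```python
from urllib.parse import urlsplit

# Constructed sample Set-Cookie headers in the shape CAS uses for its ticket-granting
# cookie (TGC). The ticket value is a placeholder, not a real ticket.
SECURE_TGC = "TGC=TGT-1-constructed-example; Path=/cas/; Secure; HttpOnly"
INSECURE_TGC = "TGC=TGT-1-constructed-example; Path=/cas/; HttpOnly"


def parse_set_cookie(header):
    """Parse a Set-Cookie header into the fields that decide whether it is sent back."""
    name_value, *attributes = [part.strip() for part in header.split(";")]
    name, _, value = name_value.partition("=")
    cookie = {"name": name, "value": value, "path": "/", "secure": False, "httponly": False}
    for attr in attributes:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key in ("secure", "httponly"):
            cookie[key] = True          # flag attributes carry no value
        elif key == "path":
            cookie["path"] = val.strip() or "/"
    return cookie


def _path_matches(cookie_path, request_path):
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def browser_would_send(cookie, request_url):
    """Would a browser attach this cookie to a request for request_url?

    Only the two rules relevant to the thread are modelled: the Secure flag
    (cookie travels only over https) and the Path attribute. Domain matching
    is left out because the thread keeps everything on localhost.
    """
    url = urlsplit(request_url)
    if cookie["secure"] and url.scheme != "https":
        return False
    return _path_matches(cookie["path"], url.path or "/")


def diagnose(set_cookie_header, request_url):
    """Human-readable verdict for a header/URL pair, e.g. copied from browser dev tools."""
    cookie = parse_set_cookie(set_cookie_header)
    sent = browser_would_send(cookie, request_url)
    flags = "Secure" if cookie["secure"] else "no Secure flag"
    verdict = "sent" if sent else "NOT sent"
    return f"{cookie['name']} ({flags}, Path={cookie['path']}) -> {request_url}: {verdict}"


if __name__ == "__main__":
    for header in (SECURE_TGC, INSECURE_TGC):
        for url in ("http://localhost:8082/cas/login", "https://localhost:8082/cas/login"):
            print(diagnose(header, url))
```

Paste the real Set-Cookie header from the browser's network tab into `diagnose()` together with the URL of the second login attempt; a verdict of "NOT sent" over http with a Secure-flagged TGC reproduces the thread's symptom exactly. The CAS property that governs the flag is, as far as I know, `cas.tgc.secure`; Ray's answer remains the better course, since clearing the flag only makes the cookie usable over a transport that exposes it.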

[cas-user] Re: CAS OIDC 403 forbidden

2020-05-20 Thread Gandhi
Hi, Can you try passing client_id and client_secret as params rather than 
Basic Auth?

On Tuesday, May 19, 2020 at 3:14:01 PM UTC+5:30, Charl Thiem wrote:
>
> Hi
>
> I need some help with OpenID Connect setup.
> I have my CAS 6.1 instance configured with OIDC. I can authenticate my 
> user with
>
>
> https://demo.domain.co.za/cas/oidc/authorize?response_type=code&scope=openid&client_id=client&redirect_uri=https%3A%2F%2Fthe-redirect
>
> Which then returns the "code"
> https://the-redirect-uri/?code=OC-3-Er9FLXhPgI7MLBoqfo0-SC1DRMgezkh6
>
> Then when trying to get an authorization_code from it I get a 403
>
> curl --location --request POST 'https://demo.domain.co.za/cas/oidc/token' \
> --header 'Authorization: Basic Y2xpZW50OnNlY3JldA==' \
> --header 'Content-Type: application/x-www-form-urlencoded' \
> --data-urlencode 'code=OC-1-9RHILYUUElF6YCOeWqSnK0BxuK8l1-bf' \
> --data-urlencode 'grant_type=authorization_code' \
> --data-urlencode 'redirect_uri=https://the-redirect-uri'
>
> {"timestamp":"2020-05-19T09:33:21.868+","status":403,"error":"Forbidden","message":"No
> message available","path":"/cas/oidc/token"}
>
> (The Authorization header does seem to work. I have the clientId and 
> client Secret in there. And if I change it I get a 401)
>
> I do not have any additional settings for OIDC in cas config, and I have 
> json service definition with the following
> {
>   "@class" : "org.apereo.cas.services.OidcRegisteredService",
>   "clientId": "client",
>   "clientSecret": "secret",
>   "serviceId" : "https://the-redirect-uri",
>   "name": "OIDC Test",
>   "id": 60,
>   "supportedResponseTypes":  [ "java.util.HashSet", [ "code" ] ],
>   "supportedGrantTypes":  [ "java.util.HashSet", [ "authorization_code" ] ]
> }
>
> Any ideas what the issue with the 403 could be? 
>
>
> I'm running in debug mode and also couldn't find any useful logging.. This 
> is the output during the request for the authorization_code.
>
> 2020-05-19 11:38:52,750 DEBUG 
> [org.apereo.cas.support.oauth.web.endpoints.OAuth20AuthorizeEndpointController]
>  
> -  scopes [[openid]] for client id [client]>
> 2020-05-19 11:38:52,751 DEBUG 
> [org.apereo.cas.support.oauth.web.response.callback.OAuth20AuthorizationCodeAuthorizationResponseBuilder]
>  
> - 
> 2020-05-19 11:38:52,758 DEBUG 
> [org.apereo.cas.ticket.registry.JpaTicketRegistry] -  [OC-1-ZUSkKuijTf-JvqqPijjsEaMrVxRSRPGb] to registry.>
> 2020-05-19 11:38:52,783 DEBUG 
> [org.apereo.cas.support.oauth.web.response.callback.OAuth20AuthorizationCodeAuthorizationResponseBuilder]
>  
> -  https://the-redirect-uri]>
> 2020-05-19 11:38:52,783 DEBUG 
> [org.apereo.cas.support.oauth.web.response.callback.OAuth20AuthorizationCodeAuthorizationResponseBuilder]
>  
> -  https://the-redirect-uri?code=OC-1-ZUSkKuijTf-JvqqPijjsEaMrVxRSRPGb&state=af0ifjsldkj
> ]>
> 2020-05-19 11:38:52,786 DEBUG 
> [org.apereo.cas.support.oauth.util.OAuth20Utils] -  [NONE]>
> 2020-05-19 11:39:06,232 DEBUG 
> [org.apereo.cas.support.oauth.authenticator.OAuth20ClientIdClientSecretAuthenticator]
>  
> -  client | password: [PROTECTED] |]>
> 2020-05-19 11:39:06,232 DEBUG 
> [org.apereo.cas.support.oauth.authenticator.OAuth20ClientIdClientSecretAuthenticator]
>  
> - 
> 2020-05-19 11:39:06,245 INFO 
> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -  trail record BEGIN
> =
> WHO: audit:unknown
> WHAT: [result=Service Access Granted,service=https://the-redirect-uri
> ,requiredAttributes={}]
> ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
> APPLICATION: CAS
> WHEN: Tue May 19 11:39:06 SAST 2020
> CLIENT IP ADDRESS: 172.18.0.1
> SERVER IP ADDRESS: 192.168.1.111
> =
>
> >
> 2020-05-19 11:39:06,245 DEBUG 
> [org.apereo.cas.support.oauth.util.OAuth20Utils] -  [OidcRegisteredService(super=OAuthRegisteredService(super=AbstractRegisteredService(serviceId=
> https://the-redirect-uri, name=OIDC Test, theme=null, 
> informationUrl=null, privacyUrl=null, responseType=null, id=60, 
> description=null, 
> expirationPolicy=DefaultRegisteredServiceExpirationPolicy(deleteWhenExpired=false,
>  
> notifyWhenDeleted=false, notifyWhenExpired=false, expirationDate=null), 
> proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1, 
> proxyTicketExpirationPolicy=null, serviceTicketExpirationPolicy=null, 
> singleSignOnParticipationPolicy=null, evaluationOrder=0, 
> usernameAttributeProvider=org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider@87297e2,
>  
> logoutType=BACK_CHANNEL, requiredHandlers=[], environments=[], 
> attributeReleasePolicy=ReturnAllowedAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null,
>  
> principalAttributesRepository=DefaultPrincipalAttributesRepository(), 
> consentPolicy=DefaultRegisteredServiceConsentPolicy(enabled=true, 
> excludedAttributes=null, includeOnlyAttributes=null, order=0), 
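Gandhi's suggestion above, and Charl's original curl command that it responds to, concern the two ways an OIDC client can prove its identity to the token endpoint: `client_secret_basic` (the `Authorization: Basic` header in the curl command) and `client_secret_post` (client_id and client_secret sent as form fields). The following Python is an added example, not code from the thread or from CAS. It builds both request shapes from the thread's client id and secret, decodes a captured Basic header so you can confirm what it actually carries, and checks that the `redirect_uri` sent to the token endpoint is byte-for-byte the one used at `/authorize`, which the authorization-code flow requires and which a token endpoint may refuse otherwise. The token endpoint URL is the one from the thread; the authorization code is a constructed placeholder, and whether a given CAS build accepts both methods is an assumption to verify against its documentation.

```python
import base64
from urllib.parse import parse_qs, urlencode, urlsplit

# Values taken from the thread; the authorization code is a constructed placeholder.
TOKEN_ENDPOINT = "https://demo.domain.co.za/cas/oidc/token"
CLIENT_ID = "client"
CLIENT_SECRET = "secret"
REDIRECT_URI = "https://the-redirect-uri"
AUTH_CODE = "OC-1-constructed-example-code"


def basic_auth_header(client_id, client_secret):
    """client_secret_basic: 'Basic ' + base64(client_id + ':' + client_secret)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic_auth(header_value):
    """Inverse of basic_auth_header: recover (client_id, secret) from a captured header."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme != "Basic":
        raise ValueError("not an HTTP Basic credential")
    client_id, sep, secret = base64.b64decode(b64).decode("utf-8").partition(":")
    if not sep:
        raise ValueError("Basic credential lacks the ':' separator")
    return client_id, secret


def token_request(client_id, client_secret, code, redirect_uri, method="client_secret_basic"):
    """Build (headers, form_body) for the authorization_code grant.

    method selects how the client authenticates to the token endpoint:
      client_secret_basic -> Authorization header, nothing client-related in the body
      client_secret_post  -> client_id/client_secret as form fields, no Authorization header
    """
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "client_secret_basic":
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    elif method == "client_secret_post":
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    else:
        raise ValueError(f"unsupported client authentication method: {method}")
    return headers, urlencode(form)


def redirect_uri_matches(authorize_url, token_redirect_uri):
    """True when the redirect_uri sent to /authorize equals the one sent to /token."""
    query = parse_qs(urlsplit(authorize_url).query)
    sent = query.get("redirect_uri", [None])[0]
    return sent == token_redirect_uri


if __name__ == "__main__":
    for method in ("client_secret_basic", "client_secret_post"):
        headers, body = token_request(CLIENT_ID, CLIENT_SECRET, AUTH_CODE, REDIRECT_URI, method)
        print(f"POST {TOKEN_ENDPOINT}  [{method}]")
        for name, value in headers.items():
            print(f"  {name}: {value}")
        print(f"  body: {body}\n")
    print("Basic header from the thread decodes to:", decode_basic_auth("Basic Y2xpZW50OnNlY3JldA=="))
```

The functions return the headers and body instead of sending anything, so the output can be compared line by line with what `curl -v` actually emits. One thing worth checking with `redirect_uri_matches()`: the authorize URL quoted in the thread ends in `redirect_uri=https%3A%2F%2Fthe-redirect`, while the token request sends `https://the-redirect-uri`; if that is not merely truncation in the mail, the mismatch alone is sufficient grounds for the token endpoint to refuse the exchange, independently of how the client authenticates.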

[cas-user] Choosing the right version

2020-05-20 Thread spfma.tech
Hi,

We are currently running CAS 5.1.9 on an old hardware which needs to be
replaced.

Is it a good thing to use the latest version available, maybe to be more
"futureproof", or should I install the same?

By the way, how can I know which version is the latest stable ?

Regards  

To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/024b01d62e7a%2421bb0200%2465310600%24%40e.mail.fr.