[cas-user] Re: pac4j Google2Client auth delegation: How to unauthorize a profile?

2018-01-25 Thread Oscar del Pozo
Hi Francis,

> Modify the webflow by adding a new 
> TransitionExecutingFlowExecutionExceptionHandler or adding a 
> new TransitionSet catching the error into clientAction.


That's exactly what I have done right now and it's working. Thanks for your 
answer! 


[cas-user] Re: pac4j Google2Client auth delegation: How to unauthorize a profile?

2018-01-25 Thread Francis
The error 'map[[empty]]' comes from the fact that the webflow from pac4j 
doesn't correctly catch the error sent by AbstractPac4jAuthenticationHandler.

From my point of view the solution would be to modify the webflow in order 
to "accept" your exception and to redirect to a new action you have 
defined.

Two solutions: you can override org.apereo.cas.web.flow.Pac4jWebflowConfigurer 
(faster) or extend the webflow via a new configuration of your own (nicer).
Modify the webflow by adding a new 
TransitionExecutingFlowExecutionExceptionHandler or adding a 
new TransitionSet catching the error into clientAction.

See some examples 
in org.apereo.cas.web.flow.configurer.DefaultWebflowConfigurer.

See as well https://github.com/apereo/cas/pull/3138, which shows how the 
webflow can be modified in the case of pac4j.

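Francis's two options written out as a CAS 5.2 webflow configurer. This is an added example for this page, not code from CAS, pac4j or anyone in the thread. It assumes the CAS 5.2 four-argument AbstractCasWebflowConfigurer constructor and its helpers getLoginFlow, getState, createViewState and createTransitionForState, plus the CasWebflowConstants names as they exist in 5.2; the state id delegatedAuthnRejected and the view name casDelegatedAuthnRejectedView are hypothetical and the view has to be supplied as a template. The state name clientAction and the AuthenticationException type are the ones visible in the posted log.

```java
package com.example.cas.web.flow; // hypothetical package, not part of CAS

import org.apereo.cas.authentication.AuthenticationException;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.web.flow.CasWebflowConstants;
import org.apereo.cas.web.flow.configurer.AbstractCasWebflowConfigurer;
import org.springframework.context.ApplicationContext;
import org.springframework.webflow.definition.registry.FlowDefinitionRegistry;
import org.springframework.webflow.engine.ActionState;
import org.springframework.webflow.engine.Flow;
import org.springframework.webflow.engine.ViewState;
import org.springframework.webflow.engine.builder.support.FlowBuilderServices;
import org.springframework.webflow.engine.support.TransitionExecutingFlowExecutionExceptionHandler;

/**
 * Extends the CAS login flow so that a delegated-authentication failure
 * (the AuthenticationException escaping from the 'clientAction' state)
 * lands on a dedicated view instead of the generic CAS error page.
 */
public class DelegatedAuthnFailureWebflowConfigurer extends AbstractCasWebflowConfigurer {

    /** State id of the pac4j action, as named in the posted stack trace. */
    static final String STATE_ID_CLIENT_ACTION = "clientAction";
    /** Hypothetical ids: the state we add and the view it renders. */
    static final String STATE_ID_DELEGATED_AUTHN_REJECTED = "delegatedAuthnRejected";
    static final String VIEW_ID_DELEGATED_AUTHN_REJECTED = "casDelegatedAuthnRejectedView";

    public DelegatedAuthnFailureWebflowConfigurer(final FlowBuilderServices flowBuilderServices,
                                                   final FlowDefinitionRegistry loginFlowDefinitionRegistry,
                                                   final ApplicationContext applicationContext,
                                                   final CasConfigurationProperties casProperties) {
        // Assumed CAS 5.2 constructor signature.
        super(flowBuilderServices, loginFlowDefinitionRegistry, applicationContext, casProperties);
    }

    @Override
    protected void doInitialize() {
        final Flow flow = getLoginFlow();
        // Only act when delegated authentication is actually wired into this login flow.
        if (flow == null || !flow.containsState(STATE_ID_CLIENT_ACTION)) {
            return;
        }

        // The state users land on when their delegated profile is rejected.
        final ViewState rejected = createViewState(flow,
            STATE_ID_DELEGATED_AUTHN_REJECTED, VIEW_ID_DELEGATED_AUTHN_REJECTED);
        // Let the user start over from the login form.
        createTransitionForState(rejected, CasWebflowConstants.TRANSITION_ID_PROCEED,
            CasWebflowConstants.STATE_ID_INIT_LOGIN_FORM);

        // Option 1: a flow-level exception handler. This covers the case in the
        // posted log, where the AuthenticationException propagates out of
        // DelegatedClientAuthenticationAction ("Exception thrown executing ...
        // in state 'clientAction'") and reaches ErrorPageFilter.
        final TransitionExecutingFlowExecutionExceptionHandler handler =
            new TransitionExecutingFlowExecutionExceptionHandler();
        handler.add(AuthenticationException.class, STATE_ID_DELEGATED_AUTHN_REJECTED);
        flow.getExceptionHandlerSet().add(handler);

        // Option 2: a transition on clientAction itself, for the case where the
        // action reports the failure as an event instead of throwing.
        final ActionState clientAction = getState(flow, STATE_ID_CLIENT_ACTION, ActionState.class);
        createTransitionForState(clientAction,
            CasWebflowConstants.TRANSITION_ID_AUTHENTICATION_FAILURE,
            STATE_ID_DELEGATED_AUTHN_REJECTED);
    }
}
```

The class still has to be exposed as a CasWebflowConfigurer bean from a CAS configuration class, following the guide Oscar links in his reply (https://apereo.github.io/2016/10/07/webflow-extcfg/). Catching the exception in the flow changes only what the user sees; as the posted audit record shows, the inspektr trail in this version still logs the failed delegated login as AUTHENTICATION_SUCCESS, so detection rules should not key on that field alone until the linked inspektr fix is in.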

[cas-user] Re: pac4j Google2Client auth delegation: How to unauthorize a profile?

2018-01-24 Thread Oscar del Pozo
Hi Martin,

Thanks for your response. Sadly, I think that the result of implementing a 
custom Authentication Handler would be the same as what I have now, a 
redirection to the CAS error page, since with my current implementation I'm 
throwing a FailedLoginException, which is exactly what you're 
doing.

So, I think that my question is not the correct one. I guess what I need is 
to modify the login-webflow to define what to do when an authentication 
failure happens. I'll follow the 
guide https://apereo.github.io/2016/10/07/webflow-extcfg/ to try to do it.

Regards




[cas-user] Re: pac4j Google2Client auth delegation: How to unauthorize a profile?

2018-01-23 Thread Martin Bohun
Hello Oscar,

This is an example of one possible solution:
Our cas project (based on cas-4.0.x) uses Delegated Authentication 
(Facebook/Google/Twitter) to perform "one click" SignUp/SignIn.
We use a custom auth handler that uses the attributes (email, first_name, 
surname) returned by Facebook/Google/Twitter to either:
a) SignIn the user if a user with that email already exists in the system, OR
b) SignUp: create the user in our system, and proceed to SignIn

So at that point in the code where we are receiving/processing the email 
address returned by Facebook/Google/Twitter:
https://github.com/AtlasOfLivingAustralia/ala-cas-2.0/blob/master/src/main/java/org/jasig/cas/support/pac4j/authentication/handler/support/ALAClientAuthenticationHandler.java#L121

one could do the type of filtering you want:
a) hardcode it there
b) externalize the email validation/check regexp into some 
properties/config file so 
c) fast/phugly/hack do the filtering in your LDAP, SQL query,
etc.

regards,

martin

On Wednesday, January 24, 2018 at 2:10:34 AM UTC+11, Oscar del Pozo wrote:
>
> Hi!
>
> I'm migrating from CAS 4.0.5 to 5.2.1 and everything has gone perfectly, but 
> I'm facing a problem with the Google OAuth authentication.
>
> I have configured delegated authentication to Google with pac4j 
> successfully, but I need to make a modification: only allow the emails which 
> end with @companyname.com (I do agree that 
> this kind of thing should not be done at CAS, because this is about 
> authorization and not authentication, but I have to).
>
> I have added a new AuthorizationGenerator to the Google2Client instance 
> so, after retrieving the user profile with the Google2ProfileDefinition 
> class, I make my validation and, in case the user email is not a 
> valid one, I set the profile identifier to blank. The blank 
> identifier causes a FailedLoginException at 
> AbstractPac4jAuthenticationHandler.
>
> Everything seems to work fine but finally I get the following exception 
> and the CAS error page is shown.
>  
>
> 2018-01-23 15:58:48,581 DEBUG 
>> [org.pac4j.oauth.profile.creator.OAuth20ProfileCreator] - > access_token: ya29.Glx... to profile>
>> 2018-01-23 15:58:48,581 DEBUG 
>> [org.pac4j.oauth.profile.google2.Google2Profile] -  key: 
>> access_token / value:XXX-XXX / class java.lang.String>
>> 2018-01-23 15:58:48,581 DEBUG [org.pac4j.oauth.client.Google2Client] - 
>> > {name.familyName=del Pozo, 
>> emails=[org.pac4j.oauth.profile.google2.Google2Email@64f6a901], 
>> access_token=..., gender=MALE, displayName=Oscar del Pozo, 
>> name.givenName=Oscar, ... |>
>> 2018-01-23 15:58:49,599 WARN 
>> [org.apereo.cas.support.pac4j.oauth.MyProfileAuthorizationGenerator] 
>> - 
>> 2018-01-23 15:58:49,599 DEBUG 
>> [org.pac4j.oauth.profile.google2.Google2Profile] 
>> - 
>> 2018-01-23 15:58:51,789 ERROR 
>> [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
>> > authentication handler that supports 
>> [org.apereo.cas.authentication.principal.ClientCredential@2f8fc6b0[id=]]
>>  
>> of type [ClientCredential].>
>> 2018-01-23 15:58:53,216 INFO 
>> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - > trail record BEGIN
>> =
>> WHO: null
>> WHAT: Supplied credentials: 
>> [org.apereo.cas.authentication.principal.ClientCredential@2f8fc6b0[id=]]
>> ACTION: AUTHENTICATION_SUCCESS   (This is a reported bug, the 
>> authentication has actually failed: 
>> https://github.com/apereo/inspektr/pull/10)
>> APPLICATION: CAS
>> WHEN: Tue Jan 23 15:58:53 CET 2018
>> CLIENT IP ADDRESS: 192.168.56.1
>> SERVER IP ADDRESS: 192.168.56.1
>> =
>> >
>> 2018-01-23 15:58:53,247 ERROR 
>> [org.springframework.boot.web.support.ErrorPageFilter] - > error page from request [/login] due to exception [Exception thrown 
>> executing 
>> org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationAction@848f27e
>>  
>> in state 'clientAction' of flow 'login' -- action execution attributes were 
>> 'map[[empty]]']>
>
> at 
>> org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:60)
>>  
>> ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>> at 
>> org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:77)
>>  
>> ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>> at 
>> org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
>>  
>> ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE] 
>> [...]
>> Caused by: org.apereo.cas.authentication.AuthenticationException: 1 
>> errors, 0 successes
>> at 
>> org.apereo.cas.authentication.PolicyBasedAuthenticationManager.evaluateFinalAuthentication(PolicyBasedAuthenticationManager.java:400)
>>  
>> ~[cas-server-core-authentication-5.2.1.jar:5.2.1]
>> at 
>>
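The domain check from the original post, combined with Martin's option (b) of keeping the allowed domains in configuration rather than hard-coding them. This is an added example written for this page, not code from the thread, from CAS or from pac4j. It assumes the pac4j 2.x AuthorizationGenerator signature (U generate(WebContext, U)) that CAS 5.2 uses, that Google2Profile.getEmail() returns the primary address Google returned, and that the Google2Client instance is reachable for wiring; the class name and the googleClient variable are hypothetical. Rejection uses the same trick as the original post: a blank profile id, which AbstractPac4jAuthenticationHandler turns into a FailedLoginException.

```java
package com.example.cas.pac4j; // hypothetical package, not part of CAS or pac4j

import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import org.pac4j.core.authorization.generator.AuthorizationGenerator;
import org.pac4j.core.context.WebContext;
import org.pac4j.oauth.profile.google2.Google2Profile;

/**
 * Rejects delegated Google profiles whose e-mail domain is not on an allowlist.
 * The allowlist is injected, so it can come from a CAS property instead of code.
 */
public class AllowedEmailDomainAuthorizationGenerator implements AuthorizationGenerator<Google2Profile> {

    /** Allowed domains, normalised to lower case, without the '@'. */
    private final Set<String> allowedDomains;

    public AllowedEmailDomainAuthorizationGenerator(final Set<String> allowedDomains) {
        final Set<String> normalised = new HashSet<>();
        for (final String d : allowedDomains) {
            normalised.add(d.trim().toLowerCase(Locale.ROOT));
        }
        this.allowedDomains = Collections.unmodifiableSet(normalised);
    }

    /**
     * Compares the part after the last '@' against the allowlist as a whole
     * domain. A bare endsWith("companyname.com") would also accept
     * "evilcompanyname.com"; matching the complete domain avoids that.
     */
    static boolean isAllowed(final String email, final Set<String> allowedDomains) {
        if (email == null) {
            return false;
        }
        final int at = email.lastIndexOf('@');
        if (at <= 0 || at == email.length() - 1) {
            return false;
        }
        final String domain = email.substring(at + 1).trim().toLowerCase(Locale.ROOT);
        return allowedDomains.contains(domain);
    }

    @Override
    public Google2Profile generate(final WebContext context, final Google2Profile profile) {
        // Assumption: getEmail() is the primary address from the Google profile.
        if (!isAllowed(profile.getEmail(), allowedDomains)) {
            // Blank id: AbstractPac4jAuthenticationHandler raises FailedLoginException
            // for this credential, exactly as described in the original post.
            profile.setId("");
        }
        return profile;
    }

    // Wiring on the Google2Client that CAS builds (hypothetical variable name):
    //   googleClient.addAuthorizationGenerator(
    //       new AllowedEmailDomainAuthorizationGenerator(
    //           Collections.singleton("companyname.com")));
}
```

The check runs on the profile Google returned to the server, never on anything the browser submitted, and the comparison is case-insensitive on the full domain. Until the webflow is taught to handle the resulting AuthenticationException, a rejected user still ends up on the generic CAS error page, and, as the posted audit record shows, the failure is recorded as AUTHENTICATION_SUCCESS in this CAS version; the inspektr pull request linked in the original post tracks that.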