Hi,

Thank you for the quick response. We will try with version 5.3.x.

By the way, in our case the access token has to be sent as a header. We see that 
pac4j v2.x already allows choosing this option:

    @Override
    protected void signRequest(final OAuth2AccessToken accessToken, final OAuthRequest request) {
        this.configuration.getService().signRequest(accessToken, request);
        // tokenAsHeader selects the "Authorization: Bearer <token>" header
        if (this.configuration.isTokenAsHeader()) {
            request.addHeader(HttpConstants.AUTHORIZATION_HEADER,
                HttpConstants.BEARER_HEADER_PREFIX + accessToken.getAccessToken());
        }
        if (Verb.POST.equals(request.getVerb())) {
            request.addParameter(OAuthConfiguration.OAUTH_TOKEN, accessToken.getAccessToken());
        }
    }

Is it possible to configure this in the CAS properties or elsewhere? Right 
now we are modifying the code too :-(

Regards,
David.

On Thursday, 8 November 2018, 15:09:24 (UTC+1), leleuj wrote:
>
> Hi,
>
> Since pac4j v3.2, you can set the element to use as the identifier: 
> http://www.pac4j.org/docs/release-notes.html
>
> Unfortunately, CAS v5.2.2 is still based on pac4j v2.x. So the right 
> version to use would be version 5.3.x, given that the profileId could be 
> set by properties (it's an easy improvement though).
>
> Thanks.
> Best regards,
> Jérôme
>
>
> On Thu, Nov 8, 2018 at 2:18 PM David Oteo <dot...@gmail.com> wrote:
>
>> Hello,
>>
>> We successfully configured CAS 5.2.2 to delegate authentication to an 
>> external provider through generic OAuth2 properties:
>>
>> #(Optional) Friendly name for OAuth 2 provider, e.g. "This Organization" 
>> or "That Organization"
>> cas.authn.pac4j.oauth2[0].clientName=Giltza Oauth 2
>> cas.authn.pac4j.oauth2[0].id=xxx
>> cas.authn.pac4j.oauth2[0].secret=xxx
>> cas.authn.pac4j.oauth2[0].authUrl=https://eidasdes.izenpe.com:8082/trustedx-authserver/izenpe/oauth
>> cas.authn.pac4j.oauth2[0].tokenUrl=https://eidasdes.izenpe.com:8082/trustedx-authserver/izenpe/oauth/token
>> cas.authn.pac4j.oauth2[0].profileUrl=https://eidasdes.izenpe.com:8082/trustedx-resources/openid/v1/users/me
>> cas.authn.pac4j.oauth2[0].profileVerb=GET
>> #cas.authn.pac4j.oauth2[0].profilePath=
>>
>> cas.authn.pac4j.oauth2[0].customParams.client_id=xxx
>> cas.authn.pac4j.oauth2[0].customParams.response_type=code
>> cas.authn.pac4j.oauth2[0].customParams.state=123456
>>
>> cas.authn.pac4j.oauth2[0].customParams.acr_values=urn:safelayer:tws:policies:authentication:flow:bakq|urn:safelayer:tws:policies:authentication:flow:cert
>> cas.authn.pac4j.oauth2[0].customParams.scope=urn:izenpe:identity:global
>>
>> cas.authn.pac4j.oauth2[0].profileAttrs.name=name
>> cas.authn.pac4j.oauth2[0].profileAttrs.surname1=surname1
>> cas.authn.pac4j.oauth2[0].profileAttrs.surname2=surname2
>> ...
>>
>> If we don't do anything else, the following error occurs:
>>
>> [8/11/18 13:28:57:621 CET] 000000d3 SystemOut     O 2018-11-08 
>> 13:28:57,611 DEBUG [org.pac4j.oauth.client.GenericOAuth20Client] - 
>> <profile: #OAuth20Profile# | id: null | attributes: 
>> {sub=978fa4ff4ea06ca1d39f35eb728b5a7e, cif=Q3890349H, country=ES, 
>> birthdate=EMPTY, key_usage=EMPTY, subject=SERIALNUMBER=99999988J, 
>> OID.2.5.4.4=#0C08464943544943494F, OID.2.5.4.42=#0C07434F5250524543, 
>> CN=CORPREC FICTICIO ACTIVO, 
>> OID.2.5.4.46=#131D2D646E692039393939393938384A202D63696620513338393033343948,
>> OU=Condiciones de uso en www.izenpe.com nola erabili jakiteko, 
>> OU=Ziurtagiri korporatibo onartua - Cert. corporativo reconocido, O=IZENPE, 
>> C=ES, not_before=2017-03-16T12:15:29Z, tsl=S, issuer=CN=CA personal de AAPP 
>> vascas (2) - DESARROLLO, OU=AZZ Ziurtagiri publikoa - Certificado publico 
>> SCA, O=IZENPE S.A., C=ES, 
>> acr=urn:safelayer:tws:policies:authentication:flow:cert, surname1=FICTICIO, 
>> surname2=ACTIVO, email=EMPTY, dni=99999988J, tipoAfirma=0, 
>> firmaCualificada=S, naturalPersonSemanticsIdentifier=IDCES-99999988J, 
>> legalPersonSemanticsIdentifier=VATES-Q3890349H, serial_number=C6o=, 
>> given_name=CORPREC, pais=ES, not_after=2021-03-16T12:15:29Z, 
>> access_token=fc6ccaad705c4363cce28d89b7a3fd45897400c6134afd3c18d2d7a8bc8261a2,
>> register_type=1, policy_identifier=1.3.6.1.4.1.14777.104.2, 
>> person_status=PF, domain=izenpe, organization=EMPTY, name=CORPREC FICTICIO 
>> ACTIVO, family_name=FICTICIO ACTIVO} | roles: [] | permissions: [] | 
>> isRemembered: false | clientName: null | linkedId: null |>
>> [8/11/18 13:28:57:621 CET] 000000d3 SystemOut     O 2018-11-08 
>> 13:28:57,611 ERROR 
>> [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
>> <Authentication has failed. Credentials may be incorrect or CAS cannot find 
>> authentication handler that supports 
>> [org.apereo.cas.authentication.principal.ClientCredential@2cf6f06a[id=<null>]]
>> of type [ClientCredential].>
>> [8/11/18 13:28:57:621 CET] 000000d3 SystemOut     O 2018-11-08 
>> 13:28:57,616 INFO 
>> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit 
>> trail record BEGIN
>> =============================================================
>> WHO: null
>> WHAT: Supplied credentials: 
>> [org.apereo.cas.authentication.principal.ClientCredential@2cf6f06a[id=<null>]]
>> ACTION: AUTHENTICATION_SUCCESS
>> APPLICATION: CAS
>> WHEN: Thu Nov 08 13:28:57 CET 2018
>> CLIENT IP ADDRESS: 127.0.0.1
>> SERVER IP ADDRESS: 127.0.0.1
>> =============================================================
>> [8/11/18 13:28:57:629 CET] 000000d3 SystemOut     O 2018-11-08 
>> 13:28:57,628 ERROR [com.ibm.ws.webcontainer.servlet.ServletWrapper] - 
>> <SRVE0014E: Uncaught service() exception root cause dispatcherServlet: 
>> org.springframework.web.util.NestedServletException: Request processing 
>> failed; nested exception is 
>> org.springframework.webflow.execution.ActionExecutionException: Exception 
>> thrown executing 
>> org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationAction@f990386
>> in state 'clientAction' of flow 'login' -- action execution attributes were 
>> 'map[[empty]]'
>>
>> In order to solve the problem we modified the class 
>> GenericOAuth20ProfileDefinition.java of pac4j-oauth-2.3.1.jar. We just set 
>> an id for the profile.
>>
>>     @Override
>>     public OAuth20Profile extractUserProfile(String body) throws HttpAction {
>>         final OAuth20Profile profile = new OAuth20Profile();
>>         final JsonNode json = JsonHelper.getFirstNode(body, getFirstNodePath());
>>
>>         if (json != null) {
>>
>>             // added line: set the profile id from the "name" element
>>             profile.setId(JsonHelper.getElement(json, "name"));
>>
>>             for (final String attribute : getPrimaryAttributes()) {
>>                 convertAndAdd(profile, attribute, JsonHelper.getElement(json, attribute));
>>             }
>>             for (final String attribute : getSecondaryAttributes()) {
>>                 convertAndAdd(profile, attribute, JsonHelper.getElement(json, attribute));
>>             }
>>             for (final Map.Entry<String, String> entry : getProfileAttributes().entrySet()) {
>>                 final String key = entry.getKey();
>>                 final String value = entry.getValue();
>>                 convertAndAdd(profile, key, JsonHelper.getElement(json, value));
>>             }
>>
>>         }
>>         return profile;
>>     }
>>
>> We think this is very ugly. Is there any other way to solve this problem 
>> without modifying pac4j source code?
>>
>> Thank you so much!
>>
>> -- 
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> --- 
>> You received this message because you are subscribed to the Google Groups 
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to cas-user+u...@apereo.org.
>> To view this discussion on the web visit 
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/04383633-87ab-46ec-abda-70daee84928c%40apereo.org
>>
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/7ac25696-ecd8-4909-8551-1b291ed47783%40apereo.org.
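As an added example (not part of this thread, and not code from the pac4j or CAS projects), the Java below shows how both customisations asked about here can be done at application level without patching pac4j-oauth-2.3.1.jar: a profile definition that wraps the stock GenericOAuth20ProfileDefinition, sets the profile id from a chosen JSON element and rejects responses that lack it, plus a GenericOAuth20Client subclass that installs that definition and switches the client to tokenAsHeader. It relies on the pac4j 2.x / scribejava types visible in the posted code (GenericOAuth20Client, GenericOAuth20ProfileDefinition, JsonHelper, OAuth20Profile, HttpAction, the configuration's isTokenAsHeader/setTokenAsHeader); the class names, the "sub" default, the clientInit(WebContext) hook (pac4j 2.x; 3.x uses clientInit() with no argument) and the sample JSON bodies in main are assumptions made for illustration, not documented pac4j or CAS API.

```java
// IzenpeDelegationExample.java: added example, not CAS or pac4j project code.
// Assumptions: pac4j 2.x and scribejava types as used in the posted code; the class
// names, the "sub" default and the JSON bodies in main are invented for illustration.
import java.util.Collections;

import com.fasterxml.jackson.databind.JsonNode;
import com.github.scribejava.core.model.OAuth2AccessToken;
import com.github.scribejava.core.model.Verb;
import org.pac4j.core.context.WebContext;
import org.pac4j.core.exception.HttpAction;
import org.pac4j.core.exception.TechnicalException;
import org.pac4j.core.util.CommonHelper;
import org.pac4j.oauth.client.GenericOAuth20Client;
import org.pac4j.oauth.config.OAuth20Configuration;
import org.pac4j.oauth.profile.JsonHelper;
import org.pac4j.oauth.profile.OAuth20Profile;
import org.pac4j.oauth.profile.generic.GenericOAuth20ProfileDefinition;

public class IzenpeDelegationExample {

    /** Wraps the stock definition; only the identifier step is new, URL/verb/attributes are delegated. */
    public static class IdentifiedProfileDefinition extends GenericOAuth20ProfileDefinition {
        private final GenericOAuth20ProfileDefinition stock;
        private final String idAttribute;

        public IdentifiedProfileDefinition(final GenericOAuth20ProfileDefinition stock, final String idAttribute) {
            CommonHelper.assertNotNull("stock", stock);
            CommonHelper.assertNotBlank("idAttribute", idAttribute);
            this.stock = stock;
            this.idAttribute = idAttribute;
        }

        @Override
        public String getProfileUrl(final OAuth2AccessToken token, final OAuth20Configuration configuration) {
            return stock.getProfileUrl(token, configuration);
        }

        @Override
        public Verb getProfileVerb() {
            return stock.getProfileVerb();
        }

        @Override
        public OAuth20Profile extractUserProfile(final String body) throws HttpAction {
            // The configured profileAttrs are converted exactly as before.
            final OAuth20Profile profile = stock.extractUserProfile(body);
            final JsonNode json = JsonHelper.getFirstNode(body, stock.getFirstNodePath());
            final Object id = (json == null) ? null : JsonHelper.getElement(json, idAttribute);
            // Fail closed: a profile without an identifier must not become a CAS credential.
            if (id == null || id.toString().trim().isEmpty()) {
                throw new TechnicalException("profile response carries no usable '" + idAttribute + "' element");
            }
            profile.setId(id);
            return profile;
        }
    }

    /** Client subclass: installs the definition above and sends the token in the Authorization header. */
    public static class IdentifiedGenericOAuth20Client extends GenericOAuth20Client {
        private final String idAttribute;

        public IdentifiedGenericOAuth20Client(final String idAttribute) {
            this.idAttribute = idAttribute;
        }

        @Override
        protected void clientInit(final WebContext context) {   // pac4j 3.x: clientInit() without argument
            super.clientInit(context);   // builds the stock definition from profileUrl/profileVerb/profilePath/profileAttrs
            final OAuth20Configuration configuration = getConfiguration();
            configuration.setTokenAsHeader(true);
            final GenericOAuth20ProfileDefinition stock =
                (GenericOAuth20ProfileDefinition) configuration.getProfileDefinition();
            configuration.setProfileDefinition(new IdentifiedProfileDefinition(stock, idAttribute));
        }
    }

    /** Offline check of the definition alone; the bodies are constructed and reuse attribute names from the log. */
    public static void main(final String[] args) throws Exception {
        final GenericOAuth20ProfileDefinition stock = new GenericOAuth20ProfileDefinition();
        stock.setProfileAttributes(Collections.singletonMap("name", "name"));
        final IdentifiedProfileDefinition definition = new IdentifiedProfileDefinition(stock, "sub");

        final OAuth20Profile profile = definition.extractUserProfile(
            "{\"sub\":\"978fa4ff4ea06ca1d39f35eb728b5a7e\",\"name\":\"CORPREC FICTICIO ACTIVO\"}");
        System.out.println("id=" + profile.getId() + " name=" + profile.getAttribute("name"));

        try {
            definition.extractUserProfile("{\"name\":\"CORPREC FICTICIO ACTIVO\"}");
        } catch (final TechnicalException rejected) {
            System.out.println("rejected: " + rejected.getMessage());
        }
    }
}
```

Why fail closed: in the log above, a profile with `id: null` still produced an audit record with `ACTION: AUTHENTICATION_SUCCESS` and `WHO: null` before the webflow threw, so an identifier-less profile is better rejected inside the profile definition than handed to CAS. The example defaults to `sub`, the subject identifier present in the provider response above, rather than `name`, which is a display name and need not be unique; use whatever the provider documents as its user identifier. Since CAS 5.2 builds the GenericOAuth20Client itself from the `cas.authn.pac4j.oauth2[0].*` properties, using the client subclass means constructing that client in your own `Clients` bean instead (assumption about the CAS wiring; on pac4j 3.2+, the profile-id setting Jérôme mentions replaces the definition part). Two caveats on the token: the v2 `signRequest` quoted above always calls `configuration.getService().signRequest(...)` before adding the Authorization header, so check on the provider side whether the token is still also sent as a query parameter; and the logged profile attributes include `access_token`, so make sure that attribute is not among those CAS releases to services.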
