[cas-user] OAuth Callback Redirect Issue - Browser Prefetch Conflict

2020-05-28 Thread Justin Isenhour
All,

I am currently running CAS 5.3.7 in production and have gotten a few 
reports from users that if they already have an SSO session and attempt to 
go to one of our client app URLs directly, they end up on our main SSO 
landing page instead of getting to the client app; all users so far have 
been using the Chrome browser.  After much troubleshooting I have discovered 
the root of the issue.  It seems that when a user is typing the URL into 
the address bar, Chrome, in some cases, will execute a prefetch call to 
the URL before the user presses enter to load the site.  In this case the 
prefetch call triggers the OAuth SSO process, and while tracing you can see 
a full set of redirects/interactions, all with the header Purpose: Prefetch.  
There is a rare timing situation that can occur if the user presses enter 
to load the client site close enough to the time the browser is executing 
the prefetch call.  After digging through the CAS 5.3.7 code I see 
in OAuth20CallbackAuthorizeEndpointController, line 68, callback.perform.  
This calls the DefaultCallbackLogic class from pac4j, and during the 
method redirectToOriginallyRequestedUrl, the redirect happens.  The 
originally requested URL is expected to be stored in the session object, 
and once it is fetched the session value is set to null to clean up the 
session; if empty, it will redirect to the default URL, which is /.  In this 
rare timing situation it seems that the prefetch is happening first and 
clears the redirect URL from the session after the real request hits the 
server but before it triggers the callback method.  This means that when 
the real request executes the callback, the session object has already been 
cleared, resulting in a redirect to the default URL (/).

Is anyone else aware of this?  Does anyone have a solution in mind other 
than overriding the pac4j logic myself to not clean up the session?  

FYI - I know this could be handled by turning off the prefetch setting in 
the browser, but that is a less favorable option as of now because we have a 
large population of users (30k) for whom we do not control the browser 
setting through our corporate GPO; these are external clients that we 
federate with (100+ different client organizations).


Thanks in advance,
Justin Isenhour

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/4747bcbd-e3ea-4640-bef9-eaf97c98b6fe%40apereo.org.
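A constructed Python simulation of the interleaving Justin describes (prefetch and real navigation sharing one cookie session, with the prefetch callback consuming the stored URL first), beside a prefetch-aware variant in which a request carrying Purpose: Prefetch may read but never consume session state. This is an added example, not code from the thread, CAS or pac4j; the session attribute name, the Sec-Purpose check and the sample URL are assumptions.

```python
# Constructed simulation of the prefetch/real-request race; not CAS or pac4j code.
DEFAULT_URL = "/"
SESSION_KEY = "requestedUrl"  # hypothetical name for the session attribute


def is_prefetch(headers):
    """True when the browser marks the request as speculative (Purpose: Prefetch;
    newer Chrome builds send Sec-Purpose instead, assumed here)."""
    lowered = {k.lower(): v.lower() for k, v in headers.items()}
    return (lowered.get("purpose") == "prefetch"
            or lowered.get("sec-purpose", "").startswith("prefetch"))


def begin_login(session, requested_url):
    """First hit on the client app: remember the target, then redirect to the IdP."""
    session[SESSION_KEY] = requested_url


def finish_login_naive(session, headers):
    """Callback as reported for DefaultCallbackLogic: read the URL, null it out,
    and fall back to '/' when nothing is stored."""
    return session.pop(SESSION_KEY, None) or DEFAULT_URL


def finish_login_prefetch_aware(session, headers):
    """Hardened callback: a speculative request may read the stored URL but
    must not consume it, so the real navigation still finds it."""
    if is_prefetch(headers):
        return session.get(SESSION_KEY) or DEFAULT_URL
    return session.pop(SESSION_KEY, None) or DEFAULT_URL


def run_race(finish):
    """Replay the reported interleaving: prefetch and real navigation share one
    cookie session, and the prefetch callback lands before the real one."""
    session = {}
    app_url = "https://app.example.com/dashboard"  # constructed sample URL
    begin_login(session, app_url)  # prefetch starts the flow, stores the URL
    begin_login(session, app_url)  # real request arrives, stores the same URL
    prefetch_target = finish(session, {"Purpose": "Prefetch"})
    real_target = finish(session, {})
    return prefetch_target, real_target


if __name__ == "__main__":
    print("naive callback:", run_race(finish_login_naive))
    print("prefetch-aware callback:", run_race(finish_login_prefetch_aware))
```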


Re: [cas-user] Re: What is sign key for JWT in CAS OAuth2?

2020-05-28 Thread Ray Bon
The field identifier, cas.authn.oauth.crypto.signing.key, is different from the 
one you have in your properties, 
cas.authn.oauth.access-token.crypto.signing.key.

Perhaps both are needed.

Ray

On Thu, 2020-05-28 at 09:19 -0700, dg wrote:
Hi, thanks for the response. I am a little confused. Does CAS generate a sign key 
automatically even if I have set the sign key?

Here are my logs


I used this key in my resource server, but nothing changed, still a validation 
error.

--

Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca

I respectfully acknowledge that my place of work is located within the 
ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
WSÁNEĆ Nations.



[cas-user] Re: What is sign key for JWT in CAS OAuth2?

2020-05-28 Thread dg
Hi, thanks for the response. I am a little confused. Does CAS generate a sign 
key automatically even if I have set the sign key? 

Here are my logs


I used this key in my resource server, but nothing changed, still a 
validation error. 



Re: [cas-user] What is sign key for JWT in CAS OAuth2?

2020-05-28 Thread Nguyen Tran Thanh Lam
Hi,
When you enable OAuth2, the signing key shows in your logs when you build
CAS.
Don't worry about the CAS build failing.
You can get the signing key and build again; it will succeed.
Note: OAuth2 is just supported in CAS version 6.1.x
BRs

On Thu, 28 May 2020 at 22:00, dg wrote:

> I have configured CAS with OAuth2 and JWT as the access token like this:
> https://apereo.github.io/2019/02/19/cas61-as-oauth-authz-server/
>
> It works well and returns a JWT, and I also decode it on the jwt.io website
> and can see the payload. *But I can't validate the JWT in the resource server. I
> have the same signing key in the resource server.*
>
> My CAS configs
>
> cas.authn.oauth.access-token.crypto.enabled=true
> cas.authn.oauth.access-token.crypto.signing-enabled=true
> cas.authn.oauth.access-token.crypto.encryption-enabled=false
> cas.authn.oauth.access-token.crypto.signing.key=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAgYXF7qeNDWxzVVCkFaFwxGixkryifkDbu82n00fvT/ab2lx3KD3IxP9wqo3d3hUOZT7HeTlmvzJu2lZx0zLVnumz0m+Ksa5cuFyIEQ2nqkbi2bfD+moxEoCS6hXCvttihS8gyaJrHlHzvNugAGArSviNOJAdTrPJrIzcoqMxuC9UKoF8XJ6HirQOsR1+xSzqFeWxjCDe5IUJG0RA31rC7BbAJ148Ni8XUJm3UPB5+nfqGyOMYNBqiQ8OPD6D2kJKgQIy6pvSI/11bbFBL2ffWY257rh5gZJ+zQZ4cCCjDWsrWsA9okgPhPE2N/nKj1lcuqaWSj700uX0Ihxsp2l01QIDAQAB
>
>
>
> Where am I wrong? Doesn't Apereo CAS use 
> cas.authn.oauth.access-token.crypto.signing.key? Or maybe Apereo CAS does 
> some additional encryption over the sign key.
>
>
> Could you provide some information? Thanks for the help.
>



[cas-user] What is sign key for JWT in CAS OAuth2?

2020-05-28 Thread dg
I have configured CAS with OAuth2 and JWT as the access token like this: 
https://apereo.github.io/2019/02/19/cas61-as-oauth-authz-server/

It works well and returns a JWT, and I also decode it on the jwt.io website 
and can see the payload. *But I can't validate the JWT in the resource server. I 
have the same signing key in the resource server.*

My CAS configs

cas.authn.oauth.access-token.crypto.enabled=true
cas.authn.oauth.access-token.crypto.signing-enabled=true
cas.authn.oauth.access-token.crypto.encryption-enabled=false
cas.authn.oauth.access-token.crypto.signing.key=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAgYXF7qeNDWxzVVCkFaFwxGixkryifkDbu82n00fvT/ab2lx3KD3IxP9wqo3d3hUOZT7HeTlmvzJu2lZx0zLVnumz0m+Ksa5cuFyIEQ2nqkbi2bfD+moxEoCS6hXCvttihS8gyaJrHlHzvNugAGArSviNOJAdTrPJrIzcoqMxuC9UKoF8XJ6HirQOsR1+xSzqFeWxjCDe5IUJG0RA31rC7BbAJ148Ni8XUJm3UPB5+nfqGyOMYNBqiQ8OPD6D2kJKgQIy6pvSI/11bbFBL2ffWY257rh5gZJ+zQZ4cCCjDWsrWsA9okgPhPE2N/nKj1lcuqaWSj700uX0Ihxsp2l01QIDAQAB



Where am I wrong? Doesn't Apereo CAS use 
cas.authn.oauth.access-token.crypto.signing.key? Or maybe Apereo CAS does some 
additional encryption over the sign key.


Could you provide some information? Thanks for the help.



[cas-user] Force user to authenticate

2020-05-28 Thread Guillaume N.
Hello,

I'm using CAS to create a new OIDC webflow for my business uses. 

What I want is to force users to authenticate on every service. 
Instead of customizing every service configuration (e.g. ssoEnabled=false) I 
want to do it globally. 

I saw other discussions on this topic on this mailing list, but couldn't 
find a satisfying answer.

I found this section in the documentation: 
https://apereo.github.io/cas/5.2.x/planning/Security-Guide.html#forced-authentication

> Typically forced authentication is configured on a per-service basis, but 
> the service management facility provides some support for implementing 
> forced authentication as a matter of centralized security policy.


It seems to be exactly what I want. So I've read the service management 
documentation section, then the service management dedicated page. 
On the last page, there is the "*Forced authentication - Provides 
administrative control for forced authentication.*" item, but the following 
documentation relates to per-service configuration. 

How can I force users to authenticate? Is there any global OAuth/OIDC 
property? Do I have to create a sub-class? 

Thank you.
