[cas-user] CAS OIDC: Configure different scope with different claims

2019-04-04 Thread Devendra Sisodia
Hello all,

I have configured CAS 5.3.6 with the OpenID Connect protocol for
authentication.
Issue 1:
Each scope should map to at least one or more claims. Right now it doesn't
matter which scope is chosen; the same set of claims is always returned. Even
if you provide no claims at all it still works, but it should result in an
error.

Issue 2:
https://cas.example.org:8443/sso/oidc/.well-known/  =>
"id_token_signing_alg_values_supported":["none","RS256"],

The alg for signing the JWT returns both a valid value and "none". How can I
avoid "none"?


cas.properties:
#OIDC
cas.authn.oidc.scopes=openid,profile,email,roles
cas.authn.oidc.claims = sub,email,givenName,isImpersonating, impersonator, firstName, lastName, roles, name
cas.authn.oidc.userDefinedScopes.profile=isImpersonating, impersonator, firstName, lastName, roles
cas.authn.oidc.userDefinedScopes.email=email
cas.authn.oidc.userDefinedScopes.roles=roles
cas.authn.oidc.issuer=http://cas.example.org:8443/cas/oidc
# Map predefined OIDC claims to our principal (user) attributes
cas.authn.oidc.claimsMap.givenName=firstName
cas.authn.oidc.claimsMap.lastName=lastName
cas.authn.oidc.claimsMap.mail=email
cas.authn.oidc.claimsMap.authorites=roles
cas.authn.oidc.claimsMap.name=name

-- 
Thanks & regards,
Devendra
Mobile: +49 1748437888

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CACE83cXti3mvOA_PxwuOQtZdALfW6SUQW5yS70PGhe9SXgbtUg%40mail.gmail.com.
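A small model of the scope-gated release that Issue 1 above asks for, as an added Python example (not CAS code): it parses a constructed excerpt of the quoted cas.properties, releases only the claims listed under a granted userDefinedScope, and lints the mapping, which flags the mail and authorites claimsMap entries because neither name appears in cas.authn.oidc.claims. Scope, property and attribute names come from the thread; the principal attributes passed in are the caller's.

```python
# Constructed excerpt of the cas.properties quoted in the thread (added example, not CAS code)
CAS_PROPERTIES = """
cas.authn.oidc.scopes=openid,profile,email,roles
cas.authn.oidc.claims = sub,email,givenName,isImpersonating, impersonator, firstName, lastName, roles, name
cas.authn.oidc.userDefinedScopes.profile=isImpersonating, impersonator, firstName, lastName, roles
cas.authn.oidc.userDefinedScopes.email=email
cas.authn.oidc.userDefinedScopes.roles=roles
cas.authn.oidc.claimsMap.givenName=firstName
cas.authn.oidc.claimsMap.lastName=lastName
cas.authn.oidc.claimsMap.mail=email
cas.authn.oidc.claimsMap.authorites=roles
cas.authn.oidc.claimsMap.name=name
"""
SCOPE_PREFIX = "cas.authn.oidc.userDefinedScopes."
MAP_PREFIX = "cas.authn.oidc.claimsMap."

def parse_properties(text: str) -> dict:
    pairs = (ln.split("=", 1) for ln in text.splitlines() if "=" in ln and not ln.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def csv(value: str) -> list:
    return [x.strip() for x in value.split(",") if x.strip()]

def lint(props: dict) -> list:
    """Flags scopes that map to no claims and claimsMap entries whose claim is never declared."""
    declared = set(csv(props["cas.authn.oidc.claims"]))
    problems = []
    for k, v in props.items():
        if k.startswith(SCOPE_PREFIX) and not csv(v):
            problems.append(f"scope {k[len(SCOPE_PREFIX):]} maps to no claims")
        if k.startswith(MAP_PREFIX) and k[len(MAP_PREFIX):] not in declared:
            problems.append(f"claimsMap entry {k[len(MAP_PREFIX):]} is not a declared claim")
    return problems

def claims_for_scopes(props: dict, scopes: list, attrs: dict) -> dict:
    """Scope-gated release: a claim comes back only if one of the granted scopes lists it."""
    if "openid" not in scopes:
        raise ValueError("openid scope is required")
    wanted = {"sub"}  # the openid scope itself yields the subject
    for s in scopes:
        wanted.update(csv(props.get(SCOPE_PREFIX + s, "")))
    released = {}
    for claim in wanted:
        attr = props.get(MAP_PREFIX + claim, claim)  # claim name -> principal attribute
        if attr in attrs:
            released[claim] = attrs[attr]
    return released
```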


[cas-user] Exposing public key via url for 'JWT as Service Tickets'

2018-12-21 Thread Devendra Sisodia
Hello all,
I am configuring JWT as Service Ticket and have used RSA public/private
keys to sign/verify it.
As a convenience for the consumers of the JWT I want to expose the public key via a URL.
Does CAS provide a way to do so?

Thanks,
Devendra



Re: [cas-user] Re: JWT without encryption key

2018-12-14 Thread Devendra Sisodia
Hello,

Big thanks for sharing the configuration; as a result the JWT is not encrypted
and only signed.

But now I face a strange issue: when I try to verify the signature it fails. I am
using AES and a single key to sign, and the JWT is generated. But the generated JWT
fails signature verification.

JWT generated as below:
2018-12-14 12:33:00,684 DEBUG [org.apereo.cas.token.JWTTokenTicketBuilder]
- http://localhost:/api] in service registry>
2018-12-14 12:33:00,685 DEBUG [org.apereo.cas.token.JWTTokenTicketBuilder]
- http://localhost:/api] in service registry>
2018-12-14 12:33:00,690 WARN
[org.apereo.cas.util.cipher.BaseStringCipherExecutor] - 
2018-12-14 12:33:00,690 WARN
[org.apereo.cas.util.cipher.BaseStringCipherExecutor] - 
2018-12-14 12:33:00,690 DEBUG [org.apereo.cas.token.JWTTokenTicketBuilder]
- http://localhost:/api
]>
2018-12-14 12:33:00,734 DEBUG
[org.apereo.cas.authentication.principal.DefaultResponse] - http://localhost:/api]>
2018-12-14 12:33:00,736 DEBUG
[org.apereo.cas.authentication.principal.DefaultResponse] - http://localhost:/api?redirect=true=eyJhbGciOiJSUzUxMiJ9

Verification code used is:
import java.nio.charset.StandardCharsets;
import java.security.Key;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.keys.AesKey;

// Shared secret built from the raw UTF-8 bytes of the configured signing key string
final Key key = new AesKey(jwtSigning.getBytes(StandardCharsets.UTF_8));

final JsonWebSignature jws = new JsonWebSignature();
jws.setCompactSerialization(secureJwt); // the token taken from the redirect above
jws.setKey(key);
// verifySignature() checks the token's signature with this key according to its alg header
if (!jws.verifySignature()) {
    throw new Exception("JWT verification failed");
}

On Thu, Dec 13, 2018 at 3:40 PM Giuseppe Infurna wrote:

>
> yes
>
>
> ###Token/JWT Tickets ENCRYPTION
> cas.authn.token.crypto.enabled=true
>
> cas.authn.token.crypto.signing-enabled=true
> cas.authn.token.crypto.signing.key=Dkkpi7iUKqidOXXmeAbr4RyHirYmgQgqqUrIo6q_JPNks2iqX2l95jVVoZQDWLNiFnhQF43agCtdMxRnIXOO9g
>
> cas.authn.token.crypto.encryption-enabled=false
> cas.authn.token.crypto.encryption.key=
>
> and
>
> {
>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId" : "^(http|https)://?localhost(:8081|:9060|:9000)?/.*",
>   "name" : "myApplication",
>   "theme" : "myApplication",
>   "id" : 1003,
>   "description" : "My Application",
>   "evaluationOrder" : 1,
>   "usernameAttributeProvider" : {
>     "@class" : "org.jasig.cas.services.DefaultRegisteredServiceUsernameProvider"
>   },
>   "attributeReleasePolicy" : {
>     "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
>   },
>   "accessStrategy" : {
>     "@class" : "org.jasig.cas.services.DefaultRegisteredServiceAccessStrategy",
>     "enabled" : true,
>     "ssoEnabled" : true
>   },
>   "proxyPolicy" : {
>     "@class" : "org.jasig.cas.services.RegexMatchingRegisteredServiceProxyPolicy",
>     "pattern" : "^(http|https)?://.*"
>   },
>   "properties" : {
>     "@class" : "java.util.HashMap",
>     "jwtAsServiceTicket" : {
>       "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
>       "values" : [ "java.util.HashSet", [ "true" ] ]
>     }
>   }
> }
>
>
>
> On Thursday, 13 December 2018 at 14:55:49 UTC+1, Devendra Sisodia wrote:
>>
>> Sorry, but this does not work.
>> What does your service (the one with the definition of 'jwtAsServiceTicket', etc.)
>> look like?
>>
>>
>> On Thu, Dec 13, 2018 at 2:09 PM Giuseppe Infurna wrote:
>>
>>> Hi all,
>>> It works fine for me with
>>>
>>> cas.authn.token.crypto.encryption-enabled=false
>>> cas.authn.token.crypto.encryption.key=
>>>
>>>
>>> On Monday, 12 November 2018 at 16:44:10 UTC+1, Xavier Rodríguez wrote:
>>>>
>>>> I'm configuring CAS Server 5.3.3. In one service I need to respond with a
>>>> JWT without encryption. Is it possible?
>>>>
>>>> I have changed in cas.properties:
>>>>
>>>> cas.authn.token.crypto.encryptionEnabled=false
>>>>
>>>> But it has no effect. In my service I don't configure the property either:
>>>>
>>>> "jwtAsServiceTicketEncryptionKey"
>>>>
>>>> How can I disable this property?
>>>>
>>>> Regards!
>>>>
>>>> - Xavier -
>>>>
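An added Python verifier, not from the thread or from CAS, that serves both the "none" question in the OIDC thread above and the failing verification in this one: it reads the JOSE header first and refuses "none" or any alg outside the expected set before touching the key, and only then checks an HS512 signature with the configured secret (taken as UTF-8 bytes, as the posted Java code does; a constructed placeholder stands in for the real key, and HS512 as the expected alg is an assumption). The header eyJhbGciOiJSUzUxMiJ9 in the quoted log decodes to {"alg":"RS512"}, which a verifier like this reports explicitly instead of returning a bare verification failure.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholder secret; the signing key quoted in the thread is deliberately not reused.
# As in the posted Java code, the UTF-8 bytes of the configured string act as the HMAC key.
SIGNING_KEY = b"constructed-placeholder-signing-key-not-for-production-use-000000"
ALLOWED_ALGS = {"HS512"}  # assumption: a single shared secret implies an HMAC alg

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def header_alg(token: str) -> str:
    """Reads alg from the JOSE header; eyJhbGciOiJSUzUxMiJ9 in the quoted log decodes to RS512."""
    return json.loads(b64url_decode(token.split(".")[0])).get("alg")

def hs512_sign(claims: dict, key: bytes) -> str:
    header = b64url_encode(json.dumps({"alg": "HS512"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha512).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify(token: str, key: bytes) -> dict:
    """Checks alg before the signature, so 'none' and RS*/ES* tokens are refused
    outright rather than run through an HMAC check that cannot apply to them."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    h, p, s = parts
    alg = header_alg(token)
    if alg not in ALLOWED_ALGS:
        raise ValueError(f"unexpected alg {alg!r}; expected one of {sorted(ALLOWED_ALGS)}")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha512).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(p))
```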