Hello,

Thank you, it seems to work now as expected with this patch.

Regards.

On 10/03/2021 at 09:40, Pavlos Drandakis wrote:
> Hi Philippe,
>
> it seems that gauth validation is now fixed
> (https://github.com/apereo/cas/commit/e7cb3b8b44867addcb6b8510cbbed45cbc9b265f).
>
> Pavlos
>
> On Tue, Mar 9, 2021 at 10:19 PM 'Philippe MARASSE' via CAS Community
> <[email protected]> wrote:
>
> > Folks,
> >
> > Since we've installed our new cas v6.3.0 with MFA (gauth or u2f), we've
> > run into a strange issue:
> > - TOTP registering works fine, first check of TOTP code is verified ok
> > (a bad code is rejected, as expected)
> > - TOTP input before accessing a service is asked, but whatever numerical
> > input can be sent, it will always be accepted ??
> >
> > In other words: Google authenticator TOTP does not work for us.
> >
> > I've set trace level on org.apereo.cas.gauth package, then used 1234 as
> > TOTP token (expected tokens are 6 digit long):
> >
> > 2021-03-09 20:59:30,214 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Attempting authentication of [1234] using [GoogleAuthenticatorAuthenticationHandler]>
> > 2021-03-09 20:59:30,215 TRACE [org.apereo.cas.gauth.credential.GoogleAuthenticatorOneTimeTokenCredentialValidator] - <Received OTP [1234] assigned to account [1614873350660]>
> > 2021-03-09 20:59:30,215 TRACE [org.apereo.cas.gauth.credential.GoogleAuthenticatorOneTimeTokenCredentialValidator] - <Received principal id [testuser]. Attempting to locate account in credential repository...>
> > 2021-03-09 20:59:30,215 TRACE [org.apereo.cas.gauth.credential.RedisGoogleAuthenticatorTokenCredentialRepository] - <Fetching Google Authenticator records based on key [RedisGoogleAuthenticatorTokenCredentialRepository:testuser:*]>
> > 2021-03-09 20:59:30,218 TRACE [org.apereo.cas.gauth.credential.GoogleAuthenticatorOneTimeTokenCredentialValidator] - <Attempting to locate OTP token [1234] in token repository for [testuser]...>
> > 2021-03-09 20:59:30,219 TRACE [org.apereo.cas.gauth.token.GoogleAuthenticatorRedisTokenRepository] - <Locating token by identifier [testuser] using key [GoogleAuthenticatorRedisTokenRepository:testuser:1234]>
> > 2021-03-09 20:59:30,220 DEBUG [org.apereo.cas.gauth.credential.GoogleAuthenticatorOneTimeTokenCredentialValidator] - <Attempting to authorize OTP token [1234]...>
> > 2021-03-09 20:59:30,232 DEBUG [org.apereo.cas.gauth.GoogleAuthenticatorAuthenticationHandler] - <Validated OTP token [OneTimeToken(id=1615319970224, token=1234, userId=testuser, issuedDateTime=2021-03-09T20:59:30.224663)] successfully for [testuser]>
> > 2021-03-09 20:59:30,232 TRACE [org.apereo.cas.gauth.token.GoogleAuthenticatorRedisTokenRepository] - <Saving token [OneTimeToken(id=1615319970224, token=1234, userId=testuser, issuedDateTime=2021-03-09T20:59:30.224663)] using key [GoogleAuthenticatorRedisTokenRepository:testuser:1234]>
> > 2021-03-09 20:59:30,281 TRACE [org.apereo.cas.gauth.token.GoogleAuthenticatorRedisTokenRepository] - <Saved token [OneTimeToken(id=1615319970224, token=1234, userId=testuser, issuedDateTime=2021-03-09T20:59:30.224663)]>
> > 2021-03-09 20:59:30,282 DEBUG [org.apereo.cas.gauth.GoogleAuthenticatorAuthenticationHandler] - <Creating authentication result and building principal for [testuser]>
> > 2021-03-09 20:59:30,282 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication handler [GoogleAuthenticatorAuthenticationHandler] successfully authenticated [GoogleAuthenticatorTokenCredential(super=OneTimeTokenCredential(token=1234), accountId=1614873350660)]>
> >
> > our dependencies:
> >
> > dependencies {
> >     implementation "org.apereo.cas:cas-server-support-ldap:${project.'cas.version'}"
> >     implementation "org.apereo.cas:cas-server-support-json-service-registry:${project.'cas.version'}"
> >     implementation "org.apereo.cas:cas-server-support-reports:${project.'cas.version'}"
> >
> >     implementation "org.apereo.cas:cas-server-support-u2f:${project.'cas.version'}"
> >     implementation "org.apereo.cas:cas-server-support-u2f-redis:${project.'cas.version'}"
> >
> >     implementation "org.apereo.cas:cas-server-support-gauth:${project.'cas.version'}"
> >     implementation "org.apereo.cas:cas-server-support-gauth-redis:${project.'cas.version'}"
> >
> >     implementation "org.apereo.cas:cas-server-support-saml:${project.'cas.version'}"
> >
> >     implementation "org.apereo.cas:cas-server-support-redis-ticket-registry:${project.'cas.version'}"
> > }
> >
> > And relevant configuration in cas.properties:
> >
> > cas.authn.mfa.gauth.code-digits=6
> > cas.authn.mfa.gauth.time-step-size=30
> > cas.authn.mfa.gauth.rank=2
> >
> > Any idea?
> >
> > Regards.
> >
> > --
> > Philippe MARASSE
> >
> > Responsable pôle Infrastructures - DSIO
> > Centre Hospitalier Henri Laborit
> > CS 10587 - 370 avenue Jacques Cœur
> > 86021 Poitiers Cedex
> > Tel : 05.49.44.57.19
> >
> > --
> > - Website: https://apereo.github.io/cas
> > - Gitter Chatroom: https://gitter.im/apereo/cas
> > - List Guidelines: https://goo.gl/1VRrw7
> > - Contributions: https://goo.gl/mh7qDG
> > ---
> > You received this message because you are subscribed to the Google Groups "CAS Community" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> > To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/dc1587ac-f726-9fc1-00fb-bf37260690c0%40ch-poitiers.fr.

--
Philippe MARASSE
Responsable pôle Infrastructures
Direction de l'Informatique, Support à la Communication et à l'Organisation (DISCO)
Centre Hospitalier Henri Laborit
CS 10587 - 370 avenue Jacques Cœur
86021 Poitiers Cedex
Tel : 05.49.44.57.19
smime.p7s
Description: S/MIME cryptographic signature
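An added example, not CAS code and not from anyone in this thread, showing the checks a correct TOTP validator has to make before it can log "Validated OTP token" as in the trace above: reject a token of the wrong shape (the 4-digit 1234 sent in the test), compare the token against the account's secret per RFC 6238 with the same 6-digit / 30-second settings as the cas.properties quoted, and refuse a token that was already consumed for that user. The secret, user name and clock values are constructed (the secret is the RFC 6238 SHA-1 test-vector key).

```python
import hashlib
import hmac
import struct

CODE_DIGITS = 6   # same as cas.authn.mfa.gauth.code-digits=6 in the thread
TIME_STEP = 30    # same as cas.authn.mfa.gauth.time-step-size=30
WINDOW = 1        # accept one time step of clock skew on either side


def hotp(secret: bytes, counter: int, digits: int = CODE_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, unix_time // step)


class OtpValidator:
    """Shape check, cryptographic check against the secret, then replay check.
    The 'used' set plays the role of the token repository in the CAS trace:
    a token that was already saved for a user must not validate again."""

    def __init__(self) -> None:
        self.used: set[tuple[str, str]] = set()

    def validate(self, user: str, secret: bytes, token: str, now: int) -> bool:
        # 1. Anything that is not exactly CODE_DIGITS decimal digits fails here,
        #    so "1234" never reaches the cryptographic check.
        if len(token) != CODE_DIGITS or not token.isdigit():
            return False
        # 2. Replay: the same (user, token) pair is accepted at most once.
        if (user, token) in self.used:
            return False
        # 3. The token must equal the expected code for a step inside the window;
        #    compare in constant time.
        counter = now // TIME_STEP
        for c in range(counter - WINDOW, counter + WINDOW + 1):
            if hmac.compare_digest(hotp(secret, c), token):
                self.used.add((user, token))
                return True
        return False
```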
