Hi, thanks for the response!
Actually what seems to happen is that when */authorize* is called, the CAS
*OAuth20HandlerInterceptorAdapter.preHandle() *is invoked which in turn
invokes the pac4j *SecurityInterceptor*. Eventually the
*org.pac4j.core.engine.DefaultSecurityLogic
*gets called and it checks (via DefaultAuthorizationChecker) if an active
pac4j profile can be found in the session store. It seems like if I call
/authorize within some time (~10min?) after a successful login to CAS, then
there is an active profile in the session and the authentication &
authorization is considered valid and access is granted.
However after waiting for some time, when I call */authorize*, then there
is no profile in the session store and eventually we end up in the MFA
step.
Is anyone able to explain how this works and if there is some way to affect
the profile expiration in the session store, so that the pac4j engine would
NOT consider the request authorized? I suppose we would want to otherwise
keep the default functionality, but for some specific oauth clients we
would want MFA be triggered on EVERY request to /authorize.
I might be completely lost too, would be happy to receive some insight on
this if someone is aware :)
Many thanks!
Tom
On Wednesday 8 May 2024 at 03:39:51 UTC+3 Ray Bon wrote:
> Tom,
>
> Could it be that the groovy script is returning null or a value that cas
> does not understand?
>
> Ray
>
> On Tue, 2024-05-07 at 06:49 -0700, tjan...@gmail.com wrote:
>
> Notice: This message was sent from outside the University of Victoria
> email system. Please be cautious with links and sensitive information.
>
>
> Hello!
>
> I'm trying to trigger MFA even if the user is authenticated and the TGT
> participates in the existing SSO session, but somehow the behavior is
> inconsistent. I'm using OAuth authorization code flow and already somehow
> managed to execute a flow where after a call to /authorize, the user was
> NOT requested to authenticate (due to active SSO), but still the MFA policy
> was triggered as expected.
>
> Now I'm unable to reproduce that. Instead whenever I send a request to
> /authorize, I get redirected to the service redirect URL with an OAuth code
> in the query parameters. Instead I would like the MFA provider to get
> triggered on each call to /authorize for this specific service.
>
> In the service configuration I have defined:
> "multifactorPolicy":{
> "@class":"
> org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
> "script":"classpath:groovy/forceMfaPolicy.groovy",
> "bypassEnabled":"false",
> "forceExecution":"true"
> }
>
> What might be the correct way to enforce MFA even if an SSO session is
> active and being participated in?
>
> Thank you!
> Tom
>
>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/322d64e1-caf0-41a0-a7d9-c783b3166d4cn%40apereo.org.
