CAS delegated authentication with OAUTH2.0 not working - authentication

I was trying to add an oauth2.0 authentication provider in our cas (v6.1.x). But I was getting the following error.
2020-11-15 10:03:30,675 INFO [org.apereo.cas.web.flow.DelegatedClientAuthenticationAction] - <Credentials are successfully authenticated using the delegated client [OauthClient]>
2020-11-15 10:03:36,492 ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [ClientCredential(credentials=#OAuth20Credentials# | code: c.lKObb15ip36uiWfOYaTXEfQ | accessToken: com.github.scribejava.core.model.OAuth2AccessToken#5ca28902 |, clientName=OauthClient, typedIdUsed=true, userProfile=null)] of type [ClientCredential]. Examine the configuration to ensure a method of authentication is defined and analyze CAS logs at DEBUG level to trace the authentication event.>
2020-11-15 10:03:36,509 ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[OauthClient]: [id cannot be blank]>
2020-11-15 10:03:36,513 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: NotYetAuthenticated-e111ad8e-8e6f-4edd-9de7-d2eae5040704
As you can see the credentials are successfully authenticated. After that redirected back with unauthorized access on the browser UI with the above error.
The properties I used for delegated authentication is given below:-
cas.server.name=http://localhost:8080
cas.server.prefix=http://localhost:8080/cas
cas.authn.pac4j.oauth2[0].id=${CLIENT_ID}
cas.authn.pac4j.oauth2[0].secret=${CLIENT_SECRET}
cas.authn.pac4j.typedIdUsed=true
cas.authn.pac4j.principalAttributeId=email
cas.authn.pac4j.name=OauthClient
cas.authn.pac4j.order=0
cas.authn.pac4j.lazyInit=true
cas.authn.pac4j.oauth2[0].autoRedirect=false
cas.authn.pac4j.oauth2[0].principalAttributeId=email
cas.authn.pac4j.oauth2[0].enabled=true
cas.authn.pac4j.oauth2[0].authUrl=${AUTH_URL}
cas.authn.pac4j.oauth2[0].tokenUrl=${TOKEN_URL}
cas.authn.pac4j.oauth2[0].profileUrl=${PROFILE_URL}
cas.authn.pac4j.oauth2[0].profileVerb=GET
cas.authn.pac4j.oauth2[0].scope=profile,email,roles
cas.authn.pac4j.oauth2[0].clientName=OauthClient
Thanks in advance.

Related

How do I authenticate against ldap.google.com?

I was able to connect ldaps://ldap.google.com using the downloaded cert.
I'm trying to do the user authentication against it, always failed
My settings, we are using GSuite Business plus planning.
The connection url: ldaps://ldap.google.com
edit mode: read only
users DN: dc=xxxx,dc=xx (no filter applied)
search scope: subtree
Bind type:
When I set it to ‘none’ I get error: “error during sync of users” in server log:
error code 50: insufficient access rights
Uncaught server error: LDAP query failed.
When I enter a user:
User + #domain = LDAP: error 50 - Not authorized to authenticate password
User without #domain = error 49 - Incorrect password
User in DN = uid or cn=xxxx, ou=xxxx - error 50 - Not authorized to authenticate password
Anything I'm missing? or google ldap don't allow it?

EMM Login Error Cannot read property "prodConsumerKey"

I've downloaded EMM 1.1.0 and configured a vm with all the pre-requites to run it.
Since I"m working from the local machines and the VM is a ubuntu server setup I have renamed all of the localhost in the config file to reflect the proper domain name so it can reach.
When I point my browser to https://mydomain.com:9443 I am able to login to carbon and change usernames
However when I goto https://mydomain.com:9443/emm/ it asks me to login again... when I do I get the following errors:
500: Something has gone wrong (very helpful!)
On the console/log file I capture the following:
[2014-06-24 10:06:34,041] INFO {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} - 'admin#carbon.super [-1234]' logged in at [2014-06-24 10:06:34,041+0800]
[2014-06-24 10:06:34,321] INFO {JAGGERY.modules.common:js} - New connection was taken
[2014-06-24 10:06:34,618] WARN {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} - Failed Administrator login attempt 'admin[-1234]' at [2014-06-24 10:06:34,618+0800]
[2014-06-24 10:06:34,630] ERROR {org.wso2.carbon.apimgt.hostobjects.APIProviderHostObject} - Login failed! Please recheck the username and password and try again..
[2014-06-24 10:06:35,154] WARN {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} - Failed Administrator login attempt 'admin[-1234]' at [2014-06-24 10:06:35,154+0800]
[2014-06-24 10:06:35,156] ERROR {org.wso2.carbon.apimgt.hostobjects.APIStoreHostObject} - Login failed! Please recheck the username and password and try again.
[2014-06-24 10:06:35,326] ERROR {org.jaggeryjs.jaggery.core.manager.WebAppManager} - org.mozilla.javascript.EcmaError: TypeError: Cannot read property "prodConsumerKey" from undefined (/emm/modules/startup.js#59)
org.jaggeryjs.scriptengine.exceptions.ScriptException: org.mozilla.javascript.EcmaError: TypeError: Cannot read property "prodConsumerKey" from undefined (/emm/modules/startup.js#59)
at org.jaggeryjs.scriptengine.engine.RhinoEngine.execScript(RhinoEngine.java:571)
at org.jaggeryjs.scriptengine.engine.RhinoEngine.exec(RhinoEngine.java:273)
at org.jaggeryjs.jaggery.core.manager.WebAppManager.execute(WebAppManager.java:447)
at org.jaggeryjs.jaggery.core.JaggeryServlet.doPost(JaggeryServlet.java:29)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:755)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:749)
... many many more
Can someone please point me in the right direction?
If the admin password is changed, you have to modify the api-manager config file.
A good practice should be create new user for the api-manager
This miss-configuration also causes blank page after EMM authentication in multi-tenancy.
/repository/conf/api-manager.xml
<!--
Authentication manager configuration for API publisher and API store. This is
a required configuration for both web applications as their user authentication
logic relies on this.
-->
<AuthManager>
<!--
Server URL of the Authentication service
-->
<ServerURL>https://${carbon.local.ip}:${mgt.transport.https.port}/services/</ServerURL>
<!--
Admin username for the Authentication manager.
-->
<Username>apiuser</Username>
<!--
Admin password for the Authentication manager.
-->
<Password>StrongPassword</Password>
</AuthManager>
If you have changed username and password of the admin you will have to change that in config.json file found in wso2emm-1.1.0\repository\deployment\server\jaggeryapps\emm\config. Just update the username and password in apiManagerConfigurations section and restart the EMM server.
There is a public JIRA regarding this[1].
The workaround is
You have to set admin username and password to admin and admin when first login to EMM.
If you have changed the password of admin please set the password to admin.
You can use chpasswd.sh/chpasswd.bin file in the bin folder to change the password.
Eg:
./chpasswd.sh --db-url "jdbc:h2:/repository/database/WSO2CARBON_DB" --db-username wso2carbon -db-password wso2carbon --username admin --new-password admin
Once you login to EMM first time, please use above command to change the password again
[1]. https://wso2.org/jira/browse/EMM-704
I used mysql as my DB: Documentation tell you to place the connector file in ${CARBON_HOME}/repository/components/lib.
Running
${CARBON_HOME}/bin/./chpasswd.sh --db-url jdbc:mysql://ip:3306/wso2emm_db --db-username user_db --db-password pass --username admin --new-password admin
I got this error:
java.sql.SQLException: No suitable driver found for jdbc:mysql://
Copying the connector file to ${CARBON_HOME}/repository/lib solved my issue.

Authentication failing with Worklight-Liberty profile configured to LDAP (SSO)

When I try to login from WL hybird application in the emulator I get the below exceptions.
Environment:
1) Worklight Server (505 version) installed using the default Liberty profile and Derby database.
2) Userregistry is configured to LDAP. LDAP is up and running.
3) I have followed "Module 20.1 Form-based Authentication"
Server.xml is correctly configured :
ldapRegistry id="IBMDirectoryServerLDAP" realm="defaultWIMFileBasedRealm"
host="testserver.com" port="4389" ignoreCase="true"
baseDN="dc=ibm,dc=com"
bindDN="cn=xyz"
bindPassword="xyz123"
ldapType="IBM Tivoli Directory Server" reuseConnection="true"
idsFilters
userFilter="(&(uid=%v)(objectclass=ePerson))"
groupFilter="(&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))"
userIdMap="*:uid"
groupIdMap="*:cn"
groupMemberIdMap="ibm-allGroups:member;ibm-allGroups:uniqueMember;groupOfNames:member;groupOfUniqueNames:uniqueMember"
ldapRegistry
Login module is : com.worklight.core.auth.ext.WebSphereLoginModule
Authenticator is : com.worklight.core.auth.ext.WebSphereFormBasedAuthenticator
Exception:
[RandomNumberGenerationServlet]: Initialization successful.
[2/13/13 15:37:21:349 IST] 00000049 com.worklight.core.auth.ext.WebSphereFormBasedAuthenticator I FWLSE0055I: Not recognized.
[2/13/13 15:38:27:288 IST] 0000004b ication.internal.jaas.modules.UsernameAndPasswordLoginModule A CWWKS1100A: Authentication did not succeed for user ID wpsbind. An invalid user ID or password was specified.
[2/13/13 15:38:27:742 IST] 0000004f com.worklight.core.auth.ext.WebSphereFormBasedAuthenticator I FWLSE0055I: Not recognized.
[2/13/13 15:38:27:746 IST] 0000004f com.worklight.core.auth.ext.WebSphereFormBasedAuthenticator I FWLSE0055I: Not recognized.
[2/13/13 15:38:27:747 IST] 0000004f com.worklight.core.auth.impl.AuthenticationFilter E FWLSE0048E: Unhandled exception caught: realm WASLTPARealm is not allowed to ignore request to a protected resouce in a non-success state
java.lang.IllegalStateException: realm WASLTPARealm is not allowed to ignore request to a protected resouce in a non-success state
at com.worklight.core.auth.impl.AuthenticationContext.checkAuthentication(AuthenticationContext.java:515)
at com.worklight.core.auth.impl.AuthenticationContext.processRealms(AuthenticationContext.java:396)
at com.worklight.core.auth.impl.AuthenticationContext.pushCurrentResource(AuthenticationContext.java:373)
at com.worklight.core.auth.impl.AuthenticationServiceBean.accessResource(AuthenticationServiceBean.java:63)
at com.worklight.core.auth.impl.AuthenticationFilter.doFilter(AuthenticationFilter.java:162)
at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:188)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:85)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:940)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1037)
at com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:81)
at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:930)
at com.ibm.ws.webcontainer.osgi.DynamicVirtualHost$2.run(DynamicVirtualHost.java:274)
at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink$TaskWrapper.run(HttpDispatcherLink.java:529)
at com.ibm.ws.threading.internal.Worker.executeWork(Worker.java:398)
at com.ibm.ws.threading.internal.Worker.run(Worker.java:380)
The authentication takes place in Liberty, and in order for Worklight to recognize the logged-in user, it needs to know of it.
Form-based authentication will not help here. What you can and should do is implement a Custom-based Authenticator that will retrieve from the response from Liberty the custom HTTP header containing the user information.
You can read more about Custom-based Authentication in the following Getting Started training module, to first familiarize yourself with the concept:
ftp://public.dhe.ibm.com/software/mobile-solutions/worklight/docs/v505/Module_23_-_Custom_Authenticator_and_Login_Module.pdf
For a clearer "image" of the authentication flow, you can see the diagram as depicted here: http://pic.dhe.ibm.com/infocenter/wrklight/v5r0m5/topic/com.ibm.worklight.help.doc/integ/r_authentication_at_the_gateway.html

Spring security ldap authenticate

I have set up an ldap authentication using the following configuration. I just need to user to authenticate to the LDAP data store, then have their session get an authentication token. From reading the docs, this is what I am thinking is supposed to happen:
applicationContextSecurity.xml
<ldap-server id="contextSource"
url="ldap://192.168.0.1:389/DC=cn,DC=bleum,DC=com"
manager-dn="cn=buddy,ou=Neil,OU=Development,OU=Micosoft,DC=cn,DC=Micosoft,DC=com"
manager-password="A,1234567890" />
<authentication-manager alias="authenticationManager" erase-credentials="true">
<!--<authentication-provider user-service-ref="securityManagerSupport"/> -->
<ldap-authentication-provider server-ref="contextSource" role-prefix="none" user-search-filter="(uid={0})"
user-search-base="ou=Neil,OU=Development,OU=Micosoft" user-context-mapper-ref="contextMapper">
</ldap-authentication-provider>
</authentication-manager>
<beans:bean id="contextMapper" class="com.micosoft.neil.security.UserDetailsContextMapperSupport"/>
Error:
[DEBUG,FilterBasedLdapUserSearch] Searching for user 'test', with user search [ searchFilter: '(samaccountname={0})', searchBase: 'dc=company,dc=com', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
[DEBUG,AbstractContextSource] Got Ldap context on server 'ldap://adapps.company.com:389/dc=company,dc=com'
[INFO,SpringSecurityLdapTemplate] Ignoring PartialResultException
[DEBUG,XmlWebApplicationContext] Publishing event in Root WebApplicationContext: org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent[source=org.springframework.security.authentication.UsernamePasswordAuthenticationToken#488b5f0b: Principal: test; Password: [PROTECTED]; Authenticated: false; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#fffd148a: RemoteIpAddress: 127.0.0.1; SessionId: 0718B7EED3F930C63C03DA97C4344CBD; Not granted any authorities]
[DEBUG,UsernamePasswordAuthenticationFilter] Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials
[DEBUG,UsernamePasswordAuthenticationFilter] Updated SecurityContextHolder to contain null Authentication
[DEBUG,UsernamePasswordAuthenticationFilter] Delegating to authentication failure handlerorg.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler#395158
[DEBUG,TokenBasedRememberMeServices] Interactive login attempt was unsuccessful.
[DEBUG,TokenBasedRememberMeServices] Cancelling cookie
From the result, it looks like the password was incorrect, so if you were trying to enter an incorrect user / password, then yes, that is what is expected.
Really not sure what your question is though? Were you expecting something different? Did you pass the correct credentials?
I have the same error with pretty much the same configuration. I can't give you an answer yet (sorry!), but running a debugger through the Spring classes, it seems they're trying to compare the password the user entered as a string (and the debugger confirms it is the correct password) to a password retrieved from LDAP - which is null - which then fails.

Spring security ldap authenticate first

I have set up an ldap authentication using the following configuration. I just need to user to authenticate to the LDAP data store, then have their session get an authentication token. From reading the docs, this is what I am thinking is supposed to happen:
Authenticate as the manager, find the users full dn based on search criteria
Attempt to bind as the user (using their full dn) and the provided password
The logs dont seem to give enough information as to why this is failing. It just says invalid credentials - when I know they are valid. My thoughts are one of the following is happening:
The users full DN is not being found, and they are just being authenticated with the username
It is trying to do a password compare, vs actually trying to bind to the directory
Configuration:
<ldap-server
url="ldap://adapps.company.com:389/dc=company,dc=com"
manager-dn="cn=fulluserdn,dc=company,dc=com"
manager-password="password"/>
<ldap-user-service user-search-base="" user-search-filter="(samaccountname={0})"/>
<authentication-manager>
<ldap-authentication-provider user-search-filter="(samaccountname={0})" user-search-base="dc=company,dc=com"/>
</authentication-manager>
Error logs:
[DEBUG,FilterBasedLdapUserSearch] Searching for user 'test', with user search [ searchFilter: '(samaccountname={0})', searchBase: 'dc=company,dc=com', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
[DEBUG,AbstractContextSource] Got Ldap context on server 'ldap://adapps.company.com:389/dc=company,dc=com'
[INFO,SpringSecurityLdapTemplate] Ignoring PartialResultException
[DEBUG,XmlWebApplicationContext] Publishing event in Root WebApplicationContext: org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent[source=org.springframework.security.authentication.UsernamePasswordAuthenticationToken#488b5f0b: Principal: test; Password: [PROTECTED]; Authenticated: false; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#fffd148a: RemoteIpAddress: 127.0.0.1; SessionId: 0718B7EED3F930C63C03DA97C4344CBD; Not granted any authorities]
[DEBUG,UsernamePasswordAuthenticationFilter] Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials
[DEBUG,UsernamePasswordAuthenticationFilter] Updated SecurityContextHolder to contain null Authentication
[DEBUG,UsernamePasswordAuthenticationFilter] Delegating to authentication failure handlerorg.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler#395158
[DEBUG,TokenBasedRememberMeServices] Interactive login attempt was unsuccessful.
[DEBUG,TokenBasedRememberMeServices] Cancelling cookie
The problem was teat the LDAP server was running on a different port, but the normal port was still open.