-
-
Notifications
You must be signed in to change notification settings - Fork 3.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix incorrect CasProfile caching between different OAuth 2.0 services #3782
Conversation
Yes, good point. As soon as the profile is in the session, it will be reused keeping its existing attributes. Your solution looks to be a good one: attach the user profile to the client_id and reuse it only for the same client_id. It must be tested in depth though. |
|
||
@Override | ||
public void save(final boolean saveInSession, final U profile, final boolean multiProfile) { | ||
profile.addAttribute(SESSION_CLIENT_ID, context.getRequestParameter(REQUEST_CLIENT_ID)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it would make more sense to use the authentication attributes here instead of the user attributes.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You're right. I've changed it.
protected LinkedHashMap<String, U> retrieveAll(final boolean readFromSession) { | ||
return super.retrieveAll(readFromSession).entrySet().stream().filter( | ||
it -> it.getValue() | ||
.getAttribute(SESSION_CLIENT_ID) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it would make more sense to use the authentication attributes here instead of the user attributes.
...rt-oauth/src/main/java/org/apereo/cas/support/oauth/profile/ClientIdAwareProfileManager.java
Show resolved
Hide resolved
I am not sure I understand how it is supposed to work. Now during the redirect chain we go twice through |
@gagarski About the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We're good for the merge, except that you must sync with the 5.3.x branch and open the same PR for the 6.0.x and master branches
We cannot merge this just yet.
|
PS Or perhaps, some sample configurations for both services that demonstrate different attribute release policies would be good, to run some independent checks. |
OK, I've made some simple zero-configuration example based on latest I have two services here (see
The values for these attrs are set by stub attr repo (see Here are the steps to reproduce:
You may restart CAS and conduct another experiment but with permuting steps. Do 1, 4, 5, 2, 3. In 6 and 7 you will see |
Thanks. Would you mind attaching that project with the config files here? |
@mmoayyed OOps, sorry, I forgot to attach the link: https://github.com/gagarski/cas-overlay-template
|
Thanks again. I spoke to @dima767 about this as well, and he should be able to duplicate and confirm the issue before we move forward. Stay tuned please. |
@dima767 do you think you might be able to confirm the issue/solution by this Friday? Or do you need more time to push back the release date for 5.3.8? |
@mmoayyed Should be able to. Working on it this morning. Give me few hours, plz |
Great. Can you verify the patch fixes this issue in 5.3.8? |
Will do |
Currently having a hard time running the overlay build against I'm getting |
I've created an example for 5.3.8-SNAPSHOT, same repo, |
I thought about adding JUnit test that at least follows the chain of redirects and obtains OC so we can compare expected attrs with actual. However it seems like we have to recreate quite big part of CAS inside the test. I didn't find any inspiration examples among existing tests. |
Or perhaps some kind of a functional automated test against the running CAS server, etc. But manual verification would suffice for now |
after merging the PR into
Building against published SNAPSHOT ( |
Looks strange. I'll take a look at it tomorrow. |
@gagarski It's basically |
Nope, still getting the SOE (could be my env. - I have total of 8 GB of OS RAM, but that's still not good). Here's the sequence of git and gradle steps to install the version into
then built the overlay against it ( If someone else could try it, or we just merge it. |
No, this is a bad idea. I've managed to reproduce it on my pC but now I have no idea what's going on. I am investigating. |
Now I have overlay working with snapshot from Sonatype repo but not working (with SOE) even with my local |
My current suggestions is that Gradle ignores my local hacks (and probably yours too) to temporary switch from JDK 11 to JDK 8. Checking this suggestion now. |
Note - 5.3.x must run on Java 8, not 11 |
That's the command that created working local builds in Probably the thing that do the trick is |
I was looking for other usages of One usage bothers be a bit: But it still looks OK for me: we only remove a profile here. However it is possible to use client id aware profile manager here and make remove also |
Good enough for me. Thanks again.
Also sounds fine. Let's do that in a separate PR, if you are interested? |
If it is OK as it is, let's leave it. If it does not work properly then we probably should do it here. @leleuj any thoughts about this? |
@mmoayyed It seems like you already ported in onto 6.0 and 6.1. Thanks! |
This PR fixes incorrect CasProfile caching when doing two subsequent authentications into different services.
Let's consider two services:
Let's consider that user is also logged into CAS (for simplicity), i. e. he has TGT.
Now let's consider this user initiating authorization code flow by going to
/oauth2.0/authorize
endpoint with serviceA
credentials. User's browser goes through the following redirects:So far so good. But the bad thing is that now a pac4j profile is attached to a user session and this profile contains only a1 and a2 attributes. I believe the profile is added by this interceptor. This profile is bound to CasOAuthClient client (and it is not aware of a specific OAuth 2.0 service).
Now the bad things happen.
Let's consider the same user initialing authorization code flow by going to /oauth2.0/authorize endpoint with service B credentials. Now he already have a pac4j session, so authorize endpoint immediately produces OC ticket with only
a1
anda2
attributes (a3
is missing). ThereforeAT
s created from thisOC
also missa3
. If B relies ona3
attribute for authentication then he can't perform it.If you do these steps vice-versa, this also happens but now A can release more attributes than it is allowed.
This PR tries to fix it.