how to include authenticated user's roles in JWT? - cas

I have configured CAS as an OAuth2 server. After a successful login it returns a JWT, but the roles field in the JWT is always empty, like this:
{
  "sub": "dg",
  ...
  "roles": [],
  "nonce": "",
  "client_id": "first-client",
  "credentialType": "UsernamePasswordCredential",
  ...
}
How can I fetch the authenticated user's roles and put them in the JWT when I log in?
Here is my sample service registry:
{
  "#class" : "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
  "serviceId" : "http://localhost:8085/.*",
  "name" : "CAS Spring Secured App",
  "description": "This is a Spring App that uses the CAS Server for its authentication",
  "id" : 1,
  "evaluationOrder" : 1,
  "bypassApprovalPrompt": true,
  "jwtAccessToken": true,
  "clientId": "first-client",
  "clientSecret": "noonewilleverguess",
  "supportedGrantTypes": [ "java.util.HashSet", [ "authorization_code" ] ],
  "supportedResponseTypes": [ "java.util.HashSet", [ "code" ] ]
}
Thanks for your help.

I found the solution. From the CAS blog (https://apereo.github.io/2017/02/22/cas51-dbauthn-tutorial/):
Today, CAS is unable to retrieve attributes as part of authentication directly so we need to set up a separate attribute repository instance that CAS will contact once the user is fully authenticated.
So we need to use an attribute repository (of which there are many types: ldap, jdbc, stub, ... see https://apereo.github.io/cas/development/configuration/Configuration-Properties.html#stub).
I configured a jdbc attribute repository (with PostgreSQL as the database).
First of all, you need to add two dependencies to build.gradle:
compile "org.apereo.cas:cas-server-support-jdbc:${casServerVersion}"
compile "org.apereo.cas:cas-server-support-jdbc-drivers:${casServerVersion}"
Then create the database table from which you fetch attributes, for example one named my_roles:
id (serial) | user_name (varchar(50)) | role_name (text[])
------------+-------------------------+----------------------------
1           | dg                      | {'ROLE_READ', 'ROLE_WRITE'}
Then configure the attribute repository like this:
cas.authn.attribute-repository.jdbc[0].sql=SELECT * FROM my_roles WHERE {0}
cas.authn.attribute-repository.jdbc[0].username=user_name
cas.authn.attribute-repository.jdbc[0].user=postgres
cas.authn.attribute-repository.jdbc[0].password=postgres
cas.authn.attribute-repository.jdbc[0].url=jdbc:postgresql://localhost:5432/customer
cas.authn.attribute-repository.jdbc[0].driverClass=org.postgresql.Driver
cas.authn.attribute-repository.jdbc[0].dialect=org.hibernate.dialect.PostgreSQL95Dialect
Lastly, don't forget to add a release policy to your service registry:
{
  ...
  "attributeReleasePolicy" : {
    "#class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "role_name" ] ]
  }
}
So here is the result:
{
  "sub": "dg",
  ...
  "role_name": [
    "ROLE_WRITE",
    "ROLE_READ"
  ],
  "aud": "http://localhost:8085/login/oauth2/code/login-client",
  "grant_type": "AUTHORIZATION_CODE",
  ...
}
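The three moving parts in the answer above (the JDBC attribute repository, the ReturnAllowed release policy, and the claim that ends up in the JWT) are easy to get subtly wrong, and the Spring app on the other end must not trust "role_name" until it has verified the token. The following is an added illustration, not CAS code or anything from the answer: an in-memory SQLite table stands in for the PostgreSQL my_roles table (with the text[] column stored as its '{a,b}' literal), the `{0}` placeholder is expanded the way CAS does it (to `user_name = ?`), the release policy filters attributes down to the allowed list, and the token is HS256-signed with a shared key. The HS256 key, the extra `email` column and the sample row are constructed assumptions; CAS's real access-token cipher settings differ, so treat the signing part as the shape of the check, not CAS's format.

```python
# Added illustration (not CAS code): attribute resolution -> release policy ->
# JWT claims, plus the verification a resource server must do before trusting
# role_name. Assumptions: SQLite instead of PostgreSQL, HS256 with a shared key.
import base64
import hashlib
import hmac
import json
import sqlite3


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_db() -> sqlite3.Connection:
    """Constructed sample data mirroring the my_roles table (plus an email column
    that must NOT leak into the token because the release policy omits it)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE my_roles (id INTEGER PRIMARY KEY, user_name TEXT, "
                 "role_name TEXT, email TEXT)")
    conn.execute("INSERT INTO my_roles VALUES (1, 'dg', '{ROLE_READ,ROLE_WRITE}', "
                 "'dg@example.org')")
    return conn


def parse_pg_array(literal: str) -> list:
    """'{ROLE_READ,ROLE_WRITE}' -> ['ROLE_READ', 'ROLE_WRITE'] (PostgreSQL text[] literal)."""
    body = literal.strip()[1:-1]
    return [v.strip().strip('"') for v in body.split(",") if v.strip()]


def resolve_attributes(conn, username: str) -> dict:
    """What cas.authn.attribute-repository.jdbc[0].sql=SELECT * FROM my_roles WHERE {0}
    does: CAS substitutes {0} with '<username column> = ?' and binds the principal id."""
    cur = conn.execute("SELECT * FROM my_roles WHERE user_name = ?", (username,))
    row = cur.fetchone()
    if row is None:
        return {}
    attrs = dict(zip([d[0] for d in cur.description], row))
    attrs["role_name"] = parse_pg_array(attrs["role_name"])
    return attrs


def release(attrs: dict, allowed: list) -> dict:
    """ReturnAllowedAttributeReleasePolicy: only the listed attributes reach the token."""
    return {k: attrs[k] for k in allowed if k in attrs}


def mint_jwt(claims: dict, key: bytes) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_jwt(token: str, key: bytes) -> dict:
    """Resource-server side: pin the algorithm, compare the MAC in constant time,
    and only then read claims. Raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(b64url_decode(h)).get("alg") != "HS256":   # blocks alg=none / confusion
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))


def roles_for(username: str, key: bytes) -> tuple:
    """End to end: resolve -> release -> mint -> verify. Returns (token, verified claims)."""
    attrs = resolve_attributes(make_db(), username)
    claims = {"sub": username, "client_id": "first-client", **release(attrs, ["role_name"])}
    token = mint_jwt(claims, key)
    return token, verify_jwt(token, key)


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-do-not-reuse"
    print(roles_for("dg", demo_key)[1])
```

The two things worth noticing: the release policy is what keeps `email` (and anything else `SELECT *` pulled in) out of the token, so an allow-list policy is the right default, and the consumer pins the algorithm before checking the MAC rather than reading `alg` from the token and trusting it.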

Related

Cipher "clientSecret" params in OAuth2 JWT Token CAS Apereo version 6.1.7

I followed these instructions to encrypt the "clientSecret" parameter in the OAuth2 JWT token with CAS Apereo 6.1:
https://apereo.github.io/2019/11/04/cas62x-oauth-jwt-access-token/
Step 1: Using the CAS shell to encrypt the clientSecret
root@ubuntu16:~/lam/cas-overlay-template# ./gradlew downloadShell runShell
root@ubuntu16:~/lam/cas-overlay-template# java -jar build/libs/cas-server-support-shell-6.1.7.jar
cas>encrypt-value value exampleOauthClientSecret alg PBEWithMD5AndTripleDES provider SunJCE password Vnpt#123 iterations 1000
==== Encrypted Value ====
{cas-cipher}La813rUHz0m2XM/DwqjvGtHPX+l8XtMzI80UGXH24uDMGXCqsAYFfg==
cas>decrypt-value value {cas-cipher}La813rUHz0m2XM/DwqjvGtHPX+l8XtMzI80UGXH24uDMGXCqsAYFfg== alg PBEWithMD5AndTripleDES provider SunJCE password Vnpt#123 iterations 1000
==== Decrypted Value ====
exampleOauthClientSecret
Step 2: I made the service registration like this
root@ubuntu16:/etc/cas/services-repo# cat OAuthJWTService-3.json
{
  "#class" : "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
  "clientId": "exampleOauthClient",
  #"clientSecret": "exampleOauthClientSecret",
  "clientSecret": "{cas-cipher}La813rUHz0m2XM/DwqjvGtHPX+l8XtMzI80UGXH24uDMGXCqsAYFfg==",
  "serviceId" : "^https://cascore.vdc2.com.vn:9999/.*",
  "name" : "OAuthJWTService",
  "id" : 3,
  "jwtAccessToken": true,
  "attributeReleasePolicy" : {
    "#class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", ["comdepartment","comid","lastname","usercode","userdate","useremail","userparentid","userstatus","usertel","usertype" ] ]
  },
  "properties" : {
    "#class" : "java.util.HashMap",
    "accessTokenAsJwtSigningKey" : {
      "#class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
      "values" : [ "java.util.HashSet", [ "CoSfJ2WweU-cWcUYSjW2PWLVLd9hIVG0xxjFFUHSUbCjkkNiwPli_WlqF9V2MHJH3SGH_4DifSYxlgs98h4snA" ] ]
    },
    "accessTokenAsJwtEncryptionKey" : {
      "#class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
      "values" : [ "java.util.HashSet", [ "_3gpqpSiIEjHT0xlscGvgDr0-iPIeeEeyecfFgbg_5E" ] ]
    },
    "accessTokenAsJwtSigningEnabled" : {
      "#class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
      "values" : [ "java.util.HashSet", [ "true" ] ]
    },
    "accessTokenAsJwtEncryptionEnabled" : {
      "#class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
      "values" : [ "java.util.HashSet", [ "true" ] ]
    },
    "accessTokenAsJwtCipherStrategyType" : {
      "#class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
      "values" : [ "java.util.HashSet", [ "SIGN_AND_ENCRYPT" ] ]
    }
  }
}
Step 3: I configured the CAS global settings like this (my global config is stored in MongoDB)
{"_id":{"$oid":"5f058f62ee9a446824d4adf3"},"name":"org.apereo.cas.standalone.configurationSecurity.alg","value":"PBEWithMD5AndTripleDES"}
{"_id":{"$oid":"5f058f79ee9a446824d4adf4"},"name":"org.apereo.cas.standalone.configurationSecurity.provider","value":"SunJCE"}
{"_id":{"$oid":"5f058f8aee9a446824d4adf5"},"name":"org.apereo.cas.standalone.configurationSecurity.iterations","value":"1000"}
{"_id":{"$oid":"5f058f9dee9a446824d4adf6"},"name":"org.apereo.cas.standalone.configurationSecurity.psw","value":"Vnpt#123"}
Step 4: I rebuilt CAS
Step 5: I called the API to create a JWT token like this
curl https://cascore.vdc2.com.vn:8443/cas/oauth2.0/token?grant_type=password'&'client_id=exampleOauthClient'&'client_secret=exampleOauthClientSecret'&'username=abc'&'password=Vnpt#123 | jq
But it shows this error:
{
  "#class": "java.util.LinkedHashMap",
  "timestamp": [
    "java.util.Date",
    1594370510760
  ],
  "status": 401,
  "error": "Unauthorized",
  "message": "No message available",
  "path": "/cas/oauth2.0/token"
}
I tried again with this:
curl https://cascore.vdc2.com.vn:8443/cas/oauth2.0/token?grant_type=password'&'client_id=exampleOauthClient'&'client_secret={cas-cipher}La813rUHz0m2XM/DwqjvGtHPX+l8XtMzI80UGXH24uDMGXCqsAYFfg=='&'username=abc'&'password=Vnpt#123 | jq
But it shows the same error again:
{
  "#class": "java.util.LinkedHashMap",
  "timestamp": [
    "java.util.Date",
    1594370510760
  ],
  "status": 401,
  "error": "Unauthorized",
  "message": "No message available",
  "path": "/cas/oauth2.0/token"
}
Finally, I tried changing the parameter in the registration file back to plain text, from "clientSecret": "{cas-cipher}La813rUHz0m2XM/DwqjvGtHPX+l8XtMzI80UGXH24uDMGXCqsAYFfg==", to "clientSecret": "exampleOauthClientSecret",
That works and gives me a JWT token.
Please help me.
Thanks
I followed these instructions to encrypt the "clientSecret" parameter in the OAuth2 JWT token with CAS Apereo 6.1
If you read the blog post at the link you shared carefully, you'll note that:
Our starting position is based on:
CAS 6.2.x
So that's probably why the instructions do not work for you.

ambari rest API + set json configuration in ambari

To create a new config group, it is mandatory to provide a config group name, a tag and the cluster name to which it belongs. The tag as seen in this example is a name of the service. Two config groups with the same tag cannot be associated with the same host.
How do I run the following JSON file with curl,
in order to set this config group in Ambari?
POST /api/v1/clusters/c1/config_groups
[
  {
    "ConfigGroup": {
      "cluster_name": "c1",
      "group_name": "hdfs-nextgenslaves",
      "tag": "HDFS",
      "description": "HDFS configs for rack added on May 19, 2010",
      "hosts": [
        {
          "host_name": "host1"
        }
      ],
      "desired_configs": [
        {
          "type": "core-site",
          "tag": "nextgen1",
          "properties": {
            "key": "value"
          }
        }
      ]
    }
  }
]
Reference: https://github.com/swagle/test/blob/master/docs/api/v1/config-groups.md
Is your question about how to send multiline json with curl? You can find different methods here.
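The practical difficulty behind the question is getting a multi-line JSON body and credentials to the Ambari endpoint without shell-quoting accidents or a password in `ps` output. The following is an added example, not from the Ambari project or the question: it builds the same POST as `curl -u admin -H 'X-Requested-By: ambari' -X POST -d @body.json http://.../api/v1/clusters/c1/config_groups` using only the standard library, checks the mandatory fields quoted at the top of the question before anything is sent, and reads credentials from the environment. The host `ambari.example.org:8080` and the environment variable names are assumptions; the `X-Requested-By` header and HTTP basic auth are what Ambari's REST API requires for a POST.

```python
# Added example (not from Ambari or the question): build the config-group POST
# with the JSON carried as the request body. Assumed: host ambari.example.org:8080,
# credentials in AMBARI_USER / AMBARI_PASSWORD.
import base64
import json
import os
import urllib.request

CONFIG_GROUP = [  # the payload from the question, as a Python structure
    {
        "ConfigGroup": {
            "cluster_name": "c1",
            "group_name": "hdfs-nextgenslaves",
            "tag": "HDFS",
            "description": "HDFS configs for rack added on May 19, 2010",
            "hosts": [{"host_name": "host1"}],
            "desired_configs": [
                {"type": "core-site", "tag": "nextgen1", "properties": {"key": "value"}}
            ],
        }
    }
]


def validate_config_group(payload: list) -> None:
    """The rule quoted in the question: group name, tag and cluster name are
    mandatory. Raise before a malformed body ever reaches the server."""
    for entry in payload:
        cg = entry.get("ConfigGroup", {})
        for field in ("group_name", "tag", "cluster_name"):
            if not cg.get(field):
                raise ValueError(f"ConfigGroup missing mandatory field {field!r}")


def build_request(base_url: str, cluster: str, payload: list,
                  user: str, password: str) -> urllib.request.Request:
    """Equivalent of: curl -u user -H 'X-Requested-By: ambari' -X POST -d @body.json URL"""
    validate_config_group(payload)
    credentials = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        f"{base_url}/api/v1/clusters/{cluster}/config_groups",
        data=json.dumps(payload).encode(),
        method="POST",
        headers={
            "X-Requested-By": "ambari",   # Ambari rejects POST/PUT/DELETE without it
            "Authorization": f"Basic {credentials}",
        },
    )


def create_config_group(base_url: str, cluster: str, payload: list) -> tuple:
    """Send the request; credentials come from the environment, never from argv."""
    req = build_request(base_url, cluster, payload,
                        os.environ["AMBARI_USER"], os.environ["AMBARI_PASSWORD"])
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    print(create_config_group("http://ambari.example.org:8080", "c1", CONFIG_GROUP))
```

If you do stay with curl, the same two points apply: pass the body with `-d @body.json` rather than inline, and use `-u admin` (prompting for the password) or a netrc file rather than `-u admin:password` on the command line.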

Openshift Open ID Identity Provider with lookup mapping method

I'm using an OpenIDIdentityProvider with mappingMethod: claim to authenticate admin users in the Openshift admin console. I'm using the auth0 service to authenticate users. The admin users are defined in an ansible playbook on deployment, effectively making the admin users hard-coded.
Is it possible to completely manage all admin and developer users using the OpenIDIdentityProvider, a lookup mapping method and adding something like extraScopes: [roles] to pull through the additional authorization roles into the authentication request? That would enable me to completely manage users and roles separately from the ansible playbook. Next level bonus points for managing permissions on the authentication provider side.
The Openshift documentation is very light on details for authentication / authorization outside of the default mappingMethod: claim.
Below is my identity provider JSON file for the claim-based mapping method:
{
  "items": [
    {
      "name": "auth0",
      "challenge": false,
      "login": true,
      "mappingMethod": "claim",
      "kind": "OpenIDIdentityProvider",
      "clientID": "supersecretsauce",
      "clientSecret": "extrasupersecretsauce",
      "extraScopes": ["email", "profile"],
      "claims": {
        "id": ["email"],
        "preferredUsername": ["email"],
        "name": ["name"],
        "email": ["email"]
      },
      "urls": {
        "authorize": "https://fancypants.auth0.com/authorize",
        "token": "https://fancypants.auth0.com/oauth/token",
        "userInfo": "https://fancypants.auth0.com/userinfo"
      }
    }
  ]
}
To my simple mind the below would suffice for a working lookup-based mapping method with roles returned by the authentication provider:
{
  "items": [
    {
      "name": "auth0",
      "challenge": false,
      "login": true,
      "mappingMethod": "lookup",
      "kind": "OpenIDIdentityProvider",
      "clientID": "supersecretsauce",
      "clientSecret": "extrasupersecretsauce",
      "extraScopes": ["email", "profile", "roles"],
      "claims": {
        "id": ["email"],
        "preferredUsername": ["email"],
        "name": ["name"],
        "email": ["email"],
        "role": ["roles"]
      },
      "urls": {
        "authorize": "https://fancypants.auth0.com/authorize",
        "token": "https://fancypants.auth0.com/oauth/token",
        "userInfo": "https://fancypants.auth0.com/userinfo"
      }
    }
  ]
}
An example of a functional role value would be cluster-admin.
OpenID can only be used for authentication. You are attempting to use it for both authentication and authorization. This is not possible as roles and bindings are managed by Openshift - they cannot be delegated to an external service.

Fiware: No observation attributes in Orion CB when registered/sent via IDAS UltraLight

This question is very similar to Missing attributes on Orion CB Entity when registering device through IDAS, but I found no definitive answer there.
I have been trying to get FIWARE UL2.0 via IDAS to the Orion CB working in the FIWARE Lab environment, using the latest GitHub scripts from https://github.com/telefonicaid/fiware-figway/tree/master/python-IDAS4 and following the tutorials, in particular http://www.slideshare.net/FI-WARE/fiware-iotidasintroul20v2
I have a FI-WARE Lab account with a token generated, and adapted the config.ini file:
[user]
# Please, configure here your username at FIWARE Cloud and a valid Oauth2.0 TOKEN for your user (you can use get_token.py to obtain a valid TOKEN).
username=MY_USERNAME
token=MY_TOKEN
[contextbroker]
host=130.206.80.40
port=1026
OAuth=no
# Here you need to specify the ContextBroker database you are querying.
# Leave it blank if you want the general database or the IDAS service if you are looking for IoT devices connected by you.
# fiware_service=
fiware_service=bus_auto
fiware-service-path=/
[idas]
host=130.206.80.40
adminport=5371
ul20port=5371
OAuth=no
# Here you need to configure the IDAS service your devices will be sending data to.
# By default the OpenIoT service is provided.
# fiware-service=fiwareiot
fiware-service=bus_auto
fiware-service-path=/
#apikey=4jggokgpepnvsb2uv4s40d59ov
apikey=4jggokgpepnvsb2uv4s40d59ov
[local]
#Choose here your System type. Examples: RaspberryPI, MACOSX, Linux, ...
host_type=MACOSX
# Here please add a unique identifier for you. Suggestion: the 3 lower hexa bytes of your Ethernet MAC. E.g. 79:ed:af
# Also you may use your e-mail address.
host_id=a0:11:00
I used the SENSOR_TEMP template, adding the 'protocol' field (PDI-IoTA-UltraLight, which was the first problem I stumbled upon):
{
  "devices": [
    {
      "device_id": "DEV_ID",
      "entity_name": "ENTITY_ID",
      "entity_type": "thing",
      "protocol": "PDI-IoTA-UltraLight",
      "timezone": "Europe/Amsterdam",
      "attributes": [
        {
          "object_id": "otemp",
          "name": "temperature",
          "type": "int"
        }
      ],
      "static_attributes": [
        {
          "name": "att_name",
          "type": "string",
          "value": "value"
        }
      ]
    }
  ]
}
Now I can register the device OK, like
python RegisterDevice.py SENSOR_TEMP NexusPro Temp-Otterlo
and see it in the device list:
python ListDevices.py
I can send observations like
python SendObservation.py Temp-Otterlo 'otemp|17'
But in the Context Broker I see the entity but never the measurements, e.g.
python GetEntity.py Temp-Otterlo
gives
* Asking to http://130.206.80.40:1026/ngsi10/queryContext
* Headers: {'Fiware-Service': 'bus_auto', 'content-type': 'application/json', 'accept': 'application/json', 'X-Auth-Token': 'NULL'}
* Sending PAYLOAD:
{
  "entities": [
    {
      "type": "",
      "id": "Temp-Otterlo",
      "isPattern": "false"
    }
  ],
  "attributes": []
}
...
* Status Code: 200
* Response:
{
  "contextResponses" : [
    {
      "contextElement" : {
        "type" : "thing",
        "isPattern" : "false",
        "id" : "Temp-Otterlo",
        "attributes" : [
          {
            "name" : "TimeInstant",
            "type" : "ISO8601",
            "value" : "2015-10-03T14:04:44.663133Z"
          },
          {
            "name" : "att_name",
            "type" : "string",
            "value" : "value",
            "metadatas" : [
              {
                "name" : "TimeInstant",
                "type" : "ISO8601",
                "value" : "2015-10-03T14:04:44.663500Z"
              }
            ]
          }
        ]
      },
      "statusCode" : {
        "code" : "200",
        "reasonPhrase" : "OK"
      }
    }
  ]
}
Strangely, I get a TimeInstant attribute. I tried playing with settings in the .ini like fiware-service=fiwareiot, but to no avail. I am out of ideas. The documentation in the catalogue for IDAS4
talks about observations being sent to port 8002 and setting the "OpenIoT" service, but that failed as well.
Any help appreciated.
You should run "python SendObservation.py NexusPro 'otemp|17'" instead of "python SendObservation.py Temp-Otterlo 'otemp|17'".
The reason is that you are providing an observation at the southbound interface, so the DEV_ID should be used.
The entity does not include an attribute until an observation is received, so it is normal that you are not able to see it. Once you try the one above it should all work.
Cheers,
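The mistake in the question is a classic one with IoT agents: the southbound (device-facing) call is keyed by the device_id, while the entity_name only exists on the Context Broker side. The following is an added example, not part of the fiware-figway scripts or the answer above, showing how a SendObservation-style helper can refuse the wrong identifier and malformed payloads before anything is sent. It assumes the IoT Agent's UltraLight endpoint is `/iot/d` with query parameters `k` (apikey) and `i` (device id), takes host, port, apikey and service headers from the config.ini in the question, and uses a constructed device registry mirroring the SENSOR_TEMP registration (device NexusPro, entity Temp-Otterlo, object_id `otemp` mapped to the int attribute `temperature`).

```python
# Added example (not fiware-figway code): build a UL2.0 observation POST keyed by
# device_id, accepting the entity_name only to translate it, and validate the
# measurement payload against the device's registered attributes. Assumed endpoint:
# /iot/d?k=<apikey>&i=<device_id>, values from the question's config.ini.
import urllib.parse
import urllib.request

# Constructed registry mirroring the SENSOR_TEMP registration in the question
DEVICES = {
    "NexusPro": {
        "entity_name": "Temp-Otterlo",
        "attributes": {"otemp": ("temperature", "int")},   # object_id -> (name, type)
    }
}
IDAS = {
    "host": "130.206.80.40",
    "ul20port": 5371,
    "apikey": "4jggokgpepnvsb2uv4s40d59ov",
    "fiware_service": "bus_auto",
    "fiware_service_path": "/",
}


def parse_ul20(payload: str) -> dict:
    """'otemp|17|hum|60' -> {'otemp': '17', 'hum': '60'}; rejects odd-length payloads."""
    parts = payload.split("|")
    if len(parts) % 2 or not parts[0]:
        raise ValueError("UL2.0 payload must be object_id|value pairs")
    return dict(zip(parts[0::2], parts[1::2]))


def device_for(name: str) -> str:
    """Accept a device_id or an entity_name and always return the device_id, because
    the southbound API only knows devices; entities are a Context Broker concept."""
    if name in DEVICES:
        return name
    for dev_id, dev in DEVICES.items():
        if dev["entity_name"] == name:
            return dev_id
    raise KeyError(f"unknown device or entity {name!r}")


def build_observation(name: str, payload: str) -> urllib.request.Request:
    dev_id = device_for(name)
    registered = DEVICES[dev_id]["attributes"]
    for object_id, value in parse_ul20(payload).items():
        if object_id not in registered:
            raise ValueError(f"{object_id!r} is not a registered attribute of {dev_id}")
        _attr_name, attr_type = registered[object_id]
        if attr_type == "int":
            int(value)   # ValueError: the agent could not map this to an int attribute
    query = urllib.parse.urlencode({"k": IDAS["apikey"], "i": dev_id})
    url = f"http://{IDAS['host']}:{IDAS['ul20port']}/iot/d?{query}"
    return urllib.request.Request(
        url,
        data=payload.encode(),
        method="POST",
        headers={
            "Content-Type": "text/plain",
            "Fiware-Service": IDAS["fiware_service"],
            "Fiware-ServicePath": IDAS["fiware_service_path"],
        },
    )


def send_observation(name: str, payload: str) -> int:
    with urllib.request.urlopen(build_observation(name, payload), timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    req = build_observation("Temp-Otterlo", "otemp|17")   # translated to device NexusPro
    print(req.full_url)
```

Because the helper only ever puts a registered device_id into `i=`, running it with `Temp-Otterlo` does the right thing instead of silently posting an observation the agent cannot attribute to any device.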

XACML JSON Mandatory categories in request

I have a question about the 4 categories of the JSON Profile of XACML 3.0.
When I send a request in JSON from the PEP to the PDP, does the PEP always need to send AccessSubject, Resource, Action and Environment to the PDP, or can the PEP send any category in the JSON request?
This is the diagram of the JSON request.
A JSON request may contain any number of categories including custom categories. This applies to a XACML request whether it be encoded in JSON or XML (I am the editor of this profile and work for the company, Axiomatics, which implements it).
The JSON profile also defines 8 default categories which can be used. These category names are:
urn:oasis:names:tc:xacml:3.0:attribute-category:resource : Resource
urn:oasis:names:tc:xacml:3.0:attribute-category:action : Action
urn:oasis:names:tc:xacml:3.0:attribute-category:environment : Environment
urn:oasis:names:tc:xacml:1.0:subject-category:access-subject : AccessSubject
urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject : RecipientSubject
urn:oasis:names:tc:xacml:1.0:subject-category:intermediary-subject : IntermediarySubject
urn:oasis:names:tc:xacml:1.0:subject-category:codebase : Codebase
urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine : RequestingMachine
Here is an example which only uses 3 categories and uses their shorthand notation:
{
  "Request": {
    "AccessSubject": {
      "Attribute": [
        {"AttributeId": "com.acme.user.employeeId", "Value": "Alice"}
      ]
    },
    "Resource": {
      "Attribute": [
        {"AttributeId": "com.acme.record.recordId", "Value": "123"},
        {"AttributeId": "com.acme.object.objectType", "Value": "record"}
      ]
    },
    "Action": {
      "Attribute": [
        {"AttributeId": "com.acme.action.actionId", "Value": "view"}
      ]
    }
  }
}
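To make the "any number of categories, including custom ones" point concrete, here is an added example (not from the JSON profile text or from Axiomatics): a small builder that accepts categories by shorthand name or by full URN, emits the eight default categories under their shorthand keys as in the answer's request, and puts anything else in the generic `Category` array with a `CategoryId`. The `com.acme.*` attribute ids and the `urn:com:acme:xacml:category:device` custom category are constructed sample data; the shorthand names and URNs are the ones listed above.

```python
# Added example (not from the JSON profile or Axiomatics): build a JSON Profile
# request from any mix of default and custom categories. Attribute ids and the
# custom device category are constructed sample data.
import json

DEFAULT_CATEGORIES = {
    "urn:oasis:names:tc:xacml:3.0:attribute-category:resource": "Resource",
    "urn:oasis:names:tc:xacml:3.0:attribute-category:action": "Action",
    "urn:oasis:names:tc:xacml:3.0:attribute-category:environment": "Environment",
    "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject": "AccessSubject",
    "urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject": "RecipientSubject",
    "urn:oasis:names:tc:xacml:1.0:subject-category:intermediary-subject": "IntermediarySubject",
    "urn:oasis:names:tc:xacml:1.0:subject-category:codebase": "Codebase",
    "urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine": "RequestingMachine",
}
SHORTHAND = {name: urn for urn, name in DEFAULT_CATEGORIES.items()}


def build_request(categories: dict) -> dict:
    """categories maps a category (shorthand name or URN) to a list of
    (AttributeId, Value) pairs. Default categories are emitted under their
    shorthand key; anything else goes into the "Category" array with a CategoryId."""
    if not categories:
        raise ValueError("a request needs at least one category")
    request, custom = {}, []
    for cat, attrs in categories.items():
        attr_list = [{"AttributeId": aid, "Value": val} for aid, val in attrs]
        if not attr_list:
            raise ValueError(f"category {cat!r} has no attributes")
        if cat in SHORTHAND:
            request[cat] = {"Attribute": attr_list}
        elif cat in DEFAULT_CATEGORIES:
            request[DEFAULT_CATEGORIES[cat]] = {"Attribute": attr_list}
        else:
            custom.append({"CategoryId": cat, "Attribute": attr_list})
    if custom:
        request["Category"] = custom
    return {"Request": request}


def categories_in(request: dict) -> set:
    """PDP-side helper: the set of category URNs a received request carries."""
    found = set()
    for key, value in request["Request"].items():
        if key == "Category":
            found.update(c["CategoryId"] for c in value)
        elif key in SHORTHAND:
            found.add(SHORTHAND[key])
    return found


# Same three categories as the answer's example, plus one custom category
EXAMPLE = build_request({
    "AccessSubject": [("com.acme.user.employeeId", "Alice")],
    "Resource": [("com.acme.record.recordId", "123"),
                 ("com.acme.object.objectType", "record")],
    "Action": [("com.acme.action.actionId", "view")],
    "urn:com:acme:xacml:category:device": [("com.acme.device.managed", True)],
})

if __name__ == "__main__":
    print(json.dumps(EXAMPLE, indent=2))
```

Note that Environment is simply absent from the request: a category the PEP does not send is not an error, the PDP's policy just will not find attributes in it, so your policies should be written to handle missing categories (with MustBePresent where a value is genuinely required).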