From e2f8908d1149067b6996ae930cbb1453656d492c Mon Sep 17 00:00:00 2001
From: longze chen <cs.longze.chen@gmail.com>
Date: Mon, 4 Nov 2019 14:12:34 -0500
Subject: [PATCH 1/6] Implement a new Hibernate user type to support Postgres
 jsonb

---
 .../hibernate/OSFPostgreSQLDialect.java       |  36 +++++
 .../postgres/types/PostgresJsonbUserType.java | 135 ++++++++++++++++++
 etc/cas.properties                            |   2 +-
 3 files changed, 172 insertions(+), 1 deletion(-)
 create mode 100644 cas-server-support-osf/src/main/java/io/cos/cas/adaptors/postgres/hibernate/OSFPostgreSQLDialect.java
 create mode 100644 cas-server-support-osf/src/main/java/io/cos/cas/adaptors/postgres/types/PostgresJsonbUserType.java

diff --git a/cas-server-support-osf/src/main/java/io/cos/cas/adaptors/postgres/hibernate/OSFPostgreSQLDialect.java b/cas-server-support-osf/src/main/java/io/cos/cas/adaptors/postgres/hibernate/OSFPostgreSQLDialect.java
new file mode 100644
index 00000000..aea870cc
--- /dev/null
+++ b/cas-server-support-osf/src/main/java/io/cos/cas/adaptors/postgres/hibernate/OSFPostgreSQLDialect.java
@@ -0,0 +1,36 @@
+/*
+ * Licensed to the Center For Open Science (COS) under one or more
+ * contributor license agreements. See the NOTICE file distributed
+ * with this work for additional information regarding copyright
+ * ownership. COS licenses this file to you under the Apache
+ * License, Version 2.0 (the "License"); you may not use this file
+ * except in compliance with the License.  You may obtain a copy of
+ * the License at the following location:
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an "AS
+ * IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied.  See the License for the specific language
+ * governing permissions and limitations under the License.
+ */
+package io.cos.cas.adaptors.postgres.hibernate;
+
+import org.hibernate.dialect.PostgreSQL9Dialect;
+
+import java.sql.Types;
+
+/**
+ * Customized Postgres dialect that supports {@literal jsonb}.
+ *
+ * @author Longze Chen
+ * @since 19.4.0
+ */
+public class OSFPostgreSQLDialect extends PostgreSQL9Dialect {
+
+    /** The default constructor. */
+    public OSFPostgreSQLDialect() {
+        this.registerColumnType(Types.JAVA_OBJECT, "jsonb");
+    }
+}
diff --git a/cas-server-support-osf/src/main/java/io/cos/cas/adaptors/postgres/types/PostgresJsonbUserType.java b/cas-server-support-osf/src/main/java/io/cos/cas/adaptors/postgres/types/PostgresJsonbUserType.java
new file mode 100644
index 00000000..0143b5c5
--- /dev/null
+++ b/cas-server-support-osf/src/main/java/io/cos/cas/adaptors/postgres/types/PostgresJsonbUserType.java
@@ -0,0 +1,135 @@
+/*
+ * Licensed to the Center For Open Science (COS) under one or more
+ * contributor license agreements. See the NOTICE file distributed
+ * with this work for additional information regarding copyright
+ * ownership. COS licenses this file to you under the Apache
+ * License, Version 2.0 (the "License"); you may not use this file
+ * except in compliance with the License.  You may obtain a copy of
+ * the License at the following location:
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an "AS
+ * IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied.  See the License for the specific language
+ * governing permissions and limitations under the License.
+ */
+
+package io.cos.cas.adaptors.postgres.types;
+
+import com.google.gson.JsonObject;
+import com.google.gson.JsonParser;
+import com.google.gson.JsonSyntaxException;
+
+import org.hibernate.cfg.NotYetImplementedException;
+import org.hibernate.engine.spi.SessionImplementor;
+import org.hibernate.HibernateException;
+import org.hibernate.usertype.UserType;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.Serializable;
+import java.sql.PreparedStatement;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.sql.Types;
+
+/**
+ * Customized Hibernate data type for Postgres {@literal jsonb}.
+ *
+ * {@link com.google.gson.JsonObject} is used as the object type / class for Postgres {@literal jsonb}.
+ *
+ * CAS only has read-access to the OSF DB. Thus, 1) the type is immutable; 2) {@link this#nullSafeGet} is not
+ * implemented; 3) {@link this#deepCopy} simply returns the argument. Several methods are implemented with default /
+ * minimal behavior by using the {@link this#deepCopy}.
+ *
+ * @author Longze Chen
+ * @since 19.4.0
+ */
+public class PostgresJsonbUserType implements UserType {
+
+    private final Logger logger = LoggerFactory.getLogger(this.getClass());
+
+    @Override
+    public int[] sqlTypes() {
+        return new int[]{Types.JAVA_OBJECT};
+    }
+
+    @Override
+    public Class returnedClass() {
+        return JsonObject.class;
+    }
+
+    @Override
+    public boolean equals(final Object x, final Object y) throws HibernateException {
+        if (x == null) {
+            return y == null;
+        }
+        return x.equals(y);
+    }
+
+    @Override
+    public int hashCode(final Object x) throws HibernateException {
+        return x.hashCode();
+    }
+
+    @Override
+    public Object nullSafeGet(
+            final ResultSet rs,
+            final String[] names,
+            final SessionImplementor session,
+            final Object owner
+    ) throws HibernateException, SQLException {
+        final String jsonString = rs.getString(names[0]);
+        if (jsonString == null) {
+            return null;
+        }
+        try {
+            final JsonParser jsonParser = new JsonParser();
+            return jsonParser.parse(jsonString).getAsJsonObject();
+        } catch (final JsonSyntaxException | IllegalStateException e) {
+            logger.error("PostgresJsonbUserType.nullSafeGet(): failed to convert Java JSON String to GSON JsonObject:");
+            throw new RuntimeException("Failed to convert Java JSON String to GSON JsonObject: " + e.getMessage());
+        }
+    }
+
+    // There is no need to implement this class since CAS only has read-access to the OSF DB.
+    @Override
+    public void nullSafeSet(
+            final PreparedStatement st,
+            final Object value,
+            final int index,
+            final SessionImplementor session
+    ) throws HibernateException {
+        throw new NotYetImplementedException();
+    }
+
+    // Immutable object: simply return the argument.
+    @Override
+    public Object deepCopy(final Object value) throws HibernateException {
+        return value;
+    }
+
+    // Objects of this type is immutable.
+    @Override
+    public boolean isMutable() {
+        return false;
+    }
+
+    @Override
+    public Serializable disassemble(final Object value) throws HibernateException {
+        return (Serializable) this.deepCopy(value);
+    }
+
+    @Override
+    public Object assemble(final Serializable cached, final Object owner) throws HibernateException {
+        return this.deepCopy(cached);
+    }
+
+    @Override
+    public Object replace(final Object original, final Object target, final Object owner) throws HibernateException {
+        return this.deepCopy(original);
+    }
+}
diff --git a/etc/cas.properties b/etc/cas.properties
index e578b977..207985ff 100644
--- a/etc/cas.properties
+++ b/etc/cas.properties
@@ -99,7 +99,7 @@ osf.database.driverClass=org.postgresql.Driver
 osf.database.url=jdbc:postgresql://192.168.168.167:5432/osf?targetServerType=master
 osf.database.user=postgres
 osf.database.password=
-osf.database.hibernate.dialect=org.hibernate.dialect.PostgreSQL82Dialect
+osf.database.hibernate.dialect=io.cos.cas.adaptors.postgres.hibernate.OSFPostgreSQLDialect
 
 ##
 # OAuth Provider

From acd85b038d63f15282259be2291ba02992fb50c8 Mon Sep 17 00:00:00 2001
From: longze chen <cs.longze.chen@gmail.com>
Date: Mon, 4 Nov 2019 16:13:02 -0500
Subject: [PATCH 2/6] Remove Hibernate customized user type StringArrayUserType

This user type was created / used for the varchar[] emails column in the
OSF user table, which is no longer present after emails became its own
table with the user as a foreign key.
---
 .../postgres/types/StringListUserType.java    | 109 ------------------
 .../spring-configuration/dataSource.xml       |   3 -
 2 files changed, 112 deletions(-)
 delete mode 100644 cas-server-support-osf/src/main/java/io/cos/cas/adaptors/postgres/types/StringListUserType.java

diff --git a/cas-server-support-osf/src/main/java/io/cos/cas/adaptors/postgres/types/StringListUserType.java b/cas-server-support-osf/src/main/java/io/cos/cas/adaptors/postgres/types/StringListUserType.java
deleted file mode 100644
index 53aa7472..00000000
--- a/cas-server-support-osf/src/main/java/io/cos/cas/adaptors/postgres/types/StringListUserType.java
+++ /dev/null
@@ -1,109 +0,0 @@
-/*
- * Copyright (c) 2016. Center for Open Science
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package io.cos.cas.adaptors.postgres.types;
-
-import org.hibernate.HibernateException;
-import org.hibernate.engine.spi.SessionImplementor;
-import org.hibernate.usertype.UserType;
-
-import java.io.Serializable;
-import java.sql.Array;
-import java.sql.PreparedStatement;
-import java.sql.SQLException;
-import java.sql.ResultSet;
-import java.sql.Types;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.List;
-
-/**
- * The String List User Type.
- *
- * @author Longze Chen
- * @since 4.0.1
- */
-public class StringListUserType implements UserType {
-
-    @Override
-    public int[] sqlTypes() {
-        return new int[] {Types.ARRAY};
-    }
-
-    @Override
-    public Class returnedClass() {
-        return List.class;
-    }
-
-    @Override
-    public boolean equals(final Object o1, final Object o2) throws HibernateException {
-        return o1.equals(o2);
-    }
-
-    @Override
-    public int hashCode(final Object o) throws HibernateException {
-        return o != null ? o.hashCode() : 0;
-    }
-
-    @Override
-    public Object nullSafeGet(
-            final ResultSet resultSet,
-            final String[] names,
-            final SessionImplementor sessionImplementor,
-            final Object owner
-        ) throws HibernateException, SQLException {
-
-        final Array array = resultSet.getArray(names[0]);
-        if (!resultSet.wasNull() && array != null) {
-            return new ArrayList<>(Arrays.asList((String[]) array.getArray()));
-        }
-        return null;
-    }
-
-    @Override
-    public void nullSafeSet(
-            final PreparedStatement preparedStatement,
-            final Object value,
-            final int index,
-            final SessionImplementor sessionImplementor
-        ) throws HibernateException, SQLException {
-        // no need to implement this method since CAS is postgres readonly.
-    }
-
-    @Override
-    public Object deepCopy(final Object value) throws HibernateException {
-        return value;
-    }
-
-    @Override
-    public boolean isMutable() {
-        return false;
-    }
-
-    @Override
-    public Serializable disassemble(final Object value) throws HibernateException {
-        return (Serializable) value;
-    }
-
-    @Override
-    public Object assemble(final Serializable cached, final Object owner) throws HibernateException {
-        return cached;
-    }
-
-    @Override
-    public Object replace(final Object original, final Object target, final Object owner) throws HibernateException {
-        return original;
-    }
-}
diff --git a/cas-server-webapp/src/main/webapp/WEB-INF/spring-configuration/dataSource.xml b/cas-server-webapp/src/main/webapp/WEB-INF/spring-configuration/dataSource.xml
index 5a03b889..518105bb 100644
--- a/cas-server-webapp/src/main/webapp/WEB-INF/spring-configuration/dataSource.xml
+++ b/cas-server-webapp/src/main/webapp/WEB-INF/spring-configuration/dataSource.xml
@@ -69,9 +69,6 @@
     <bean id="openScienceFrameworkApiOauth2PersonalAccessToken" class="io.cos.cas.adaptors.postgres.models.OpenScienceFrameworkApiOauth2PersonalAccessToken" />
     <bean id="openScienceFrameworkApiOauthApplication" class="io.cos.cas.adaptors.postgres.models.OpenScienceFrameworkApiOauth2Application" />
 
-    <!-- Custom User Types -->
-    <bean id="openScienceFrameWorkTypesStringList" class="io.cos.cas.adaptors.postgres.types.StringListUserType" />
-
     <!-- OSF DAOS -->
     <bean id="openScienceFrameworkDao" class="io.cos.cas.adaptors.postgres.daos.OpenScienceFrameworkDaoImpl" />
 

From c94e586d59752526589b5a1f5ff68da6168a270b Mon Sep 17 00:00:00 2001
From: longze chen <cs.longze.chen@gmail.com>
Date: Tue, 5 Nov 2019 10:16:14 -0500
Subject: [PATCH 3/6] User status check now handles unconfirmed via ORCiD
 signup

---
 ...ScienceFrameworkAuthenticationHandler.java | 101 +++++++++++++-----
 .../models/OpenScienceFrameworkUser.java      |  21 +++-
 2 files changed, 93 insertions(+), 29 deletions(-)

diff --git a/cas-server-support-osf/src/main/java/io/cos/cas/adaptors/postgres/handlers/OpenScienceFrameworkAuthenticationHandler.java b/cas-server-support-osf/src/main/java/io/cos/cas/adaptors/postgres/handlers/OpenScienceFrameworkAuthenticationHandler.java
index f2b7469f..8acd7c0a 100644
--- a/cas-server-support-osf/src/main/java/io/cos/cas/adaptors/postgres/handlers/OpenScienceFrameworkAuthenticationHandler.java
+++ b/cas-server-support-osf/src/main/java/io/cos/cas/adaptors/postgres/handlers/OpenScienceFrameworkAuthenticationHandler.java
@@ -15,35 +15,38 @@
  */
 package io.cos.cas.adaptors.postgres.handlers;
 
-import java.nio.charset.StandardCharsets;
-import java.security.GeneralSecurityException;
-import java.security.MessageDigest;
-import java.util.HashMap;
-import java.util.Map;
+import com.google.gson.JsonElement;
+import com.google.gson.JsonObject;
 
+import io.cos.cas.adaptors.postgres.daos.OpenScienceFrameworkDaoImpl;
 import io.cos.cas.adaptors.postgres.models.OpenScienceFrameworkGuid;
 import io.cos.cas.adaptors.postgres.models.OpenScienceFrameworkTimeBasedOneTimePassword;
 import io.cos.cas.adaptors.postgres.models.OpenScienceFrameworkUser;
-import io.cos.cas.adaptors.postgres.daos.OpenScienceFrameworkDaoImpl;
 import io.cos.cas.authentication.InvalidVerificationKeyException;
 import io.cos.cas.authentication.LoginNotAllowedException;
 import io.cos.cas.authentication.OneTimePasswordFailedLoginException;
 import io.cos.cas.authentication.OneTimePasswordRequiredException;
 import io.cos.cas.authentication.OpenScienceFrameworkCredential;
-
 import io.cos.cas.authentication.ShouldNotHappenException;
 import io.cos.cas.authentication.oath.TotpUtils;
+
 import org.jasig.cas.authentication.AccountDisabledException;
 import org.jasig.cas.authentication.Credential;
-import org.jasig.cas.authentication.HandlerResult;
-import org.jasig.cas.authentication.PreventedException;
 import org.jasig.cas.authentication.handler.NoOpPrincipalNameTransformer;
 import org.jasig.cas.authentication.handler.PrincipalNameTransformer;
 import org.jasig.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler;
+import org.jasig.cas.authentication.HandlerResult;
+import org.jasig.cas.authentication.PreventedException;
 
 import org.springframework.beans.factory.InitializingBean;
 import org.springframework.security.crypto.bcrypt.BCrypt;
 
+import java.nio.charset.StandardCharsets;
+import java.security.GeneralSecurityException;
+import java.security.MessageDigest;
+import java.util.HashMap;
+import java.util.Map;
+
 import javax.security.auth.login.AccountNotFoundException;
 import javax.security.auth.login.FailedLoginException;
 import javax.validation.constraints.NotNull;
@@ -54,7 +57,7 @@
  *
  * @author Michael Haselton
  * @author Longze Chen
- * @since 4.1.0
+ * @since 19.0.0
  */
 public class OpenScienceFrameworkAuthenticationHandler extends AbstractPreAndPostProcessingAuthenticationHandler
         implements InitializingBean {
@@ -65,7 +68,8 @@ public class OpenScienceFrameworkAuthenticationHandler extends AbstractPreAndPos
 
     // user status
     private static final String USER_ACTIVE = "ACTIVE";
-    private static final String USER_NOT_CONFIRMED = "NOT_CONFIRMED";
+    private static final String USER_NOT_CONFIRMED_OSF = "NOT_CONFIRMED_OSF";
+    private static final String USER_NOT_CONFIRMED_IDP = "NOT_CONFIRMED_IDP";
     private static final String USER_NOT_CLAIMED = "NOT_CLAIMED";
     private static final String USER_MERGED = "MERGED";
     private static final String USER_DISABLED = "DISABLED";
@@ -183,7 +187,7 @@ protected final HandlerResult authenticateInternal(final OpenScienceFrameworkCre
         }
 
         // Check user's status, and only ACTIVE user can sign in
-        if (USER_NOT_CONFIRMED.equals(userStatus)) {
+        if (USER_NOT_CONFIRMED_OSF.equals(userStatus) || USER_NOT_CONFIRMED_IDP.equals(userStatus)) {
             throw new LoginNotAllowedException(username + " is registered but not confirmed");
         } else if (USER_DISABLED.equals(userStatus)) {
             throw new AccountDisabledException(username + " is disabled");
@@ -215,24 +219,28 @@ public boolean supports(final Credential credential) {
     }
 
     /**
-     * Verify user status.
+     * Check and verify user status.
+     *
+     * USER_ACTIVE:             The user is active.
+     *
+     * USER_NOT_CONFIRMED_OSF:  The user is created via default username / password sign-up but not confirmed.
      *
-     * USER_ACTIVE:             Active user found, proceed.
+     * USER_NOT_CONFIRMED_IDP:  The user is created via via external IdP (e.g. ORCiD) login but not confirmed.
      *
-     * USER_NOT_CONFIRMED:      Inform users that the account is created but not confirmed. In addition, provide them
-     *                          with a link to resend confirmation email.
+     * USER_NOT_CLAIMED:        The user is created as an unclaimed contributor but not claimed.
      *
-     * USER_DISABLED:           Inform users that the account is disable and that they should contact OSF support.
+     * USER_DISABLED:           The user has been deactivated.
      *
-     * USER_MERGED,
-     * USER_NOT_CLAIMED,
-     * USER_STATUS_UNKNOWN:     These three are internal or invalid user status that are not supposed to happen with
-     *                          normal authentication and authorization flow.
+     * USER_MERGED:             The user has been merged into another user.
      *
-     * @param user the OSF user
-     * @return the user status
+     * USER_STATUS_UNKNOWN:     Unknown or invalid status. This usually indicates that there is something wrong with
+     *                          the OSF-CAS auth logic and / or the OSF user model.
+     *
+     * @param user an {@link OpenScienceFrameworkUser} instance
+     * @return a {@link String} that represents the user status
      */
     private String verifyUserStatus(final OpenScienceFrameworkUser user) {
+
         // An active user must be registered, not disabled, not merged and has a not null password.
         // Only active users can pass the verification.
         if (user.isActive()) {
@@ -240,17 +248,29 @@ private String verifyUserStatus(final OpenScienceFrameworkUser user) {
             return USER_ACTIVE;
         } else {
             // If the user instance is neither registered nor not confirmed, it can be either an unclaimed contributor
-            // or a newly created user pending confirmation. The difference is whether it has a usable password.
+            // or a newly created user pending confirmation.
             if (!user.isRegistered() && !user.isConfirmed()) {
                 if (isUnusablePassword(user.getPassword())) {
-                    // If the user instance has an unusable password, it must be an unclaimed contributor.
+                    // If the user instance has an unusable password but also has a pending external identity "CREATE"
+                    // confirmation, it must be an unconfirmed user created via external IdP login.
+                    try {
+                        if (isCreatedByExternalIdp(user.getExternalIdentity())) {
+                            logger.info("User Status Check: {}", USER_NOT_CONFIRMED_IDP);
+                            return USER_NOT_CONFIRMED_IDP;
+                        }
+                    } catch (final ShouldNotHappenException e) {
+                        logger.error("User Status Check: {}", USER_STATUS_UNKNOWN);
+                        return USER_STATUS_UNKNOWN;
+                    }
+                    // If the user instance has an unusable password without any pending external identity "CREATE"
+                    // confirmation, it must be an unclaimed contributor.
                     logger.info("User Status Check: {}", USER_NOT_CLAIMED);
                     return USER_NOT_CLAIMED;
                 } else if (checkPasswordPrefix(user.getPassword())) {
                     // If the user instance has a password with a valid prefix, it must be a unconfirmed user who
                     // has registered for a new account.
-                    logger.info("User Status Check: {}", USER_NOT_CONFIRMED);
-                    return USER_NOT_CONFIRMED;
+                    logger.info("User Status Check: {}", USER_NOT_CONFIRMED_OSF);
+                    return USER_NOT_CONFIRMED_OSF;
                 }
             }
             // If the user instance has been merged by another user, it stays registered and confirmed. The username is
@@ -307,6 +327,33 @@ private boolean verifyPassword(final String plainTextPassword, final String user
         }
     }
 
+    /**
+     * Check if the user instance is created by an external identity provider and is pending confirmation.
+     *
+     * @param externalIdentity a {@link JsonObject} that stores all external identities of a user instance
+     * @return {@code true} if so and {@code false} otherwise
+     * @throws ShouldNotHappenException if {@code externalIdentity} fails JSON parsing.
+     */
+    private boolean isCreatedByExternalIdp(final JsonObject externalIdentity) throws ShouldNotHappenException {
+
+        for (final Map.Entry<String, JsonElement> provider : externalIdentity.entrySet()) {
+            try {
+                for (final Map.Entry<String, JsonElement> identity : provider.getValue().getAsJsonObject().entrySet()) {
+                    if (!identity.getValue().isJsonPrimitive()) {
+                        throw new ShouldNotHappenException();
+                    }
+                    if ("CREATE".equals(identity.getValue().getAsString())) {
+                        logger.info("New and unconfirmed OSF user: {} : {}", identity.getKey(), identity.getValue().toString());
+                        return true;
+                    }
+                }
+            } catch (final IllegalStateException e) {
+                throw new ShouldNotHappenException();
+            }
+        }
+        return false;
+    }
+
     /**
      * Check if the password hash is "django-unusable".
      *
diff --git a/cas-server-support-osf/src/main/java/io/cos/cas/adaptors/postgres/models/OpenScienceFrameworkUser.java b/cas-server-support-osf/src/main/java/io/cos/cas/adaptors/postgres/models/OpenScienceFrameworkUser.java
index faceb683..69e6ea5d 100644
--- a/cas-server-support-osf/src/main/java/io/cos/cas/adaptors/postgres/models/OpenScienceFrameworkUser.java
+++ b/cas-server-support-osf/src/main/java/io/cos/cas/adaptors/postgres/models/OpenScienceFrameworkUser.java
@@ -15,6 +15,15 @@
  */
 package io.cos.cas.adaptors.postgres.models;
 
+import com.google.gson.JsonObject;
+
+import io.cos.cas.adaptors.postgres.types.PostgresJsonbUserType;
+
+import org.hibernate.annotations.Type;
+import org.hibernate.annotations.TypeDef;
+
+import java.util.Date;
+
 import javax.persistence.Column;
 import javax.persistence.Entity;
 import javax.persistence.Id;
@@ -23,17 +32,17 @@
 import javax.persistence.Table;
 import javax.persistence.Temporal;
 import javax.persistence.TemporalType;
-import java.util.Date;
 
 /**
  * The Open Science Framework User.
  *
  * @author Michael Haselton
  * @author Longze Chen
- * @since 4.1.0
+ * @since 19.0.0
  */
 @Entity
 @Table(name = "osf_osfuser")
+@TypeDef(name = "PostgresJsonb", typeClass = PostgresJsonbUserType.class)
 public final class OpenScienceFrameworkUser {
 
     @Id
@@ -46,6 +55,10 @@ public final class OpenScienceFrameworkUser {
     @Column(name = "password", nullable = false)
     private String password;
 
+    @Column(name = "external_identity")
+    @Type(type = "PostgresJsonb")
+    private JsonObject externalIdentity;
+
     @Column(name = "verification_key")
     private String verificationKey;
 
@@ -85,6 +98,10 @@ public String getPassword() {
         return password;
     }
 
+    public JsonObject getExternalIdentity() {
+        return externalIdentity;
+    }
+
     public String getVerificationKey() {
         return verificationKey;
     }

From ba40059d7e9391a5fa86df9aa0ff433c55039400 Mon Sep 17 00:00:00 2001
From: longze chen <cs.longze.chen@gmail.com>
Date: Fri, 31 Jan 2020 14:43:23 -0500
Subject: [PATCH 4/6] Fix license and "since" tag for two new classes

---
 .../hibernate/OSFPostgreSQLDialect.java       | 24 ++++++++---------
 .../postgres/types/PostgresJsonbUserType.java | 26 +++++++++----------
 2 files changed, 23 insertions(+), 27 deletions(-)

diff --git a/cas-server-support-osf/src/main/java/io/cos/cas/adaptors/postgres/hibernate/OSFPostgreSQLDialect.java b/cas-server-support-osf/src/main/java/io/cos/cas/adaptors/postgres/hibernate/OSFPostgreSQLDialect.java
index aea870cc..79baa113 100644
--- a/cas-server-support-osf/src/main/java/io/cos/cas/adaptors/postgres/hibernate/OSFPostgreSQLDialect.java
+++ b/cas-server-support-osf/src/main/java/io/cos/cas/adaptors/postgres/hibernate/OSFPostgreSQLDialect.java
@@ -1,19 +1,17 @@
 /*
- * Licensed to the Center For Open Science (COS) under one or more
- * contributor license agreements. See the NOTICE file distributed
- * with this work for additional information regarding copyright
- * ownership. COS licenses this file to you under the Apache
- * License, Version 2.0 (the "License"); you may not use this file
- * except in compliance with the License.  You may obtain a copy of
- * the License at the following location:
+ * Copyright (c) 2020. Center for Open Science
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an "AS
- * IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
- * express or implied.  See the License for the specific language
- * governing permissions and limitations under the License.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  */
 package io.cos.cas.adaptors.postgres.hibernate;
 
@@ -25,7 +23,7 @@
  * Customized Postgres dialect that supports {@literal jsonb}.
  *
  * @author Longze Chen
- * @since 19.4.0
+ * @since 20.0.0
  */
 public class OSFPostgreSQLDialect extends PostgreSQL9Dialect {
 
diff --git a/cas-server-support-osf/src/main/java/io/cos/cas/adaptors/postgres/types/PostgresJsonbUserType.java b/cas-server-support-osf/src/main/java/io/cos/cas/adaptors/postgres/types/PostgresJsonbUserType.java
index 0143b5c5..925382e2 100644
--- a/cas-server-support-osf/src/main/java/io/cos/cas/adaptors/postgres/types/PostgresJsonbUserType.java
+++ b/cas-server-support-osf/src/main/java/io/cos/cas/adaptors/postgres/types/PostgresJsonbUserType.java
@@ -1,19 +1,17 @@
 /*
- * Licensed to the Center For Open Science (COS) under one or more
- * contributor license agreements. See the NOTICE file distributed
- * with this work for additional information regarding copyright
- * ownership. COS licenses this file to you under the Apache
- * License, Version 2.0 (the "License"); you may not use this file
- * except in compliance with the License.  You may obtain a copy of
- * the License at the following location:
+ * Copyright (c) 2020. Center for Open Science
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an "AS
- * IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
- * express or implied.  See the License for the specific language
- * governing permissions and limitations under the License.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  */
 
 package io.cos.cas.adaptors.postgres.types;
@@ -41,12 +39,12 @@
  *
  * {@link com.google.gson.JsonObject} is used as the object type / class for Postgres {@literal jsonb}.
  *
- * CAS only has read-access to the OSF DB. Thus, 1) the type is immutable; 2) {@link this#nullSafeGet} is not
+ * CAS only has read-access to the OSF database. Thus, 1) the type is immutable; 2) {@link this#nullSafeGet} is not
  * implemented; 3) {@link this#deepCopy} simply returns the argument. Several methods are implemented with default /
  * minimal behavior by using the {@link this#deepCopy}.
  *
  * @author Longze Chen
- * @since 19.4.0
+ * @since 20.0.0
  */
 public class PostgresJsonbUserType implements UserType {
 

From c14dc5fe8dc78ca9de8c968c44612f7ca4cc62b6 Mon Sep 17 00:00:00 2001
From: longze chen <cs.longze.chen@gmail.com>
Date: Fri, 31 Jan 2020 15:45:03 -0500
Subject: [PATCH 5/6] Use a new exception for IdP unconfirmed account

---
 ...ScienceFrameworkAuthenticationHandler.java |  7 ++-
 .../AccountNotConfirmedIdPLoginException.java | 45 +++++++++++++++++++
 ...ameworkAuthenticationExceptionHandler.java |  2 +
 .../src/main/resources/messages.properties    |  2 +
 .../ui/casAccountNotConfirmedIdPLoginView.jsp | 41 +++++++++++++++++
 .../WEB-INF/webflow/login/login-webflow.xml   |  2 +
 6 files changed, 97 insertions(+), 2 deletions(-)
 create mode 100644 cas-server-support-osf/src/main/java/io/cos/cas/authentication/exceptions/AccountNotConfirmedIdPLoginException.java
 create mode 100644 cas-server-webapp/src/main/webapp/WEB-INF/view/jsp/default/ui/casAccountNotConfirmedIdPLoginView.jsp

diff --git a/cas-server-support-osf/src/main/java/io/cos/cas/adaptors/postgres/handlers/OpenScienceFrameworkAuthenticationHandler.java b/cas-server-support-osf/src/main/java/io/cos/cas/adaptors/postgres/handlers/OpenScienceFrameworkAuthenticationHandler.java
index 8acd7c0a..90b5c8f1 100644
--- a/cas-server-support-osf/src/main/java/io/cos/cas/adaptors/postgres/handlers/OpenScienceFrameworkAuthenticationHandler.java
+++ b/cas-server-support-osf/src/main/java/io/cos/cas/adaptors/postgres/handlers/OpenScienceFrameworkAuthenticationHandler.java
@@ -28,6 +28,7 @@
 import io.cos.cas.authentication.OneTimePasswordRequiredException;
 import io.cos.cas.authentication.OpenScienceFrameworkCredential;
 import io.cos.cas.authentication.ShouldNotHappenException;
+import io.cos.cas.authentication.exceptions.AccountNotConfirmedIdPLoginException;
 import io.cos.cas.authentication.oath.TotpUtils;
 
 import org.jasig.cas.authentication.AccountDisabledException;
@@ -187,9 +188,11 @@ protected final HandlerResult authenticateInternal(final OpenScienceFrameworkCre
         }
 
         // Check user's status, and only ACTIVE user can sign in
-        if (USER_NOT_CONFIRMED_OSF.equals(userStatus) || USER_NOT_CONFIRMED_IDP.equals(userStatus)) {
+        if (USER_NOT_CONFIRMED_OSF.equals(userStatus)) {
             throw new LoginNotAllowedException(username + " is registered but not confirmed");
-        } else if (USER_DISABLED.equals(userStatus)) {
+        } else if (USER_NOT_CONFIRMED_IDP.equals(userStatus)) {
+            throw new AccountNotConfirmedIdPLoginException(username + " is registered via external IdP but not confirmed ");
+        }  else if (USER_DISABLED.equals(userStatus)) {
             throw new AccountDisabledException(username + " is disabled");
         } else if (USER_NOT_CLAIMED.equals(userStatus)) {
             throw new ShouldNotHappenException(username + " is not claimed");
diff --git a/cas-server-support-osf/src/main/java/io/cos/cas/authentication/exceptions/AccountNotConfirmedIdPLoginException.java b/cas-server-support-osf/src/main/java/io/cos/cas/authentication/exceptions/AccountNotConfirmedIdPLoginException.java
new file mode 100644
index 00000000..94c9ec02
--- /dev/null
+++ b/cas-server-support-osf/src/main/java/io/cos/cas/authentication/exceptions/AccountNotConfirmedIdPLoginException.java
@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 2020. Center for Open Science
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.cos.cas.authentication.exceptions;
+
+import javax.security.auth.login.AccountException;
+
+/**
+ * Describes an error condition where authentication occurs from an unconfirmed account created by external identity
+ * provider (IdP) login. This exception only applies to IdPs that require user email confirmation. Currently, there
+ * is only one: ORCiD. Institution IdPs do not require user email confirmation.
+ *
+ * @author Longze Chen
+ * @since 20.0.0
+ */
+public class AccountNotConfirmedIdPLoginException extends AccountException {
+
+    private static final long serialVersionUID = 2165106893184566462L;
+
+    /** Instantiates a new exception (default). */
+    public AccountNotConfirmedIdPLoginException() {
+        super();
+    }
+
+    /**
+     * Instantiates a new exception with a given message.
+     *
+     * @param message the message
+     */
+    public AccountNotConfirmedIdPLoginException(final String message) {
+        super(message);
+    }
+}
diff --git a/cas-server-support-osf/src/main/java/io/cos/cas/web/flow/OpenScienceFrameworkAuthenticationExceptionHandler.java b/cas-server-support-osf/src/main/java/io/cos/cas/web/flow/OpenScienceFrameworkAuthenticationExceptionHandler.java
index 6111cd62..e89494b1 100644
--- a/cas-server-support-osf/src/main/java/io/cos/cas/web/flow/OpenScienceFrameworkAuthenticationExceptionHandler.java
+++ b/cas-server-support-osf/src/main/java/io/cos/cas/web/flow/OpenScienceFrameworkAuthenticationExceptionHandler.java
@@ -20,6 +20,7 @@
 import java.util.List;
 import java.util.Set;
 
+import io.cos.cas.authentication.exceptions.AccountNotConfirmedIdPLoginException;
 import io.cos.cas.authentication.exceptions.CasClientLoginException;
 import io.cos.cas.authentication.exceptions.DelegatedLoginException;
 import io.cos.cas.authentication.exceptions.OrcidClientLoginException;
@@ -81,6 +82,7 @@ public class OpenScienceFrameworkAuthenticationExceptionHandler extends Authenti
     static {
         DEFAULT_ERROR_LIST.add(InvalidVerificationKeyException.class);
         DEFAULT_ERROR_LIST.add(LoginNotAllowedException.class);
+        DEFAULT_ERROR_LIST.add(AccountNotConfirmedIdPLoginException.class);
         DEFAULT_ERROR_LIST.add(ShouldNotHappenException.class);
         DEFAULT_ERROR_LIST.add(RemoteUserFailedLoginException.class);
         DEFAULT_ERROR_LIST.add(OneTimePasswordFailedLoginException.class);
diff --git a/cas-server-webapp/src/main/resources/messages.properties b/cas-server-webapp/src/main/resources/messages.properties
index 0fdc43e8..5496732f 100644
--- a/cas-server-webapp/src/main/resources/messages.properties
+++ b/cas-server-webapp/src/main/resources/messages.properties
@@ -146,6 +146,8 @@ screen.badworkstation.message=Please contact <a style="white-space: nowrap" href
 # OSF Login Failure Pages
 screen.loginnotallowed.heading=Account not confirmed
 screen.loginnotallowed.message=The OSF account associated with the email has been registered but not confirmed.  Please check your email (and spam folder) or click the button below to resend your confirmation email.
+screen.accountnotconfirmed.idplogin.heading=Account not confirmed
+screen.accountnotconfirmed.idplogin.message=The OSF account associated with the email has been registered but not confirmed. Our records show that this account was created via ORCiD login. Please check your email (and spam folder) for the confirmation link. If you believe this should not happen, please contact <a style="white-space: nowrap" href="mailto:support@osf.io">OSF Support</a>.
 screen.loginnotallowed.button.resendConfirmation=Resend confirmation email
 screen.accountdisabled.heading=Account disabled
 screen.accountdisabled.message=The OSF account associated with the email has been disabled.  Please contact <a style="white-space: nowrap" href="mailto:support@osf.io">OSF Support</a> to regain access.
diff --git a/cas-server-webapp/src/main/webapp/WEB-INF/view/jsp/default/ui/casAccountNotConfirmedIdPLoginView.jsp b/cas-server-webapp/src/main/webapp/WEB-INF/view/jsp/default/ui/casAccountNotConfirmedIdPLoginView.jsp
new file mode 100644
index 00000000..37d9237d
--- /dev/null
+++ b/cas-server-webapp/src/main/webapp/WEB-INF/view/jsp/default/ui/casAccountNotConfirmedIdPLoginView.jsp
@@ -0,0 +1,41 @@
+<%--
+
+    Copyright (c) 2020. Center for Open Science
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+
+--%>
+
+<%-- Login exception page: account created via external IdP login but not confirmed --%>
+
+<jsp:directive.include file="includes/top.jsp"/>
+
+<div id="msg" class="errors">
+    <h2><spring:message code="screen.accountnotconfirmed.idplogin.heading"/></h2>
+    <p><spring:message code="screen.accountnotconfirmed.idplogin.message"/></p>
+</div>
+
+<spring:message code="screen.osf.login.message.error" var="errorDescription"/>
+<script>
+    description = document.getElementById("description");
+    if (description != null) {
+        description.innerHTML = "<br><br>${errorDescription}";
+    }
+</script>
+
+<c:set var="linkSignIn" value="true"/>
+<c:set var="linkSignOut" value="false"/>
+<c:set var="linkCreateAccount" value="true"/>
+<c:set var="linkBackToOsf" value="true"/>
+
+<jsp:directive.include file="includes/bottom.jsp"/>
diff --git a/cas-server-webapp/src/main/webapp/WEB-INF/webflow/login/login-webflow.xml b/cas-server-webapp/src/main/webapp/WEB-INF/webflow/login/login-webflow.xml
index 669a64cb..6eda205c 100644
--- a/cas-server-webapp/src/main/webapp/WEB-INF/webflow/login/login-webflow.xml
+++ b/cas-server-webapp/src/main/webapp/WEB-INF/webflow/login/login-webflow.xml
@@ -205,6 +205,7 @@
         <!-- Customized exceptions for OSF -->
         <transition on="InvalidVerificationKeyException" to="casInvalidVerificationKeyView" />
         <transition on="LoginNotAllowedException" to="casLoginNotAllowedView" />
+        <transition on="AccountNotConfirmedIdPLoginException" to="casAccountNotConfirmedIdPLoginView" />
         <transition on="ShouldNotHappenException" to="casShouldNotHappenView" />
         <transition on="RemoteUserFailedLoginException" to="casRemoteUserFailedLoginView" />
         <transition on="OneTimePasswordRequiredException" to="casOtpLoginView"/>
@@ -283,6 +284,7 @@
     <end-state id="casBadHoursView" view="casBadHoursView"/>
     <end-state id="casBadWorkstationView" view="casBadWorkstationView"/>
     <end-state id="casLoginNotAllowedView" view="casLoginNotAllowedView" />
+    <end-state id="casAccountNotConfirmedIdPLoginView" view="casAccountNotConfirmedIdPLoginView" />
     <end-state id="casShouldNotHappenView" view="casShouldNotHappenView" />
     <end-state id="casRemoteUserFailedLoginView" view="casRemoteUserFailedLoginView" />
     <end-state id="casInvalidVerificationKeyView" view="casInvalidVerificationKeyView" />

From 5c2b1e7d4724aad9ff361ec783a7cb96e7a1e2be Mon Sep 17 00:00:00 2001
From: longze chen <cs.longze.chen@gmail.com>
Date: Fri, 31 Jan 2020 16:12:03 -0500
Subject: [PATCH 6/6] Refactor osf unconfirmed account exception

---
 ...penScienceFrameworkAuthenticationHandler.java |  6 +++---
 .../AccountNotConfirmedOsfLoginException.java}   | 16 ++++++++--------
 ...eFrameworkAuthenticationExceptionHandler.java |  6 +++---
 .../src/main/resources/messages.properties       |  6 +++---
 ...sp => casAccountNotConfirmedOsfLoginView.jsp} | 10 +++++-----
 .../WEB-INF/webflow/login/login-webflow.xml      |  4 ++--
 6 files changed, 24 insertions(+), 24 deletions(-)
 rename cas-server-support-osf/src/main/java/io/cos/cas/authentication/{LoginNotAllowedException.java => exceptions/AccountNotConfirmedOsfLoginException.java} (72%)
 rename cas-server-webapp/src/main/webapp/WEB-INF/view/jsp/default/ui/{casLoginNotAllowedView.jsp => casAccountNotConfirmedOsfLoginView.jsp} (80%)

diff --git a/cas-server-support-osf/src/main/java/io/cos/cas/adaptors/postgres/handlers/OpenScienceFrameworkAuthenticationHandler.java b/cas-server-support-osf/src/main/java/io/cos/cas/adaptors/postgres/handlers/OpenScienceFrameworkAuthenticationHandler.java
index 90b5c8f1..eea892e1 100644
--- a/cas-server-support-osf/src/main/java/io/cos/cas/adaptors/postgres/handlers/OpenScienceFrameworkAuthenticationHandler.java
+++ b/cas-server-support-osf/src/main/java/io/cos/cas/adaptors/postgres/handlers/OpenScienceFrameworkAuthenticationHandler.java
@@ -22,13 +22,13 @@
 import io.cos.cas.adaptors.postgres.models.OpenScienceFrameworkGuid;
 import io.cos.cas.adaptors.postgres.models.OpenScienceFrameworkTimeBasedOneTimePassword;
 import io.cos.cas.adaptors.postgres.models.OpenScienceFrameworkUser;
+import io.cos.cas.authentication.exceptions.AccountNotConfirmedIdPLoginException;
+import io.cos.cas.authentication.exceptions.AccountNotConfirmedOsfLoginException;
 import io.cos.cas.authentication.InvalidVerificationKeyException;
-import io.cos.cas.authentication.LoginNotAllowedException;
 import io.cos.cas.authentication.OneTimePasswordFailedLoginException;
 import io.cos.cas.authentication.OneTimePasswordRequiredException;
 import io.cos.cas.authentication.OpenScienceFrameworkCredential;
 import io.cos.cas.authentication.ShouldNotHappenException;
-import io.cos.cas.authentication.exceptions.AccountNotConfirmedIdPLoginException;
 import io.cos.cas.authentication.oath.TotpUtils;
 
 import org.jasig.cas.authentication.AccountDisabledException;
@@ -189,7 +189,7 @@ protected final HandlerResult authenticateInternal(final OpenScienceFrameworkCre
 
         // Check user's status, and only ACTIVE user can sign in
         if (USER_NOT_CONFIRMED_OSF.equals(userStatus)) {
-            throw new LoginNotAllowedException(username + " is registered but not confirmed");
+            throw new AccountNotConfirmedOsfLoginException(username + " is registered but not confirmed");
         } else if (USER_NOT_CONFIRMED_IDP.equals(userStatus)) {
             throw new AccountNotConfirmedIdPLoginException(username + " is registered via external IdP but not confirmed ");
         }  else if (USER_DISABLED.equals(userStatus)) {
diff --git a/cas-server-support-osf/src/main/java/io/cos/cas/authentication/LoginNotAllowedException.java b/cas-server-support-osf/src/main/java/io/cos/cas/authentication/exceptions/AccountNotConfirmedOsfLoginException.java
similarity index 72%
rename from cas-server-support-osf/src/main/java/io/cos/cas/authentication/LoginNotAllowedException.java
rename to cas-server-support-osf/src/main/java/io/cos/cas/authentication/exceptions/AccountNotConfirmedOsfLoginException.java
index 2add2e69..7f5d434a 100644
--- a/cas-server-support-osf/src/main/java/io/cos/cas/authentication/LoginNotAllowedException.java
+++ b/cas-server-support-osf/src/main/java/io/cos/cas/authentication/exceptions/AccountNotConfirmedOsfLoginException.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015. Center for Open Science
+ * Copyright (c) 2020. Center for Open Science
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -13,23 +13,23 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package io.cos.cas.authentication;
+package io.cos.cas.authentication.exceptions;
 
 import javax.security.auth.login.AccountException;
 
 /**
- * Describes an error condition where authentication occurs from an registered but not confirmed account.
+ * Describes an error condition where authentication occurs from a registered (via OSF email-password sign-up) but
+ * not confirmed account.
  *
- * @author Michael Haselton
  * @author Longze Chen
- * @since 4.1.5
+ * @since 20.0.0
  */
-public class LoginNotAllowedException extends AccountException {
+public class AccountNotConfirmedOsfLoginException extends AccountException {
 
     private static final long serialVersionUID = 3376259469680697722L;
 
     /** Instantiates a new exception (default). */
-    public LoginNotAllowedException() {
+    public AccountNotConfirmedOsfLoginException() {
         super();
     }
 
@@ -38,7 +38,7 @@ public LoginNotAllowedException() {
      *
      * @param message the message
      */
-    public LoginNotAllowedException(final String message) {
+    public AccountNotConfirmedOsfLoginException(final String message) {
         super(message);
     }
 }
diff --git a/cas-server-support-osf/src/main/java/io/cos/cas/web/flow/OpenScienceFrameworkAuthenticationExceptionHandler.java b/cas-server-support-osf/src/main/java/io/cos/cas/web/flow/OpenScienceFrameworkAuthenticationExceptionHandler.java
index e89494b1..9a3eb29a 100644
--- a/cas-server-support-osf/src/main/java/io/cos/cas/web/flow/OpenScienceFrameworkAuthenticationExceptionHandler.java
+++ b/cas-server-support-osf/src/main/java/io/cos/cas/web/flow/OpenScienceFrameworkAuthenticationExceptionHandler.java
@@ -21,11 +21,11 @@
 import java.util.Set;
 
 import io.cos.cas.authentication.exceptions.AccountNotConfirmedIdPLoginException;
+import io.cos.cas.authentication.exceptions.AccountNotConfirmedOsfLoginException;
 import io.cos.cas.authentication.exceptions.CasClientLoginException;
 import io.cos.cas.authentication.exceptions.DelegatedLoginException;
 import io.cos.cas.authentication.exceptions.OrcidClientLoginException;
 import io.cos.cas.authentication.InvalidVerificationKeyException;
-import io.cos.cas.authentication.LoginNotAllowedException;
 import io.cos.cas.authentication.OneTimePasswordFailedLoginException;
 import io.cos.cas.authentication.OneTimePasswordRequiredException;
 import io.cos.cas.authentication.RemoteUserFailedLoginException;
@@ -52,7 +52,7 @@
  *
  * @author Michael Haselton
  * @author Longze Chen
- * @since 4.1.5
+ * @since 19.0.0
  */
 public class OpenScienceFrameworkAuthenticationExceptionHandler extends AuthenticationExceptionHandler {
 
@@ -81,7 +81,7 @@ public class OpenScienceFrameworkAuthenticationExceptionHandler extends Authenti
     // Customized exceptions for OSF
     static {
         DEFAULT_ERROR_LIST.add(InvalidVerificationKeyException.class);
-        DEFAULT_ERROR_LIST.add(LoginNotAllowedException.class);
+        DEFAULT_ERROR_LIST.add(AccountNotConfirmedOsfLoginException.class);
         DEFAULT_ERROR_LIST.add(AccountNotConfirmedIdPLoginException.class);
         DEFAULT_ERROR_LIST.add(ShouldNotHappenException.class);
         DEFAULT_ERROR_LIST.add(RemoteUserFailedLoginException.class);
diff --git a/cas-server-webapp/src/main/resources/messages.properties b/cas-server-webapp/src/main/resources/messages.properties
index 5496732f..3d9c7b03 100644
--- a/cas-server-webapp/src/main/resources/messages.properties
+++ b/cas-server-webapp/src/main/resources/messages.properties
@@ -144,11 +144,11 @@ screen.badworkstation.heading=You cannot login from this workstation.
 screen.badworkstation.message=Please contact <a style="white-space: nowrap" href="mailto:support@osf.io">support@osf.io</a> to regain access.
 
 # OSF Login Failure Pages
-screen.loginnotallowed.heading=Account not confirmed
-screen.loginnotallowed.message=The OSF account associated with the email has been registered but not confirmed.  Please check your email (and spam folder) or click the button below to resend your confirmation email.
+screen.accountnotconfirmed.osflogin.heading=Account not confirmed
+screen.accountnotconfirmed.osflogin.message=The OSF account associated with the email has been registered but not confirmed.  Please check your email (and spam folder) or click the button below to resend your confirmation email.
+screen.accountnotconfirmed.osflogin.button.resendConfirmation=Resend confirmation email
 screen.accountnotconfirmed.idplogin.heading=Account not confirmed
 screen.accountnotconfirmed.idplogin.message=The OSF account associated with the email has been registered but not confirmed. Our records show that this account was created via ORCiD login. Please check your email (and spam folder) for the confirmation link. If you believe this should not happen, please contact <a style="white-space: nowrap" href="mailto:support@osf.io">OSF Support</a>.
-screen.loginnotallowed.button.resendConfirmation=Resend confirmation email
 screen.accountdisabled.heading=Account disabled
 screen.accountdisabled.message=The OSF account associated with the email has been disabled.  Please contact <a style="white-space: nowrap" href="mailto:support@osf.io">OSF Support</a> to regain access.
 screen.shouldnothappen.heading=Account not active
diff --git a/cas-server-webapp/src/main/webapp/WEB-INF/view/jsp/default/ui/casLoginNotAllowedView.jsp b/cas-server-webapp/src/main/webapp/WEB-INF/view/jsp/default/ui/casAccountNotConfirmedOsfLoginView.jsp
similarity index 80%
rename from cas-server-webapp/src/main/webapp/WEB-INF/view/jsp/default/ui/casLoginNotAllowedView.jsp
rename to cas-server-webapp/src/main/webapp/WEB-INF/view/jsp/default/ui/casAccountNotConfirmedOsfLoginView.jsp
index d5fa4844..2410a66e 100644
--- a/cas-server-webapp/src/main/webapp/WEB-INF/view/jsp/default/ui/casLoginNotAllowedView.jsp
+++ b/cas-server-webapp/src/main/webapp/WEB-INF/view/jsp/default/ui/casAccountNotConfirmedOsfLoginView.jsp
@@ -1,6 +1,6 @@
 <%--
 
-    Copyright (c) 2015. Center for Open Science
+    Copyright (c) 2020. Center for Open Science
 
     Licensed under the Apache License, Version 2.0 (the "License");
     you may not use this file except in compliance with the License.
@@ -16,19 +16,19 @@
 
 --%>
 
-<%-- Login exception page: account not confirmed --%>
+<%-- Login exception page: account created via OSF email-password sign-up but not confirmed --%>
 
 <jsp:directive.include file="includes/top.jsp"/>
 
 <div id="msg" class="errors">
-    <h2><spring:message code="screen.loginnotallowed.heading"/></h2>
-    <p><spring:message code="screen.loginnotallowed.message"/></p>
+    <h2><spring:message code="screen.accountnotconfirmed.osflogin.heading"/></h2>
+    <p><spring:message code="screen.accountnotconfirmed.osflogin.message"/></p>
     <hr/><br/>
     <section class="row">
         <spring:eval var="osfResendConfirmationUrl" expression="@casProperties.getProperty('osf.resendConfirmation.url')"/>
         <a id="alt-login-inst" class="btn-alt-login" href="${osfResendConfirmationUrl}">
             <img class="osf-alt-logo" src="../images/osf-logo.png">
-            <span class="label-login"><spring:message code="screen.loginnotallowed.button.resendConfirmation"/></span>
+            <span class="label-login"><spring:message code="screen.accountnotconfirmed.osflogin.button.resendConfirmation"/></span>
         </a>
     </section>
 </div>
diff --git a/cas-server-webapp/src/main/webapp/WEB-INF/webflow/login/login-webflow.xml b/cas-server-webapp/src/main/webapp/WEB-INF/webflow/login/login-webflow.xml
index 6eda205c..9c819409 100644
--- a/cas-server-webapp/src/main/webapp/WEB-INF/webflow/login/login-webflow.xml
+++ b/cas-server-webapp/src/main/webapp/WEB-INF/webflow/login/login-webflow.xml
@@ -204,7 +204,7 @@
         <transition on="AccountDisabledException" to="casAccountDisabledView"/>
         <!-- Customized exceptions for OSF -->
         <transition on="InvalidVerificationKeyException" to="casInvalidVerificationKeyView" />
-        <transition on="LoginNotAllowedException" to="casLoginNotAllowedView" />
+        <transition on="AccountNotConfirmedOsfLoginException" to="casAccountNotConfirmedOsfLoginView" />
         <transition on="AccountNotConfirmedIdPLoginException" to="casAccountNotConfirmedIdPLoginView" />
         <transition on="ShouldNotHappenException" to="casShouldNotHappenView" />
         <transition on="RemoteUserFailedLoginException" to="casRemoteUserFailedLoginView" />
@@ -283,7 +283,7 @@
     <end-state id="casAccountLockedView" view="casAccountLockedView"/>
     <end-state id="casBadHoursView" view="casBadHoursView"/>
     <end-state id="casBadWorkstationView" view="casBadWorkstationView"/>
-    <end-state id="casLoginNotAllowedView" view="casLoginNotAllowedView" />
+    <end-state id="casAccountNotConfirmedOsfLoginView" view="casAccountNotConfirmedOsfLoginView" />
     <end-state id="casAccountNotConfirmedIdPLoginView" view="casAccountNotConfirmedIdPLoginView" />
     <end-state id="casShouldNotHappenView" view="casShouldNotHappenView" />
     <end-state id="casRemoteUserFailedLoginView" view="casRemoteUserFailedLoginView" />