My thinking is if I have developers who build API's and want to integrate CAS (not for sso but for centralized authentication) then a user who wants to use the developers API would authenticate with CAS via the CAS Rest API, possibly request an ST then use that ST to access the developers API on every call to the developers API. I say every call (multiple times) because you would need a way to verify that the user session is still valid right? Otherwise you would have to authenticate the user on every call to the developers API vs just verifying a ticket. Maybe i'm thinking about this the wrong way?
On Monday, June 20, 2016 at 9:23:38 AM UTC-4, Misagh Moayyed wrote: > > Why multiple times? What's the story there? > --Misagh > On Sun, Jun 19, 2016 at 2:29 PM, John Stevens II <[email protected] > <javascript:>> wrote: > > Well not necessarily a third application, all I really want to accomplish > here is to be able to authenticate a user via CAS rest api (which I can), > be a able validate that user via CAS rest api multiple times (which I > can't) and be able to log the user out via CAS rest api (which I can). > > Is proxying necessary for this functionality? > > On Friday, June 17, 2016 at 4:41:47 PM UTC-4, Ray Bon wrote: >> >> A ST is (should be) validated only once and for only one service. Each >> service will go through the CAS dance passing in the TGT and service URL to >> receive its own ST. >> If a third application needs to authenticate to your API, look at >> proxying, >> https://apereo.github.io/cas/4.2.x/installation/Configuring-Proxy-Authentication.html >> >> Ray >> >> On 2016-06-17 13:12, John Stevens II wrote: >> >> Thank you, I've increased the service ticket timeout value and was able >> to validate a ticket via /serviceValidate but I can only validate the >> ticket once. >> >> If I am using the CAS Rest API to authenticate API's that we develop I >> would want to verify that the service ticket is valid on every call to our >> API's. How do I achieve this or is there another recommended way to achieve >> this? >> >> I see the option *st.numOfUses *for service tickets but not sure if >> unlimited is a valid option or if it's even recommended. >> >> On Friday, June 17, 2016 at 3:42:22 PM UTC-4, Misagh Moayyed wrote: >>> >>> /serviceValidate. >>> >>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *John >>> Stevens II >>> *Sent:* Friday, June 17, 2016 12:10 PM >>> *To:* CAS Community <[email protected]> >>> *Cc:* [email protected]; [email protected] >>> *Subject:* Re: [cas-user] Rest API Service Ticket Validation Issue >>> >>> Ok that may work, is that the recommended way to verify service tickets >>> for the Rest API (Without using the php client) or should I not be relying >>> on the actual client? >>> >>> On Friday, June 17, 2016 at 2:49:08 PM UTC-4, Dmitriy Kopylenko wrote: >>> >>> By the time the /serviceValidate with ST is called, the ST lifetime has >>> expired (10 seconds default). Increase the ST TTL on the CAS server to >>> something longer, but reasonable and see if it helps. >>> >>> Best, >>> >>> D. >>> >>> On Jun 17, 2016, at 2:44 PM, John Stevens II <[email protected]> wrote: >>> >>> Need some insight on how to properly use the Rest API. >>> >>> I have a simple php application below castest.php: >>> >>> <?php >>> >>> require_once '/var/www/sites/CAS-1.3.4/CAS.php'; >>> >>> phpCAS::setDebug(); >>> >>> // Enable verbose error messages. Disable in production! >>> >>> phpCAS::setVerbose(true); >>> >>> // Initialize phpCAS >>> >>> phpCAS::client(CAS_VERSION_2_0, 'access.example.com', 443, '/cas'); >>> >>> >>> phpCAS::setNoCasServerValidation(); >>> >>> // force CAS authentication >>> >>> phpCAS::forceAuthentication(); >>> >>> echo "It worked"; >>> >>> ?> >>> >>> >>> Visiting the php page in the browser works with no problem, I'm able to >>> authenticate and access the content with no problem. >>> >>> I can post to my post server rest url to get my TGT: >>> >>> Posting form data: >>> >>> username=Randomuser&password=Randompassword >>> >>> To: >>> >>> <https://access.example.com/cas/v1/tickets>https://access.example.com/ >>> cas/v1/tickets >>> >>> >>> Data (TGT) returned is: >>> >>> >>> <https://access.example.com/cas/v1/tickets/TGT-19-MKJRShaS2EebhGB3HHbZabi6O0I2KeSgWkXz3xGvKjamJgqi5M-cas2.example.com> >>> https://access.example.com/cas/v1/tickets/ >>> TGT-19-MKJRShaS2EebhGB3HHbZabi6O0I2KeSgWkXz3xGvKjamJgqi5M-cas2.example.com >>> >>> >>> Now I take my TGT url and post my service to get my ST: >>> >>> Posting form data: >>> >>> service=http%3A%2F%2Ftest.example.com <http://2ftest.example.com> >>> %2Fcastest.php >>> >>> >>> To: >>> >>> >>> <https://access.example.com/cas/v1/tickets/TGT-19-MKJRShaS2EebhGB3HHbZabi6O0I2KeSgWkXz3xGvKjamJgqi5M-cas2.example.com> >>> https://access.example.com/cas/v1/tickets/ >>> TGT-19-MKJRShaS2EebhGB3HHbZabi6O0I2KeSgWkXz3xGvKjamJgqi5M-cas2.example.com >>> >>> >>> Data (ST) returned is: >>> >>> 0000: 53 54 2D 32 31 2D 79 47 59 69 57 6E 63 45 62 65 | ST-21-yGYiWncEbe >>> | >>> >>> 0010: 70 78 78 71 33 4B 6E 78 4F 52 2D 63 61 73 32 2E | pxxq3KnxOR-cas2. >>> | >>> >>> 0020: 69 6E 6D 61 72 2E 63 6F 6D | example.com | >>> >>> >>> All is good so far, I have my TGT and ST now I should be able to access >>> my castest.php site so I do a get request on this url with my ticket as a >>> parameter: >>> >>> Get: >>> >>> >>> <http://test.example.com/castest.php?ticket=ST-21-yGYiWncEbepxxq3KnxOR-cas2.example.com> >>> http://test.example.com/castest.php?ticket= >>> ST-21-yGYiWncEbepxxq3KnxOR-cas2.example.com >>> >>> >>> Error is returned: >>> >>> <html><head><title>CAS Authentication >>> failed!</title></head><body><h1>CAS Authentication failed!</h1><p>You were >>> not authenticated.</p><p>You may submit your request again by clicking <a >>> href=" >>> <http://test.example.com/castest.php>http://test.example.com/castest.php";>here</a>.</p><p>If >>> >>> the problem persists, you may contact <a href="mailto:ro...@localhost";>the >>> administrator of this site</a>.</p><hr><address>phpCAS 1.3.4 using server >>> <a href=" <https://access.example.com/cas/>https://access.example >>> .com/cas/"> <https://access.example.com/cas/>https://access. >>> example.com/cas/</a> (CAS 2.0)</a></address></body></html><br /> >>> >>> <b>Fatal error</b>: Uncaught exception 'CAS_AuthenticationException' in >>> /var/www/sites/vmbuild/CAS-1.3.4/CAS/Client.php:3234 >>> >>> Stack trace: >>> >>> #0 /var/www/sites/vmbuild/CAS-1.3.4/CAS/Client.php(1419): >>> CAS_Client->validateCAS20('https://access....', >>> '\n\n<cas:serviceR...', Object(DOMElement), false) >>> >>> #1 /var/www/sites/vmbuild/CAS-1.3.4/CAS.php(1127): >>> CAS_Client->isAuthenticated() >>> >>> #2 /var/www/sites/vmbuild/castest.php(21): phpCAS::isAuthenticated() >>> >>> #3 {main} >>> >>> thrown in <b>/var/www/sites/vmbuild/CAS-1.3.4/CAS/Client.php</b> on line >>> <b>3234</b><br /> >>> >>> >>> Other things i've tried were to use the validation url to validate the >>> ticket that way but it says the ticket is not reconigzed: >>> >>> Get or Post: >>> >>> >>> <https://access.example.com/cas/serviceValidate?service=http%3A%2F%2Ftest.example.com%2Fcastest.php&ticket=ST-21-yGYiWncEbepxxq3KnxOR-cas2.example.com> >>> https://access.example.com/cas/serviceValidate?service=http%3A%2F% >>> 2Ftest.example.com%2Fcastest.php&ticket= >>> ST-21-yGYiWncEbepxxq3KnxOR-cas2.example.com >>> >>> Returned: >>> >>> <cas:serviceResponse xmlns:cas=" <http://www.yale.edu/tp/cas> >>> http://www.yale.edu/tp/cas";> >>> >>> <cas:authenticationFailure code="INVALID_TICKET"> >>> >>> Ticket 'ST-21-yGYiWncEbepxxq3KnxOR-cas2.example.com >>> <http://st-21-ygyiwncebepxxq3knxor-cas2.example.com>' not recognized >>> >>> </cas:authenticationFailure> >>> >>> </cas:serviceResponse> >>> >>> >>> >>> Just need to validate service tickets with/for the REST API any help >>> would be appreciated. >>> >>> -- >>> You received this message because you are subscribed to the Google >>> Groups "CAS Community" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to [email protected]. >>> To post to this group, send email to [email protected]. >>> Visit this group at >>> <https://groups.google.com/a/apereo.org/group/cas-user/> >>> https://groups.google.com/a/apereo.org/group/cas-user/. >>> To view this discussion on the web visit >>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/f68da54d-dde3-4f88-8428-7ca9eff54d72%40apereo.org >>> >>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/f68da54d-dde3-4f88-8428-7ca9eff54d72%40apereo.org?utm_medium=email&utm_source=footer> >>> . >>> For more options, visit >>> <https://groups.google.com/a/apereo.org/d/optout> >>> https://groups.google.com/a/apereo.org/d/optout. >>> >>> -- >>> You received this message because you are subscribed to the Google >>> Groups "CAS Community" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to [email protected]. >>> To post to this group, send email to [email protected]. >>> Visit this group at >>> https://groups.google.com/a/apereo.org/group/cas-user/. >>> To view this discussion on the web visit >>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/daf30452-61dd-4187-9ebd-dfc17de37404%40apereo.org?utm_medium=email&utm_source=footer> >>> https://groups.google.com/a/ >>> apereo.org/d/msgid/cas-user/daf30452-61dd-4187-9ebd-dfc17de37404%40apereo.org >>> . >>> For more options, visit https://groups.google.com/a/apereo.org/d/optout. >>> >> -- >> You received this message because you are subscribed to the Google Groups >> "CAS Community" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> To post to this group, send email to [email protected]. >> Visit this group at >> https://groups.google.com/a/apereo.org/group/cas-user/. >> To view this discussion on the web visit >> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/6019fd5b-6795-400e-9bc4-fbd4486f12e6%40apereo.org?utm_medium=email&utm_source=footer> >> https://groups.google.com/a/apereo.org/d/msgid/cas-user/6019fd5b-6795-400e-9bc4-fbd4486f12e6%40apereo.org >> . >> For more options, visit https://groups.google.com/a/apereo.org/d/optout. >> >> >> -- > You received this message because you are subscribed to the Google Groups > "CAS Community" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected] <javascript:>. > To post to this group, send email to [email protected] <javascript:>. > Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/ > . > To view this discussion on the web visit > https://groups.google.com/a/apereo.org/d/msgid/cas-user/318d0846-f1b6-4155-8d86-ded2013d2391%40apereo.org > > <https://groups.google.com/a/apereo.org/d/msgid/cas-user/318d0846-f1b6-4155-8d86-ded2013d2391%40apereo.org?utm_medium=email&utm_source=footer> > . > For more options, visit https://groups.google.com/a/apereo.org/d/optout. > > -- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/d0560d02-aa00-47e0-929c-430f117cde0a%40apereo.org. For more options, visit https://groups.google.com/a/apereo.org/d/optout.
