I don’t know what far off would be to you. See https://github.com/apereo/cas/milestones
Basically, examine how 5 works. Make sure it actually works! Then port back. It will probably be easier if you just started with 5 now and tested it. M2 is now available.

From: [email protected] [mailto:[email protected]] On Behalf Of John Stevens II
Sent: Tuesday, June 21, 2016 11:09 AM
To: CAS Community <[email protected]>
Cc: [email protected]
Subject: Re: [cas-user] Rest API Service Ticket Validation Issue

Misagh,

If the release date for version 5 is far off then I wouldn't mind doing the work, otherwise I'd wait. If so then a point in the right direction in respect to the changes that need to be made would be helpful.

Thanks

On Tuesday, June 21, 2016 at 10:59:46 AM UTC-4, Misagh Moayyed wrote:

It can be done. There are no plans to port this back, but if you’re willing to do the work that’s perfectly fine.

From: [email protected] [mailto:[email protected]] On Behalf Of John Stevens II
Sent: Monday, June 20, 2016 2:21 PM
To: CAS Community <[email protected]>
Cc: [email protected]
Subject: Re: [cas-user] Rest API Service Ticket Validation Issue

So I enabled oauth support but it looks like the user will be required to login via the GUI. I do see in the development branch (CAS OAuth Dev Link <https://apereo.github.io/cas/development/installation/OAuth-OpenId-Authentication.html>) for v5 that you can specify grant_type and use resource owner to return an access token. Can this be done in v4? Would love to use this option.

On Monday, June 20, 2016 at 10:55:33 AM UTC-4, Misagh Moayyed wrote:

You’re thinking about this the right way; just not execution wise. You can have an ST be valid multiple times of course as this is controlled by its policy. However, what you’re really doing is treating an ST like an OAuth access token, which it isn’t….or it’s not meant to be. Your better options are to use proxying where you get a PGT, and you get PTs based on that PGT you get. (The PGT becomes your access token).

Or you just use the OAuth support...or some other form of non-interactive AuthN.

From: [email protected] [mailto:[email protected]] On Behalf Of John Stevens II
Sent: Monday, June 20, 2016 7:04 AM
To: CAS Community <[email protected]>
Cc: [email protected]
Subject: Re: [cas-user] Rest API Service Ticket Validation Issue

My thinking is if I have developers who build APIs and want to integrate CAS (not for sso but for centralized authentication) then a user who wants to use the developers' API would authenticate with CAS via the CAS Rest API, possibly request an ST then use that ST to access the developers' API on every call to the developers' API. I say every call (multiple times) because you would need a way to verify that the user session is still valid right? Otherwise you would have to authenticate the user on every call to the developers' API vs just verifying a ticket. Maybe I'm thinking about this the wrong way?

On Monday, June 20, 2016 at 9:23:38 AM UTC-4, Misagh Moayyed wrote:

Why multiple times? What's the story there?

--Misagh

On Sun, Jun 19, 2016 at 2:29 PM, John Stevens II <[email protected]> wrote:

Well not necessarily a third application, all I really want to accomplish here is to be able to authenticate a user via CAS rest api (which I can), be able to validate that user via CAS rest api multiple times (which I can't) and be able to log the user out via CAS rest api (which I can). Is proxying necessary for this functionality?

On Friday, June 17, 2016 at 4:41:47 PM UTC-4, Ray Bon wrote:

A ST is (should be) validated only once and for only one service. Each service will go through the CAS dance passing in the TGT and service URL to receive its own ST.

If a third application needs to authenticate to your API, look at proxying, https://apereo.github.io/cas/4.2.x/installation/Configuring-Proxy-Authentication.html

Ray

On 2016-06-17 13:12, John Stevens II wrote:

Thank you, I've increased the service ticket timeout value and was able to validate a ticket via /serviceValidate but I can only validate the ticket once. If I am using the CAS Rest API to authenticate APIs that we develop I would want to verify that the service ticket is valid on every call to our APIs. How do I achieve this or is there another recommended way to achieve this? I see the option st.numOfUses for service tickets but not sure if unlimited is a valid option or if it's even recommended.

On Friday, June 17, 2016 at 3:42:22 PM UTC-4, Misagh Moayyed wrote:

/serviceValidate.

From: [email protected] [mailto:[email protected]] On Behalf Of John Stevens II
Sent: Friday, June 17, 2016 12:10 PM
To: CAS Community <[email protected]>
Cc: [email protected]; [email protected]
Subject: Re: [cas-user] Rest API Service Ticket Validation Issue

Ok that may work, is that the recommended way to verify service tickets for the Rest API (Without using the php client) or should I not be relying on the actual client?

On Friday, June 17, 2016 at 2:49:08 PM UTC-4, Dmitriy Kopylenko wrote:

By the time the /serviceValidate with ST is called, the ST lifetime has expired (10 seconds default). Increase the ST TTL on the CAS server to something longer, but reasonable and see if it helps.

Best,
D.

On Jun 17, 2016, at 2:44 PM, John Stevens II <[email protected]> wrote:

Need some insight on how to properly use the Rest API. I have a simple php application below.

castest.php:

    <?php
    require_once '/var/www/sites/CAS-1.3.4/CAS.php';

    // Write phpCAS debug output to its log file
    phpCAS::setDebug();
    // Enable verbose error messages. Disable in production!
    phpCAS::setVerbose(true);
    // Initialize phpCAS
    phpCAS::client(CAS_VERSION_2_0, 'access.example.com', 443, '/cas');
    // Skip validation of the CAS server's TLS certificate (not for production)
    phpCAS::setNoCasServerValidation();
    // force CAS authentication
    phpCAS::forceAuthentication();
    echo "It worked";
    ?>

Visiting the php page in the browser works with no problem, I'm able to authenticate and access the content with no problem.

I can post to my post server rest url to get my TGT:

Posting form data: username=Randomuser&password=Randompassword
To: https://access.example.com/cas/v1/tickets
Data (TGT) returned is: https://access.example.com/cas/v1/tickets/TGT-19-MKJRShaS2EebhGB3HHbZabi6O0I2KeSgWkXz3xGvKjamJgqi5M-cas2.example.com

Now I take my TGT url and post my service to get my ST:

Posting form data: service=http%3A%2F%2Ftest.example.com%2Fcastest.php
To: https://access.example.com/cas/v1/tickets/TGT-19-MKJRShaS2EebhGB3HHbZabi6O0I2KeSgWkXz3xGvKjamJgqi5M-cas2.example.com
Data (ST) returned is:

    0000: 53 54 2D 32 31 2D 79 47 59 69 57 6E 63 45 62 65 | ST-21-yGYiWncEbe |
    0010: 70 78 78 71 33 4B 6E 78 4F 52 2D 63 61 73 32 2E | pxxq3KnxOR-cas2. |
    0020: 69 6E 6D 61 72 2E 63 6F 6D | example.com |

All is good so far, I have my TGT and ST now I should be able to access my castest.php site so I do a get request on this url with my ticket as a parameter:

Get: http://test.example.com/castest.php?ticket=ST-21-yGYiWncEbepxxq3KnxOR-cas2.example.com

Error is returned:

    <html><head><title>CAS Authentication failed!</title></head><body><h1>CAS Authentication failed!</h1><p>You were not authenticated.</p><p>You may submit your request again by clicking <a href="http://test.example.com/castest.php">here</a>.</p><p>If the problem persists, you may contact <a href="mailto:ro...@localhost">the administrator of this site</a>.</p><hr><address>phpCAS 1.3.4 using server <a href="https://access.example.com/cas/">https://access.example.com/cas/</a> (CAS 2.0)</a></address></body></html><br />
    <b>Fatal error</b>: Uncaught exception 'CAS_AuthenticationException' in /var/www/sites/vmbuild/CAS-1.3.4/CAS/Client.php:3234
    Stack trace:
    #0 /var/www/sites/vmbuild/CAS-1.3.4/CAS/Client.php(1419): CAS_Client->validateCAS20('https://access....', '\n\n<cas:serviceR...', Object(DOMElement), false)
    #1 /var/www/sites/vmbuild/CAS-1.3.4/CAS.php(1127): CAS_Client->isAuthenticated()
    #2 /var/www/sites/vmbuild/castest.php(21): phpCAS::isAuthenticated()
    #3 {main}
      thrown in <b>/var/www/sites/vmbuild/CAS-1.3.4/CAS/Client.php</b> on line <b>3234</b><br />

Other things I've tried were to use the validation url to validate the ticket that way but it says the ticket is not recognized:

Get or Post: https://access.example.com/cas/serviceValidate?service=http%3A%2F%2Ftest.example.com%2Fcastest.php&ticket=ST-21-yGYiWncEbepxxq3KnxOR-cas2.example.com

Returned:

    <cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
        <cas:authenticationFailure code="INVALID_TICKET">
            Ticket 'ST-21-yGYiWncEbepxxq3KnxOR-cas2.example.com' not recognized
        </cas:authenticationFailure>
    </cas:serviceResponse>

Just need to validate service tickets with/for the REST API, any help would be appreciated.

--
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To post to this group, send email to [email protected].
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/f68da54d-dde3-4f88-8428-7ca9eff54d72%40apereo.org.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.
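The two failures in this thread (an ST validated after its TTL, and an ST validated a second time) can be reproduced offline. The following is an added example, not code from the thread or from CAS: `TicketRegistry`, `parse_validation`, `demo` and the ticket ids are constructed for illustration, while the XML shape and the INVALID_TICKET code follow the response quoted above.

```python
import time
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"cas": "http://www.yale.edu/tp/cas"}
ENVELOPE = '<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">%s</cas:serviceResponse>'
FAIL = '<cas:authenticationFailure code="%s">%s</cas:authenticationFailure>'

class TicketRegistry:
    """Toy model (not CAS code) of a service-ticket policy: TTL plus use limit."""
    def __init__(self, ttl_seconds=10, max_uses=1, clock=time.monotonic):
        self.ttl, self.max_uses, self.clock = ttl_seconds, max_uses, clock
        self.tickets = {}  # ticket id -> [service, user, issued_at, uses]

    def grant(self, ticket, service, user):
        self.tickets[ticket] = [service, user, self.clock(), 0]

    def service_validate(self, ticket, service):
        entry = self.tickets.get(ticket)
        if entry is None or self.clock() - entry[2] > self.ttl:
            self.tickets.pop(ticket, None)  # unknown or expired: nothing to validate
            msg = escape("Ticket '%s' not recognized" % ticket)  # ticket is caller input
            return ENVELOPE % (FAIL % ("INVALID_TICKET", msg))
        entry[3] += 1
        if entry[3] >= self.max_uses or entry[0] != service:
            del self.tickets[ticket]  # used up, or presented for another service
        if entry[0] != service:
            return ENVELOPE % (FAIL % ("INVALID_SERVICE", "Ticket does not match service"))
        return ENVELOPE % ("<cas:authenticationSuccess><cas:user>%s</cas:user>"
                           "</cas:authenticationSuccess>" % escape(entry[1]))

def parse_validation(xml_text):
    """Return (user, None) on success, else (None, failure code)."""
    root = ET.fromstring(xml_text)
    user = root.findtext("cas:authenticationSuccess/cas:user", namespaces=NS)
    if user:
        return user.strip(), None
    fail = root.find("cas:authenticationFailure", NS)
    return None, (fail.get("code") if fail is not None else "MALFORMED")

def demo():  # replays the thread's two failures; fake clock, constructed ticket ids
    now = [0.0]
    reg = TicketRegistry(clock=lambda: now[0])
    svc = "http://test.example.com/castest.php"
    reg.grant("ST-1-constructed", svc, "Randomuser")
    twice = [parse_validation(reg.service_validate("ST-1-constructed", svc)) for _ in range(2)]
    reg.grant("ST-2-constructed", svc, "Randomuser")
    now[0] = 11.0  # the validation call arrives after the 10 second TTL
    return twice + [parse_validation(reg.service_validate("ST-2-constructed", svc))]
```

In this model a larger `max_uses` lets repeat validations succeed until the TTL runs out, and a ticket presented for a different service is rejected and dropped.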
