That is the purpose of tools like CAS. Let it manage user authentication. Some application (client in OAUTH) will interact with your API. There is CAS proxy protocol for this. Client app interacts with CAS for log in; when it wants to call your API, it gets a proxy ticket and sends it to your API; your API validates the ticket and does what it does.
You can also checkout OIDC and OAUTH for an alternative approach using tokens. Your idea is sound. But you do not need to reinvent access methods. Ray On Thu, 2019-05-16 at 10:31 -0700, Tõnis Ostrat wrote: I strongly discourage you from asking a user for credentials How do you propose then that I have my users authenticate themselves to be able to use my API if it's a completely standalone back-end service with no GUI? On Thursday, May 16, 2019 at 6:20:09 PM UTC+3, rbon wrote: Tõnis, I strongly discourage you from asking a user for credentials; security, break SSO, etc., etc,. There is a proxy option in CAS, https://apereo.github.io/cas/6.0.x/installation/Configuring-Proxy-Authentication.html If the proxy option does not meet your needs the surely something else under https://apereo.github.io/cas/6.0.x/index.html Authentication | Methods (JWT or PAC4J might be good). You could also try OIDC, https://apereo.github.io/cas/6.0.x/protocol/OIDC-Protocol.html#openid-connect-protocol Ray On Thu, 2019-05-16 at 03:32 -0700, Tõnis Ostrat wrote: Hey, everybody. To preface this, I've tried both googling and looking through the discussions here but still haven't found an answer for the following situation. I'm currently building a back-end service with no web-based nor native GUI and I'm having trouble coming up with a proper way to secure it with CAS (5.3, if that matters). My plan right now is to have an endpoint in my API where the user can POST their credentials which I will forward to CAS's REST API (with the ID of my service) .I will then return the TGT that CAS gives me to the user and on any subsequent data request I will try to extract the same TGT (header, cookie, whatever) and validate it by requesting a ST for my own service from CAS. It works but it sounds a bit stupid because I don't actually do anything with ST, it's just a confirmation call to make sure the TGT is valid. This flow is the one I've managed to piece together basically on my own as the REST API portion of the official documentation is really lacking in my opinion. Is there a better solution to this problem? -- Ray Bon Programmer Analyst Development Services, University Systems 2507218831 | CLE 019 | [email protected]<javascript:> -- Ray Bon Programmer Analyst Development Services, University Systems 2507218831 | CLE 019 | [email protected] -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/e749ed5f243b80aabb4d7f0f924397b19fce9e52.camel%40uvic.ca.
