Sorry, I made some mistakes in the previous reply; let me clarify what I
have found now:
Now on the client side (example_proxy_GET.php) I am able to generate the log
for each access from the browser.
And I found that when the client is trying to validate the service +
ticket, the CAS server responds with INVALID_PROXY_CALLBACK.
What could be the possible cause of this?
Thank you VERY VERY MUCH for helping me solve this issue; this problem has
been confusing me for a week.
This is the log after the 2nd login (the first login attempt failed, then I
clicked refresh to renew the ticket):
1C47 .START (2019-08-02 14:39:33) phpCAS-1.3.7 ****************** [CAS.php:475]
1C47 .=> phpCAS::proxy('3.0', 'MY_CAS_SERVER', 443, '/cas') [index.php:8]
1C47 .| => CAS_Client::__construct('3.0', true, 'MY_CAS_SERVER', 443, '/cas', true) [CAS.php:410]
1C47 .| | Starting a new session f9ac10f86d86edb204698c756da2059a [Client.php:932]
1C47 .| | Session is not authenticated [Client.php:938]
1C47 .| | Ticket 'ST-2233404-pk47Ke1WYLFJ4tGiS0YswQZy3Nocas2' found [Client.php:1015]
1C47 .| <= ''
1C47 .<= ''
1C47 .=> phpCAS::setNoCasServerValidation() [index.php:9]
1C47 .| You have configured no validation of the legitimacy of the cas server. This is not recommended for production use. [CAS.php:1664]
1C47 .<= ''
1C47 .=> phpCAS::forceAuthentication() [index.php:11]
1C47 .| => CAS_Client::forceAuthentication() [CAS.php:1120]
1C47 .| | => CAS_Client::isAuthenticated() [Client.php:1275]
1C47 .| | | => CAS_Client::_wasPreviouslyAuthenticated() [Client.php:1387]
1C47 .| | | | neither user nor PGT found [Client.php:1606]
1C47 .| | | <= false
1C47 .| | | CAS 3.0 ticket `ST-2233404-pk47Ke1WYLFJ4tGiS0YswQZy3Nocas2' is present [Client.php:1440]
1C47 .| | | => CAS_Client::validateCAS20('', NULL, NULL, false) [Client.php:1443]
1C47 .| | | | [Client.php:3159]
1C47 .| | | | => CAS_Client::getServerServiceValidateURL() [Client.php:3165]
1C47 .| | | | | => CAS_Client::getURL() [Client.php:453]
1C47 .| | | | | | Final URI: MY_CLIENT_URL [Client.php:3528]
1C47 .| | | | | <= 'https://MY_CLIENT/test/'
1C47 .| | | | <= 'https://MY_CAS_SERVER/cas/p3/serviceValidate?service=MY_CLIENT'
1C47 .| | | | => CAS_Client::_readURL('https://MY_CAS_SERVER/cas/p3/serviceValidate?service=MY_CLIENT_URL&ticket=ST-2233404-pk47Ke1WYLFJ4tGiS0YswQZy3Nocas2&pgtUrl=MY_CLIENT', NULL, NULL, NULL) [Client.php:3180]
1C47 .| | | | | => CAS_Request_CurlRequest::sendRequest() [AbstractRequest.php:242]
1C47 .| | | | | | Response Body:
1C47 .| | | | | | <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
1C47 .| | | | | | <cas:authenticationFailure code="INVALID_PROXY_CALLBACK">The supplied proxy callback url 'MY_CLIENT_URL' could not be authenticated. Either 'MY_CLIENT_URL' cannot be reached, it is not allowed to exercise proxy authentication.</cas:authenticationFailure>
1C47 .| | | | | | </cas:serviceResponse>
1C47 .| | | | | |
1C47 .| | | | | | [CurlRequest.php:84]
1C47 .| | | | | <= true
1C47 .| | | | <= true
1C47 .| | | | => CAS_AuthenticationException::__construct(CAS_Client, 'Ticket not validated', 'https://MY_CAS_SERVER/cas/p3/serviceValidate?service=MY_CLIENT_URL&ticket=ST-2233404-pk47Ke1WYLFJ4tGiS0YswQZy3Nocas2&pgtUrl=MY_CLIENT_URL', false, false, '<cas:serviceResponse xmlns:cas=\'http://www.yale.edu/tp/cas\'> <cas:authenticationFailure code="INVALID_PROXY_CALLBACK">The supplied proxy callback url 'MY_CLIENT_URL' could not be authenticated. Either 'MY_CLIENT_URL' cannot be reached, it is not allowed to exercise proxy authentication.</cas:authenticationFailure></cas:serviceResponse>', 'INVALID_PROXY_CALLBACK', 'The supplied proxy callback url \'MY_CLIENT_URL\' could not be authenticated. Either \'MY_CLIENT_URL\' cannot be reached, it is not allowed to exercise proxy authentication.') [Client.php:3226]
1C47 .| | | | | => CAS_Client::getURL() [AuthenticationException.php:77]
1C47 .| | | | | <= 'MY_CLIENT_URL'
1C47 .| | | | | CAS URL: https://MY_CAS_SERVER/cas/p3/serviceValidate?service=MY_CLIENT_URL&ticket=ST-2233404-pk47Ke1WYLFJ4tGiS0YswQZy3Nocas2&pgtUrl=MY_CLIENT_URL [AuthenticationException.php:80]
1C47 .| | | | | Authentication failure: Ticket not validated [AuthenticationException.php:81]
1C47 .| | | | | Reason: [INVALID_PROXY_CALLBACK] CAS error: The supplied proxy callback url 'MY_CLIENT_URL' could not be authenticated. Either 'MY_CLIENT_URL/' cannot be reached, it is not allowed to exercise proxy authentication. [AuthenticationException.php:97]
1C47 .| | | | | CAS response: <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
1C47 .| | | | | <cas:authenticationFailure code="INVALID_PROXY_CALLBACK">The supplied proxy callback url 'MY_CLIENT_URL' could not be authenticated. Either 'MY_CLIENT_URL' cannot be reached, it is not allowed to exercise proxy authentication.</cas:authenticationFailure>
1C47 .| | | | | </cas:serviceResponse>
1C47 .| | | | | [AuthenticationException.php:102]
1C47 .| | | | | exit()
1C47 .| | | | | -
1C47 .| | | | -
1C47 .| | | -
On Friday, 2 August 2019 13:12:32 UTC+8, Doug C wrote:
>
> This is probably the same issue as the debug.log files. The web server
> must have the ability to read/write the location where the proxy granting
> tickets are stored. There is probably some indication of this in the
> debug.log.
>
>
>
> OR
>
>
>
> Did you configure the CAS server to allow this service to proxy
> authentication? See
> https://apereo.github.io/cas/5.0.x/installation/Configuring-Service-Proxy-Policy.html
> .
>
>
>
>
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Daniel Hui
> *Sent:* Friday, August 2, 2019 11:31 AM
> *To:* CAS Community <[email protected]>
> *Subject:* Re: [cas-user] Newbie question, about CAS proxy and phpCAS
>
>
>
> I have checked the log by directly calling the
> client (example_proxy_GET.php).
>
> And the problem is that when the proxy is trying to send the service URL to
> register in the CAS server, the pgt is missing. Any hints to solve this
> problem?
>
> https://MY_CAS_SERVER/cas/proxy?targetService=MY_API_URL&pgt=
> <https://cas.ust.hk/cas/proxy?targetService=https%3A%5C%2F%5C%2Flbnx28.ust.hk%3A8002%5C%2Fapi%5C%2F&pgt=>
>
> On Friday, 2 August 2019 11:24:23 UTC+8, Doug C wrote:
>
> Perhaps your web server doesn’t have write permissions to the location
> your debug.log is being written. Usually it is a good idea to create a
> subdirectory that gives such rights to the web server and then tell the
> script to put the debug.log there. I think a simple work around for the
> time being would be to change the permissions on the current debug.log file
> to give the web server ownership of it. If the file doesn’t exist yet,
> touch it, and then transfer ownership.
>
>
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Daniel
> Hui
> *Sent:* Friday, August 2, 2019 11:18 AM
> *To:* CAS Community <[email protected]>
> *Subject:* Re: [cas-user] Newbie question, about CAS proxy and phpCAS
>
>
>
> example_simple.php script does run for me with CAS version 3.0. And the
> debug info doesn't log the request if I am accessing using the URL, it only
> logs the request if I run it directly using php in the console. Any hints?
> Or do I need other things to set up properly?
>
> On Friday, 2 August 2019 11:14:12 UTC+8, Doug C wrote:
>
> Did you first get the example_simple.php script working? If not, do that
> first. If you have, I have often found that looking in the debug.log
> informs me as to what is going wrong and would suggest you look there.
> Also, I don’t think you mentioned which version of the CAS server you are
> running. If you are running an older version of the CAS server, you may
> not be running version 3.0 of the CAS protocol.
>
>
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Daniel
> Hui
> *Sent:* Friday, August 2, 2019 11:10 AM
> *To:* CAS Community <[email protected]>
> *Subject:* Re: [cas-user] Newbie question, about CAS proxy and phpCAS
>
>
>
> Thanks for the advice. I am trying those scripts, but they are not
> working; am I missing something?
>
>
>
> Here is my code, with some modifications to the original examples:
>
> example_proxy_GET.php:
>
> <?php
> require_once('../vendor/autoload.php');
> require_once('config.php');
> $filename = 'debug.log';
> phpCAS::setDebug($filename);
> phpCAS::setVerbose(true);
> phpCAS::proxy(CAS_VERSION_3_0, $cas_host, $cas_port, $cas_context);
> phpCAS::setNoCasServerValidation();
> phpCAS::forceAuthentication(); // it shows me authentication fails at this line of code
> flush();
> try {
>     $service = phpCAS::getProxiedService(PHPCAS_PROXIED_SERVICE_HTTP_GET);
>     $service->setUrl("my_API_URL"); // change it to my API URL to call the API
>     $service->send();
>     if ($service->getResponseStatusCode() == 200) {
>         echo '<div class="success">';
>         echo $service->getResponseBody();
>         echo '</div>';
>     } else {
>         echo '<div class="error">';
>         echo 'The service responded with a '
>             . $service->getResponseStatusCode() . ' error.';
>         echo '</div>';
>     }
> } catch (CAS_ProxyTicketException $e) {
>     if ($e->getCode() == PHPCAS_SERVICE_PT_FAILURE) {
>         echo '<div class="error">';
>         echo "Your login has timed out. You need to log in again.";
>         echo '</div>';
>     } else {
>         throw $e;
>     }
> } catch (CAS_ProxiedService_Exception $e) {
>     echo "test";
>     throw $e;
> }
> ?>
> </body>
> </html>
>
>
>
> example_service.php: (if I just call this directly, it works)
>
> <?php
> require_once '../test/config.php';
> require_once('../vendor/autoload.php');
> $filename = 'debug.log';
> // Write a marker to the log file ("TEST">$filename is a comparison in PHP, not a redirect)
> file_put_contents($filename, "TEST\n");
> phpCAS::setDebug($filename);
> phpCAS::setVerbose(true);
> phpCAS::client(CAS_VERSION_3_0, $cas_host, $cas_port, $cas_context); // load from config
> phpCAS::setNoCasServerValidation();
> phpCAS::forceAuthentication();
> // phpCAS::allowProxyChain(new CAS_ProxyChain_Any); // I have disabled this because I do not need to chain this service to another service
> echo '<p>The user\'s login is <b>' . phpCAS::getUser() . '</b>.</p>';
> // increment the number of requests of the session and print it
> if (!isset($_SESSION['n'])) {
>     $_SESSION['n'] = 0;
> }
> echo '<p>request #' . (++$_SESSION['n']) . '</p>';
> ?>
>
>
>
> Thanks for your kind help and quick reply
>
>
> On Friday, 2 August 2019 10:57:15 UTC+8, Doug C wrote:
>
> Daniel,
>
>
>
> I would recommend “getting your feet wet” first by working with the
> example_simple.php script. Make sure to get this one working with your CAS
> server first and then build from there by working with the
> example_service.php which could act like your CAS protected API service and
> example_proxy_GET.php which could act like the client wanting to access
> your API.
>
>
>
> Doug
>
>
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Daniel
> Hui
> *Sent:* Friday, August 2, 2019 10:50 AM
> *To:* CAS Community <[email protected]>
> *Subject:* Re: [cas-user] Newbie question, about CAS proxy and phpCAS
>
>
>
> Hi Doug,
>
> May I know which examples suit the use for me? One script for the API and
> another one for the Proxy. Thanks.
>
> On Friday, 2 August 2019 10:47:02 UTC+8, Doug C wrote:
>
> Daniel,
>
>
>
> Have you taken a look at the phpCAS examples at
> https://github.com/apereo/phpCAS/tree/master/docs/examples? They are
> really detailed with a lot of comments explaining what is happening and
> even mentioning what things should be for testing and what should be
> removed when deploying in a production environment.
>
>
>
> Doug
>
>
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Daniel
> Hui
> *Sent:* Friday, August 2, 2019 10:01 AM
> *To:* CAS Community <[email protected]>
> *Subject:* [cas-user] Newbie question, about CAS proxy and phpCAS
>
>
>
> Hey guys, I am building an API that requires CAS authentication, and the
> client which calls the API also needs the CAS authentication. After some
> Googling, I found out the proxy function suits my use and I want to
> implement it using phpCAS in my API and also build a simulated client to
> test my API for CAS authentication. But I cannot find any practical example
> on the internet. May I get some help from you guys to show me some examples
> to implement this? I need some kind of clear logic and clear code to help
> me understand this. I do not fully understand what a CAS proxy is, and what
> it can do.
>
>
>
>
> https://apereo.github.io/cas/5.0.x/installation/Configuring-Proxy-Authentication.html
>
>
>
> p.s.: I have previous CAS implementation experience, having built a website
> that supports CAS.
>
>
>
> Thanks for the help
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/17c31784-1dd3-43ac-8989-14df184e425f%40apereo.org
>
> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/17c31784-1dd3-43ac-8989-14df184e425f%40apereo.org?utm_medium=email&utm_source=footer>
> .
>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/35ccca93-d6d8-4a80-9079-03ebd33f7e29%40apereo.org.
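
Added example, not part of the original thread and not phpCAS code: a small Python helper that reads the two artifacts visible in the debug log above, the serviceValidate request URL and the XML reply, and reports the failure code together with obvious pgtUrl problems. The host names, ticket and function names are constructed for illustration; the https requirement for pgtUrl comes from the CAS protocol.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}
# Constructed sample modelled on the log above; host names are placeholders.
SAMPLE_URL = ("https://cas.example.org/cas/p3/serviceValidate?ticket=ST-1-constructed"
              "&service=https%3A%2F%2Fclient.example.org%2Ftest%2F"
              "&pgtUrl=https%3A%2F%2Fclient.example.org%2Ftest%2F")
SAMPLE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationFailure code="INVALID_PROXY_CALLBACK">The supplied proxy
callback url 'https://client.example.org/test/' could not be authenticated.
</cas:authenticationFailure></cas:serviceResponse>"""

def parse_validation_response(xml_text):
    """Summarise a CAS serviceValidate response body as a dict."""
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        return {"ok": False, "code": failure.get("code"),
                "message": " ".join((failure.text or "").split())}
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise ValueError("not a CAS serviceValidate response")
    return {"ok": True,
            "user": success.findtext("cas:user", namespaces=CAS_NS),
            "pgtiou": success.findtext("cas:proxyGrantingTicket", namespaces=CAS_NS)}

def check_validate_url(url):
    """Static checks on the pgtUrl a proxy-mode client sent to the server."""
    query = parse_qs(urlsplit(url).query)  # blank values are dropped
    if "pgtUrl" not in query:
        return ["no pgtUrl parameter: the client did not ask for a PGT"]
    callback = urlsplit(query["pgtUrl"][0])
    findings = []
    if callback.scheme != "https":
        findings.append("pgtUrl scheme is %r, the callback must be https" % callback.scheme)
    if not callback.hostname:
        findings.append("pgtUrl has no host name")
    return findings

def diagnose(url, xml_text):
    """Combine both checks; returns (parsed response, list of findings)."""
    result = parse_validation_response(xml_text)
    findings = check_validate_url(url)
    if not result["ok"] and result["code"] == "INVALID_PROXY_CALLBACK" and not findings:
        findings.append("pgtUrl is well-formed: check that the CAS server can reach it "
                        "and that the service registration allows proxying")
    return result, findings
```

When the URL checks pass, the remaining candidates are the two named in the server's error text and in the reply quoted above: reachability of the callback from the CAS server, and the service's proxy policy.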