Side note: the CAS server is not operated by me, but I think it has the
proxy function provided.
On Friday, 2 August 2019 14:53:49 UTC+8, Daniel Hui wrote:
>
> Sorry, I made some mistakes in the previous reply; let me clarify what I
> have found now:
> Now on the client side (example_proxy_GET.php) I am able to generate the
> log for each access from the browser.
> And I found that when the client is trying to validate the service +
> ticket, the CAS server responds with INVALID_PROXY_CALLBACK.
> What could be the possible cause of this?
> Thank you VERY VERY MUCH for helping me solve this issue; this problem has
> been confusing me for a week.
>
> This is the log after the 2nd login (the first login attempt failed, then I
> clicked refresh to renew a ticket):
> 1C47 .START (2019-08-02 14:39:33) phpCAS-1.3.7 ****************** [CAS.php:475]
> 1C47 .=> phpCAS::proxy('3.0', 'MY_CAS_SERVER', 443, '/cas') [index.php:8]
> 1C47 .| => CAS_Client::__construct('3.0', true, 'MY_CAS_SERVER', 443, '/cas', true) [CAS.php:410]
> 1C47 .| | Starting a new session f9ac10f86d86edb204698c756da2059a [Client.php:932]
> 1C47 .| | Session is not authenticated [Client.php:938]
> 1C47 .| | Ticket 'ST-2233404-pk47Ke1WYLFJ4tGiS0YswQZy3Nocas2' found [Client.php:1015]
> 1C47 .| <= ''
> 1C47 .<= ''
> 1C47 .=> phpCAS::setNoCasServerValidation() [index.php:9]
> 1C47 .| You have configured no validation of the legitimacy of the cas server. This is not recommended for production use. [CAS.php:1664]
> 1C47 .<= ''
> 1C47 .=> phpCAS::forceAuthentication() [index.php:11]
> 1C47 .| => CAS_Client::forceAuthentication() [CAS.php:1120]
> 1C47 .| | => CAS_Client::isAuthenticated() [Client.php:1275]
> 1C47 .| | | => CAS_Client::_wasPreviouslyAuthenticated() [Client.php:1387]
> 1C47 .| | | | neither user nor PGT found [Client.php:1606]
> 1C47 .| | | <= false
> 1C47 .| | | CAS 3.0 ticket `ST-2233404-pk47Ke1WYLFJ4tGiS0YswQZy3Nocas2' is present [Client.php:1440]
> 1C47 .| | | => CAS_Client::validateCAS20('', NULL, NULL, false) [Client.php:1443]
> 1C47 .| | | | [Client.php:3159]
> 1C47 .| | | | => CAS_Client::getServerServiceValidateURL() [Client.php:3165]
> 1C47 .| | | | | => CAS_Client::getURL() [Client.php:453]
> 1C47 .| | | | | | Final URI: MY_CLIENT_URL [Client.php:3528]
> 1C47 .| | | | | <= 'https://MY_CLIENT/test/'
> 1C47 .| | | | <= 'https://MY_CAS_SERVER/cas/p3/serviceValidate?service=MY_CLIENT'
> 1C47 .| | | | => CAS_Client::_readURL('https://MY_CAS_SERVER/cas/p3/serviceValidate?service=MY_CLIENT_URL&ticket=ST-2233404-pk47Ke1WYLFJ4tGiS0YswQZy3Nocas2&pgtUrl=MY_CLIENT', NULL, NULL, NULL) [Client.php:3180]
> 1C47 .| | | | | => CAS_Request_CurlRequest::sendRequest() [AbstractRequest.php:242]
> 1C47 .| | | | | | Response Body:
> 1C47 .| | | | | | <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
> 1C47 .| | | | | | <cas:authenticationFailure code="INVALID_PROXY_CALLBACK">The supplied proxy callback url 'MY_CLIENT_URL' could not be authenticated. Either 'MY_CLIENT_URL' cannot be reached, it is not allowed to exercise proxy authentication.</cas:authenticationFailure>
> 1C47 .| | | | | | </cas:serviceResponse>
> 1C47 .| | | | | |
> 1C47 .| | | | | | [CurlRequest.php:84]
> 1C47 .| | | | | <= true
> 1C47 .| | | | <= true
> 1C47 .| | | | => CAS_AuthenticationException::__construct(CAS_Client, 'Ticket not validated', 'https://MY_CAS_SERVER/cas/p3/serviceValidate?service=MY_CLIENT_URL&ticket=ST-2233404-pk47Ke1WYLFJ4tGiS0YswQZy3Nocas2&pgtUrl=MY_CLIENT_URL', false, false, '<cas:serviceResponse xmlns:cas=\'http://www.yale.edu/tp/cas\'> <cas:authenticationFailure code="INVALID_PROXY_CALLBACK">The supplied proxy callback url 'MY_CLIENT_URL' could not be authenticated. Either 'MY_CLIENT_URL' cannot be reached, it is not allowed to exercise proxy authentication.</cas:authenticationFailure></cas:serviceResponse>', 'INVALID_PROXY_CALLBACK', 'The supplied proxy callback url \'MY_CLIENT_URL\' could not be authenticated. Either \'MY_CLIENT_URL\' cannot be reached, it is not allowed to exercise proxy authentication.') [Client.php:3226]
> 1C47 .| | | | | => CAS_Client::getURL() [AuthenticationException.php:77]
> 1C47 .| | | | | <= 'MY_CLIENT_URL'
> 1C47 .| | | | | CAS URL: https://MY_CAS_SERVER/cas/p3/serviceValidate?service=MY_CLIENT_URL&ticket=ST-2233404-pk47Ke1WYLFJ4tGiS0YswQZy3Nocas2&pgtUrl=MY_CLIENT_URL [AuthenticationException.php:80]
> 1C47 .| | | | | Authentication failure: Ticket not validated [AuthenticationException.php:81]
> 1C47 .| | | | | Reason: [INVALID_PROXY_CALLBACK] CAS error: The supplied proxy callback url 'MY_CLIENT_URL' could not be authenticated. Either 'MY_CLIENT_URL/' cannot be reached, it is not allowed to exercise proxy authentication. [AuthenticationException.php:97]
> 1C47 .| | | | | CAS response: <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
> 1C47 .| | | | | <cas:authenticationFailure code="INVALID_PROXY_CALLBACK">The supplied proxy callback url 'MY_CLIENT_URL' could not be authenticated. Either 'MY_CLIENT_URL' cannot be reached, it is not allowed to exercise proxy authentication.</cas:authenticationFailure>
> 1C47 .| | | | | </cas:serviceResponse>
> 1C47 .| | | | | [AuthenticationException.php:102]
> 1C47 .| | | | | exit()
> 1C47 .| | | | | -
> 1C47 .| | | | -
> 1C47 .| | | -
>
> On Friday, 2 August 2019 13:12:32 UTC+8, Doug C wrote:
>>
>> This is probably the same issue as the debug.log files. The web server
>> must have the ability to read/write the location where the proxy granting
>> tickets are stored. There is probably some indication of this in the
>> debug.log.
>>
>>
>>
>> OR
>>
>>
>>
>> Did you configure the CAS server to allow this service to proxy
>> authentication? See
>> https://apereo.github.io/cas/5.0.x/installation/Configuring-Service-Proxy-Policy.html
>> .
>>
>>
>>
>>
>>
>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Daniel
>> Hui
>> *Sent:* Friday, August 2, 2019 11:31 AM
>> *To:* CAS Community <[email protected]>
>> *Subject:* Re: [cas-user] Newbie question, about CAS proxy and phpCAS
>>
>>
>>
>> I have checked the log by directly calling the
>> client (example_proxy_GET.php).
>>
>> And the problem is that when the proxy is trying to send the service URL to
>> register in the CAS server, the pgt is missing. Any hints to solve this
>> problem?
>>
>> https://MY_CAS_SERVER/cas/proxy?targetService=MY_API_URL&pgt=
>> <https://cas.ust.hk/cas/proxy?targetService=https%3A%5C%2F%5C%2Flbnx28.ust.hk%3A8002%5C%2Fapi%5C%2F&pgt=>
>>
>> On Friday, 2 August 2019 11:24:23 UTC+8, Doug C wrote:
>>
>> Perhaps your web server doesn’t have write permissions to the location
>> your debug.log is being written. Usually it is a good idea to create a
>> subdirectory that gives such rights to the web server and then tell the
>> script to put the debug.log there. I think a simple work around for the
>> time being would be to change the permissions on the current debug.log file
>> to give the web server ownership of it. If the file doesn’t exist yet,
>> touch it, and then transfer ownership.
>>
>>
>>
>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Daniel
>> Hui
>> *Sent:* Friday, August 2, 2019 11:18 AM
>> *To:* CAS Community <[email protected]>
>> *Subject:* Re: [cas-user] Newbie question, about CAS proxy and phpCAS
>>
>>
>>
>> example_simple.php script does run for me with CAS version 3.0. And the
>> debug info doesn't log the request if I am accessing using the URL, it only
>> logs the request if I run it directly using php in the console. Any hints?
>> Or do I need other things to set up properly?
>>
>> On Friday, 2 August 2019 11:14:12 UTC+8, Doug C wrote:
>>
>> Did you first get the example_simple.php script working? If not, do that
>> first. If you have, I have often found that looking in the debug.log
>> informs me as to what is going wrong and would suggest you look there.
>> Also, I don’t think you mentioned which version of the CAS server you are
>> running. If you are running an older version of the CAS server, you may
>> not be running version 3.0 of the CAS protocol.
>>
>>
>>
>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Daniel
>> Hui
>> *Sent:* Friday, August 2, 2019 11:10 AM
>> *To:* CAS Community <[email protected]>
>> *Subject:* Re: [cas-user] Newbie question, about CAS proxy and phpCAS
>>
>>
>>
>> Thanks for the advice. I am trying those scripts, but they are not
>> working. Am I missing something?
>>
>>
>>
>> Here is my code, with some modifications to the original examples:
>>
>> example_proxy_GET.php:
>>
>> <?php
>> require_once('../vendor/autoload.php');
>> require_once('config.php');
>> // Write the phpCAS debug trace to debug.log (must be writable by the web server)
>> $filename = 'debug.log';
>> phpCAS::setDebug($filename);
>> phpCAS::setVerbose(true);
>> // Initialise phpCAS as a CAS proxy; this makes it send a pgtUrl on validation
>> phpCAS::proxy(CAS_VERSION_3_0, $cas_host, $cas_port, $cas_context);
>> // Testing only: disables verification of the CAS server's certificate
>> phpCAS::setNoCasServerValidation();
>> phpCAS::forceAuthentication(); // it shows me authentication fails at this line of code
>> flush();
>> try {
>>     $service = phpCAS::getProxiedService(PHPCAS_PROXIED_SERVICE_HTTP_GET);
>>     $service->setUrl("my_API_URL"); // change it to my API URL to call the API
>>     $service->send();
>>     if ($service->getResponseStatusCode() == 200) {
>>         echo '<div class="success">';
>>         echo $service->getResponseBody();
>>         echo '</div>';
>>     } else {
>>         echo '<div class="error">';
>>         echo 'The service responded with a '
>>             . $service->getResponseStatusCode() . ' error.';
>>         echo '</div>';
>>     }
>> } catch (CAS_ProxyTicketException $e) {
>>     if ($e->getCode() == PHPCAS_SERVICE_PT_FAILURE) {
>>         echo '<div class="error">';
>>         echo "Your login has timed out. You need to log in again.";
>>         echo '</div>';
>>     } else {
>>         throw $e;
>>     }
>> } catch (CAS_ProxiedService_Exception $e) {
>>     echo "test";
>>     throw $e;
>> }
>> ?>
>> </body>
>> </html>
>>
>>
>>
>> example_service.php: (if I just call this directly, it works)
>>
>> <?php
>> require_once '../test/config.php';
>> require_once('../vendor/autoload.php');
>> $filename = 'debug.log';
>> // NOTE: in PHP this echoes the result of the comparison "TEST" > $filename;
>> // it is not a shell-style redirect and writes nothing to debug.log
>> echo "TEST">$filename;
>> phpCAS::setDebug($filename);
>> phpCAS::setVerbose(true);
>> phpCAS::client(CAS_VERSION_3_0, $cas_host, $cas_port, $cas_context); // load from config
>> // Testing only: disables verification of the CAS server's certificate
>> phpCAS::setNoCasServerValidation();
>> phpCAS::forceAuthentication();
>> //phpCAS::allowProxyChain(new CAS_ProxyChain_Any); // I have disabled this because I do not need to chain this service to another service
>> echo '<p>The user\'s login is <b>' . phpCAS::getUser() . '</b>.</p>';
>> // increment the number of requests of the session and print it
>> if (!isset($_SESSION['n'])) {
>>     $_SESSION['n'] = 0;
>> }
>> echo '<p>request #' . (++$_SESSION['n']) . '</p>';
>> ?>
>>
>>
>>
>> Thanks for your kind help and quick reply
>>
>>
>> On Friday, 2 August 2019 10:57:15 UTC+8, Doug C wrote:
>>
>> Daniel,
>>
>>
>>
>> I would recommend “getting your feet wet” first by working with the
>> example_simple.php script. Make sure to get this one working with your CAS
>> server first and then build from there by working with the
>> example_service.php which could act like your CAS protected API service and
>> example_proxy_GET.php which could act like the client wanting to access
>> your API.
>>
>>
>>
>> Doug
>>
>>
>>
>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Daniel
>> Hui
>> *Sent:* Friday, August 2, 2019 10:50 AM
>> *To:* CAS Community <[email protected]>
>> *Subject:* Re: [cas-user] Newbie question, about CAS proxy and phpCAS
>>
>>
>>
>> Hi Doug,
>>
>> May I know which examples suit the use for me? One script for the API and
>> another one for the Proxy. Thanks.
>>
>> On Friday, 2 August 2019 10:47:02 UTC+8, Doug C wrote:
>>
>> Daniel,
>>
>>
>>
>> Have you taken a look at the phpCAS examples at
>> https://github.com/apereo/phpCAS/tree/master/docs/examples? They are
>> really detailed with a lot of comments explaining what is happening and
>> even mentioning what things should be for testing and what should be
>> removed when deploying in a production environment.
>>
>>
>>
>> Doug
>>
>>
>>
>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Daniel
>> Hui
>> *Sent:* Friday, August 2, 2019 10:01 AM
>> *To:* CAS Community <[email protected]>
>> *Subject:* [cas-user] Newbie question, about CAS proxy and phpCAS
>>
>>
>>
>> Hey guys, I am building an API that requires CAS authentication, and the
>> client which calls the API also needs the CAS authentication. After some
>> Googling, I found out the proxy function suits my use and I want to
>> implement it using phpCAS in my API and also build a simulated client to
>> test my API for CAS authentication. But I cannot find any practical example
>> on the internet. May I get some help from you guys to show me some examples
>> to implement this? I need some kind of clear logic and clear code to help
>> me understand this. I do not fully understand what a CAS proxy is, and what
>> it can do.
>>
>>
>>
>>
>> https://apereo.github.io/cas/5.0.x/installation/Configuring-Proxy-Authentication.html
>>
>>
>>
>> P.S.: I have CAS implementation experience from before, building a website
>> that supports CAS.
>>
>>
>>
>> Thanks for the help
>>
>> --
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/17c31784-1dd3-43ac-8989-14df184e425f%40apereo.org
>>
>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/17c31784-1dd3-43ac-8989-14df184e425f%40apereo.org?utm_medium=email&utm_source=footer>
>> .
>>
>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/5a779f89-51e6-467f-ad96-03bde8022022%40apereo.org.
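
Added example (not part of the original thread and not phpCAS code): a small Python triage script for the INVALID_PROXY_CALLBACK failure shown in the log above. It parses a serviceValidate response body and runs client-side checks on the pgtUrl that was sent; the sample response, URL and host names are constructed placeholders, and the server-side proxy policy Doug links to still has to be checked on the CAS server itself.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed samples modelled on the debug log above (hosts are placeholders).
SAMPLE_RESPONSE = (
    "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
    '<cas:authenticationFailure code="INVALID_PROXY_CALLBACK">The supplied proxy '
    "callback url could not be authenticated.</cas:authenticationFailure>"
    "</cas:serviceResponse>"
)
SAMPLE_VALIDATE_URL = (
    "https://cas.example.org/cas/p3/serviceValidate"
    "?service=https%3A%2F%2Fclient.example.org%2Ftest%2F"
    "&ticket=ST-0-constructed&pgtUrl=http%3A%2F%2F127.0.0.1%2Ftest%2F"
)

def parse_validation(xml_text):
    """Return ("failure", code) or ("success", user) for a serviceValidate body."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("refusing XML with a DTD")  # avoid entity expansion
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        return "failure", failure.get("code")
    user = root.find("cas:authenticationSuccess/cas:user", CAS_NS)
    if user is None:
        raise ValueError("neither success nor failure element found")
    return "success", (user.text or "").strip()

def pgt_url_findings(validate_url):
    """Client-side checks on the pgtUrl that was sent to the CAS server."""
    pgt = parse_qs(urlsplit(validate_url).query).get("pgtUrl", [""])[0]
    if not pgt:
        return ["no pgtUrl sent, so no PGT can be issued"]
    findings = []
    if urlsplit(pgt).scheme != "https":  # CAS proxy callbacks are made over HTTPS
        findings.append("pgtUrl is not https")
    host = urlsplit(pgt).hostname or ""
    try:
        ip = ipaddress.ip_address(host)
        suspect = ip.is_loopback or ip.is_private
    except ValueError:  # a DNS name, not an IP literal
        suspect = host in ("", "localhost")
    if suspect:
        findings.append("pgtUrl host is loopback/private; the CAS server may not reach it")
    return findings
```

An empty findings list for a request that still fails with INVALID_PROXY_CALLBACK points at the server side: the callback's TLS certificate is not trusted by the CAS server, or the service is not authorized to proxy.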