Are you testing this on an internal server that isn’t accessible to the CAS server?
The following is in your debug log:

The supplied proxy callback url 'MY_CLIENT_URL' could not be authenticated. Either 'MY_CLIENT_URL' cannot be reached, it is not allowed to exercise proxy authentication

If your MY_CLIENT_URL is not accessible from the CAS server then it will not be able to contact the callback server which in your scenario is the same as your client URL. Either that or the CAS server does not have a service registered for your service API that allows proxy authentication.

From: [email protected] On Behalf Of Daniel Hui
Sent: Friday, August 2, 2019 2:55 PM
To: CAS Community <[email protected]>
Subject: Re: [cas-user] Newbie question, about CAS proxy and phpCAS

Side note: the CAS server is not operated by me, but I think it has the proxy function provided.

On Friday, 2 August 2019 14:53:49 UTC+8, Daniel Hui wrote:

Sorry, I made some mistakes in the previous reply, let me clarify what I have found now:

Now on the client side (example_proxy_GET.php) I am able to generate the log for each access from the browser. And I found that when the client is trying to validate the service + ticket, the CAS server responds with INVALID_PROXY_CALLBACK.

What will be the possible cause for this?

Thank you VERY VERY MUCH for helping me solve this issue, this problem has been confusing me for a week.
This is the log after 2nd login (first log in attempt is failed, then I click refresh to renew a ticket):

1C47 .START (2019-08-02 14:39:33) phpCAS-1.3.7 ****************** [CAS.php:475]
1C47 .=> phpCAS::proxy('3.0', 'MY_CAS_SERVER', 443, '/cas') [index.php:8]
1C47 .| => CAS_Client::__construct('3.0', true, 'MY_CAS_SERVER', 443, '/cas', true) [CAS.php:410]
1C47 .| | Starting a new session f9ac10f86d86edb204698c756da2059a [Client.php:932]
1C47 .| | Session is not authenticated [Client.php:938]
1C47 .| | Ticket 'ST-2233404-pk47Ke1WYLFJ4tGiS0YswQZy3Nocas2' found [Client.php:1015]
1C47 .| <= ''
1C47 .<= ''
1C47 .=> phpCAS::setNoCasServerValidation() [index.php:9]
1C47 .| You have configured no validation of the legitimacy of the cas server. This is not recommended for production use. [CAS.php:1664]
1C47 .<= ''
1C47 .=> phpCAS::forceAuthentication() [index.php:11]
1C47 .| => CAS_Client::forceAuthentication() [CAS.php:1120]
1C47 .| | => CAS_Client::isAuthenticated() [Client.php:1275]
1C47 .| | | => CAS_Client::_wasPreviouslyAuthenticated() [Client.php:1387]
1C47 .| | | | neither user nor PGT found [Client.php:1606]
1C47 .| | | <= false
1C47 .| | | CAS 3.0 ticket `ST-2233404-pk47Ke1WYLFJ4tGiS0YswQZy3Nocas2' is present [Client.php:1440]
1C47 .| | | => CAS_Client::validateCAS20('', NULL, NULL, false) [Client.php:1443]
1C47 .| | | | [Client.php:3159]
1C47 .| | | | => CAS_Client::getServerServiceValidateURL() [Client.php:3165]
1C47 .| | | | | => CAS_Client::getURL() [Client.php:453]
1C47 .| | | | | | Final URI: MY_CLIENT_URL [Client.php:3528]
1C47 .| | | | | <= 'https://MY_CLIENT/test/'
1C47 .| | | | <= 'https://MY_CAS_SERVER/cas/p3/serviceValidate?service=MY_CLIENT'
1C47 .| | | | => CAS_Client::_readURL('https://MY_CAS_SERVER/cas/p3/serviceValidate?service=MY_CLIENT_URL&ticket=ST-2233404-pk47Ke1WYLFJ4tGiS0YswQZy3Nocas2&pgtUrl=MY_CLIENT', NULL, NULL, NULL) [Client.php:3180]
1C47 .| | | | | => CAS_Request_CurlRequest::sendRequest() [AbstractRequest.php:242]
1C47 .| | | | | | Response Body:
1C47 .| | | | | | <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
1C47 .| | | | | | <cas:authenticationFailure code="INVALID_PROXY_CALLBACK">The supplied proxy callback url 'MY_CLIENT_URL' could not be authenticated. Either 'MY_CLIENT_URL' cannot be reached, it is not allowed to exercise proxy authentication.</cas:authenticationFailure>
1C47 .| | | | | | </cas:serviceResponse>
1C47 .| | | | | |
1C47 .| | | | | | [CurlRequest.php:84]
1C47 .| | | | | <= true
1C47 .| | | | <= true
1C47 .| | | | => CAS_AuthenticationException::__construct(CAS_Client, 'Ticket not validated', 'https://MY_CAS_SERVER/cas/p3/serviceValidate?service=MY_CLIENT_URL&ticket=ST-2233404-pk47Ke1WYLFJ4tGiS0YswQZy3Nocas2&pgtUrl=MY_CLIENT_URL', false, false, '<cas:serviceResponse xmlns:cas=\'http://www.yale.edu/tp/cas\'> <cas:authenticationFailure code="INVALID_PROXY_CALLBACK">The supplied proxy callback url 'MY_CLIENT_URL' could not be authenticated. Either 'MY_CLIENT_URL' cannot be reached, it is not allowed to exercise proxy authentication.</cas:authenticationFailure></cas:serviceResponse>', 'INVALID_PROXY_CALLBACK', 'The supplied proxy callback url \'MY_CLIENT_URL\' could not be authenticated. Either \'MY_CLIENT_URL\' cannot be reached, it is not allowed to exercise proxy authentication.') [Client.php:3226]
1C47 .| | | | | => CAS_Client::getURL() [AuthenticationException.php:77]
1C47 .| | | | | <= 'MY_CLIENT_URL'
1C47 .| | | | | CAS URL: https://MY_CAS_SERVER/cas/p3/serviceValidate?service=MY_CLIENT_URL&ticket=ST-2233404-pk47Ke1WYLFJ4tGiS0YswQZy3Nocas2&pgtUrl=MY_CLIENT_URL [AuthenticationException.php:80]
1C47 .| | | | | Authentication failure: Ticket not validated [AuthenticationException.php:81]
1C47 .| | | | | Reason: [INVALID_PROXY_CALLBACK] CAS error: The supplied proxy callback url 'MY_CLIENT_URL' could not be authenticated. Either 'MY_CLIENT_URL/' cannot be reached, it is not allowed to exercise proxy authentication. [AuthenticationException.php:97]
1C47 .| | | | | CAS response: <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
1C47 .| | | | | <cas:authenticationFailure code="INVALID_PROXY_CALLBACK">The supplied proxy callback url 'MY_CLIENT_URL' could not be authenticated. Either 'MY_CLIENT_URL' cannot be reached, it is not allowed to exercise proxy authentication.</cas:authenticationFailure>
1C47 .| | | | | </cas:serviceResponse>
1C47 .| | | | | [AuthenticationException.php:102]
1C47 .| | | | | exit()
1C47 .| | | | | -
1C47 .| | | | -
1C47 .| | | -

On Friday, 2 August 2019 13:12:32 UTC+8, Doug C wrote:

This is probably the same issue as the debug.log files. The web server must have the ability to read/write the location where the proxy granting tickets are stored. There is probably some indication of this in the debug.log.

OR

Did you configure the CAS server to allow this service to proxy authentication? See https://apereo.github.io/cas/5.0.x/installation/Configuring-Service-Proxy-Policy.html.

From: [email protected] On Behalf Of Daniel Hui
Sent: Friday, August 2, 2019 11:31 AM
To: CAS Community <[email protected]>
Subject: Re: [cas-user] Newbie question, about CAS proxy and phpCAS

I have checked the log by directly calling the client (example_proxy_GET.php)

And the problem is when the proxy trying to send the service URL to register in the CAS server, the pgt is missing, any hints to solve this problem?

https://MY_CAS_SERVER/cas/proxy?targetService=MY_API_URL&pgt=

On Friday, 2 August 2019 11:24:23 UTC+8, Doug C wrote:

Perhaps your web server doesn’t have write permissions to the location your debug.log is being written. Usually it is a good idea to create a subdirectory that gives such rights to the web server and then tell the script to put the debug.log there. I think a simple work around for the time being would be to change the permissions on the current debug.log file to give the web server ownership of it. If the file doesn’t exist yet, touch it, and then transfer ownership.

From: [email protected] On Behalf Of Daniel Hui
Sent: Friday, August 2, 2019 11:18 AM
To: CAS Community <[email protected]>
Subject: Re: [cas-user] Newbie question, about CAS proxy and phpCAS

example_simple.php script does run for me with CAS version 3.0. And the debug info doesn't log the request if I am accessing using the URL, it only logs the request if I run it directly using php in the console. Any hints? Or do I need other things to set up properly?

On Friday, 2 August 2019 11:14:12 UTC+8, Doug C wrote:

Did you first get the example_simple.php script working? If not, do that first.
If you have, I have often found that looking in the debug.log informs me as to what is going wrong and would suggest you look there. Also, I don’t think you mentioned which version of the CAS server you are running. If you are running an older version of the CAS server, you may not be running version 3.0 of the CAS protocol.

From: [email protected] On Behalf Of Daniel Hui
Sent: Friday, August 2, 2019 11:10 AM
To: CAS Community <[email protected]>
Subject: Re: [cas-user] Newbie question, about CAS proxy and phpCAS

Thanks for the advice, I am trying those scripts, but they are not working, do I miss something?

Here is my code, with some modifications for the original examples

example_proxy_GET.php:

<?php
require_once('../vendor/autoload.php');
require_once('config.php');

$filename = 'debug.log';
phpCAS::setDebug($filename);
phpCAS::setVerbose(true);
phpCAS::proxy(CAS_VERSION_3_0, $cas_host, $cas_port, $cas_context);
phpCAS::setNoCasServerValidation();
phpCAS::forceAuthentication(); //it shows me authentication fails at this line of code
flush();
try {
    $service = phpCAS::getProxiedService(PHPCAS_PROXIED_SERVICE_HTTP_GET);
    $service->setUrl("my_API_URL"); //change it to my API URL to call the API
    $service->send();
    if ($service->getResponseStatusCode() == 200) {
        echo '<div class="success">';
        echo $service->getResponseBody();
        echo '</div>';
    } else {
        echo '<div class="error">';
        echo 'The service responded with a ' . $service->getResponseStatusCode() . ' error.';
        echo '</div>';
    }
} catch (CAS_ProxyTicketException $e) {
    if ($e->getCode() == PHPCAS_SERVICE_PT_FAILURE) {
        echo '<div class="error">';
        echo "Your login has timed out. You need to log in again.";
        echo '</div>';
    } else {
        throw $e;
    }
} catch (CAS_ProxiedService_Exception $e) {
    echo "test";
    throw $e;
}
?>
</body>
</html>

example_service.php: (if I just call this directly, it works)

<?php
require_once '../test/config.php';
require_once('../vendor/autoload.php');

$filename = 'debug.log';
// NOTE: in PHP this echoes the result of the comparison "TEST" > $filename; it does not write to the file
echo "TEST">$filename;
phpCAS::setDebug($filename);
phpCAS::setVerbose(true);
phpCAS::client(CAS_VERSION_3_0, $cas_host, $cas_port, $cas_context); //load from config
phpCAS::setNoCasServerValidation();
phpCAS::forceAuthentication();
//phpCAS::allowProxyChain(new CAS_ProxyChain_Any); //I have disabled this because I do not need to chain this service to another service
echo '<p>The user\'s login is <b>' . phpCAS::getUser() . '</b>.</p>';
// increment the number of requests of the session and print it
if (!isset($_SESSION['n'])) {
    $_SESSION['n'] = 0;
}
echo '<p>request #' . (++$_SESSION['n']) . '</p>';
?>

Thanks for your kind help and quick reply

On Friday, 2 August 2019 10:57:15 UTC+8, Doug C wrote:

Daniel,

I would recommend “getting your feet wet” first by working with the example_simple.php script. Make sure to get this one working with your CAS server first and then build from there by working with the example_service.php which could act like your CAS protected API service and example_proxy_GET.php which could act like the client wanting to access your API.

Doug

From: [email protected] On Behalf Of Daniel Hui
Sent: Friday, August 2, 2019 10:50 AM
To: CAS Community <[email protected]>
Subject: Re: [cas-user] Newbie question, about CAS proxy and phpCAS

Hi Doug,

May I know which examples suit the use for me? One script for the API and another one for the Proxy. Thanks.

On Friday, 2 August 2019 10:47:02 UTC+8, Doug C wrote:

Daniel,

Have you taken a look at the phpCAS examples at https://github.com/apereo/phpCAS/tree/master/docs/examples?
They are really detailed with a lot of comments explaining what is happening and even mentioning what things should be for testing and what should be removed when deploying in a production environment.

Doug

From: [email protected] On Behalf Of Daniel Hui
Sent: Friday, August 2, 2019 10:01 AM
To: CAS Community <[email protected]>
Subject: [cas-user] Newbie question, about CAS proxy and phpCAS

Hey guys,

I am building an API that requires CAS authentication, and the client which calls the API also needs the CAS authentication. After some Googling, I find out the proxy function suits my use and I want to implement it using phpCAS in my API and also build a simulate client to test my API for CAS authentication.

But I cannot find any practical example on the internet. May I get some help from you guys to show me some examples to implement this? I need some kind of clear logic and clear codes to help me understand this. I do not fully understand what is a CAS proxy, and what can it do.

https://apereo.github.io/cas/5.0.x/installation/Configuring-Proxy-Authentication.html

p.s.: I have CAS implementation experience before, which build a website that supports CAS.

Thanks for the help

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/17c31784-1dd3-43ac-8989-14df184e425f%40apereo.org.
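
Added example, not part of the thread and not phpCAS code: a Python triage helper for the INVALID_PROXY_CALLBACK failure discussed above. It parses the serviceValidate response and checks the pgtUrl sent in the validation request against the causes raised in the replies; the HTTPS rule comes from the CAS protocol specification, the host checks are heuristics, and all function names, host names and tickets are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

def parse_validation_response(xml_text):
    """Return ('failure', code, message) or ('success', user, pgt_iou)."""
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        return ("failure", failure.get("code"), (failure.text or "").strip())
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise ValueError("not a CAS serviceResponse")
    return ("success",
            success.findtext("cas:user", namespaces=CAS_NS),
            success.findtext("cas:proxyGrantingTicket", namespaces=CAS_NS))

def callback_problems(validate_url):
    """Client-side reasons the CAS server may fail to call back to pgtUrl."""
    pgt_urls = parse_qs(urlsplit(validate_url).query).get("pgtUrl")
    if not pgt_urls:
        return ["no pgtUrl in request: the client did not ask for a PGT"]
    callback = urlsplit(pgt_urls[0])
    host = callback.hostname or ""
    # The CAS protocol specification requires an HTTPS proxy callback.
    problems = [] if callback.scheme == "https" else ["callback is not https"]
    try:
        ip = ipaddress.ip_address(host)
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            problems.append("callback host is a non-routable address")
    except ValueError:  # a hostname, not an IP literal
        if host == "localhost" or "." not in host:
            problems.append("callback host is not a fully qualified name")
    return problems

def diagnose(xml_text, validate_url):
    """Turn a failed validation into a checklist; empty list on success."""
    status, code, _ = parse_validation_response(xml_text)
    if status == "success":
        return []
    if code != "INVALID_PROXY_CALLBACK":
        return ["validation failed with " + str(code)]
    return callback_problems(validate_url) + [
        "confirm the CAS service registry lets this service proxy"]

# Constructed sample input; host names and the ticket are placeholders.
SAMPLE_FAILURE = (
    "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
    "<cas:authenticationFailure code=\"INVALID_PROXY_CALLBACK\">callback "
    "could not be authenticated</cas:authenticationFailure></cas:serviceResponse>")
SAMPLE_URL = ("https://cas.example.org/cas/p3/serviceValidate?ticket=ST-1-constructed"
              "&service=https%3A%2F%2F10.0.0.5%2Ftest%2F"
              "&pgtUrl=https%3A%2F%2F10.0.0.5%2Ftest%2F")
```

Call `diagnose(SAMPLE_FAILURE, SAMPLE_URL)` with the response body and the validation URL copied from the phpCAS debug.log; a private address can still be reachable when the CAS server sits on the same network, so treat the host findings as prompts to test reachability from the CAS server itself.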
