I find the following sentences in the documentation (https://apereo.github.io/cas/4.2.x/installation/Configuring-Proxy-Authentication.html):
> If the callback URL is authorized by the service registry, and if the endpoint is under HTTPS and protected by an SSL certificate, CAS will also attempt to verify the validity of the endpoint’s certificate before it can establish a successful connection. *If the certificate is invalid, expired, missing a step in its chain, self-signed or otherwise, CAS will fail to execute the callback.*

If I didn't misunderstand this, so I have to ask my CAS server to register the proxy service for my CAS proxy implementation domain first? So this is the reason that I am unable to validate the ticket?

Thank you again for your kind help, although my problem is still not solved yet but at least I know I am on the right track in figuring out what is going wrong in here.

On Friday, 2 August 2019 15:05:22 UTC+8, Doug C wrote:
>
> Are you testing this on an internal server that isn’t accessible to the CAS server?
>
> The following is in your debug log:
>
> The supplied proxy callback url 'MY_CLIENT_URL' could not be authenticated. Either 'MY_CLIENT_URL' cannot be reached, it is not allowed to exercise proxy authentication
>
> If your MY_CLIENT_URL is not accessible from the CAS server then it will not be able to contact the callback server which in your scenario is the same as your client URL. Either that or the CAS server does not have a service registered for your service API that allows proxy authentication.
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Daniel Hui
> *Sent:* Friday, August 2, 2019 2:55 PM
> *To:* CAS Community <[email protected]>
> *Subject:* Re: [cas-user] Newbie question, about CAS proxy and phpCAS
>
> side note, the CAS server is not operated by me, but I think it has the proxy function provided
>
> On Friday, 2 August 2019 14:53:49 UTC+8, Daniel Hui wrote:
>
> sorry I made some mistakes in the previous reply, let me clarify what I have found now:
>
> Now in the client side (example_proxy_GET.php) I am able to generate the log for each access from the browser.
>
> And I found that when the client is trying to validate the service + ticket, the CAS server responds with INVALID_PROXY_CALLBACK
>
> What will be the possible cause for this?
>
> Thank you VERY VERY MUCH to help me solve this issue, this problem has been confusing me for a week.
>
> This is the log after 2nd login (first log in attempt is failed, then I click refresh to renew a ticket):
>
> 1C47 .START (2019-08-02 14:39:33) phpCAS-1.3.7 ****************** [CAS.php:475]
> 1C47 .=> phpCAS::proxy('3.0', 'MY_CAS_SERVER', 443, '/cas') [index.php:8]
> 1C47 .| => CAS_Client::__construct('3.0', true, 'MY_CAS_SERVER', 443, '/cas', true) [CAS.php:410]
> 1C47 .| | Starting a new session f9ac10f86d86edb204698c756da2059a [Client.php:932]
> 1C47 .| | Session is not authenticated [Client.php:938]
> 1C47 .| | Ticket 'ST-2233404-pk47Ke1WYLFJ4tGiS0YswQZy3Nocas2' found [Client.php:1015]
> 1C47 .| <= ''
> 1C47 .<= ''
> 1C47 .=> phpCAS::setNoCasServerValidation() [index.php:9]
> 1C47 .| You have configured no validation of the legitimacy of the cas server. This is not recommended for production use. [CAS.php:1664]
> 1C47 .<= ''
> 1C47 .=> phpCAS::forceAuthentication() [index.php:11]
> 1C47 .| => CAS_Client::forceAuthentication() [CAS.php:1120]
> 1C47 .| | => CAS_Client::isAuthenticated() [Client.php:1275]
> 1C47 .| | | => CAS_Client::_wasPreviouslyAuthenticated() [Client.php:1387]
> 1C47 .| | | | neither user nor PGT found [Client.php:1606]
> 1C47 .| | | <= false
> 1C47 .| | | CAS 3.0 ticket `ST-2233404-pk47Ke1WYLFJ4tGiS0YswQZy3Nocas2' is present [Client.php:1440]
> 1C47 .| | | => CAS_Client::validateCAS20('', NULL, NULL, false) [Client.php:1443]
> 1C47 .| | | | [Client.php:3159]
> 1C47 .| | | | => CAS_Client::getServerServiceValidateURL() [Client.php:3165]
> 1C47 .| | | | | => CAS_Client::getURL() [Client.php:453]
> 1C47 .| | | | | | Final URI: MY_CLIENT_URL [Client.php:3528]
> 1C47 .| | | | | <= 'https://MY_CLIENT/test/'
> 1C47 .| | | | <= 'https://MY_CAS_SERVER/cas/p3/serviceValidate?service=MY_CLIENT'
> 1C47 .| | | | => CAS_Client::_readURL('https://MY_CAS_SERVER/cas/p3/serviceValidate?service=MY_CLIENT_URL&ticket=ST-2233404-pk47Ke1WYLFJ4tGiS0YswQZy3Nocas2&pgtUrl=MY_CLIENT', NULL, NULL, NULL) [Client.php:3180]
> 1C47 .| | | | | => CAS_Request_CurlRequest::sendRequest() [AbstractRequest.php:242]
> 1C47 .| | | | | | Response Body:
> 1C47 .| | | | | | <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
> 1C47 .| | | | | | <cas:authenticationFailure code="INVALID_PROXY_CALLBACK">The supplied proxy callback url 'MY_CLIENT_URL' could not be authenticated. Either 'MY_CLIENT_URL' cannot be reached, it is not allowed to exercise proxy authentication.</cas:authenticationFailure>
> 1C47 .| | | | | | </cas:serviceResponse>
> 1C47 .| | | | | |
> 1C47 .| | | | | | [CurlRequest.php:84]
> 1C47 .| | | | | <= true
> 1C47 .| | | | <= true
> 1C47 .| | | | => CAS_AuthenticationException::__construct(CAS_Client, 'Ticket not validated', 'https://MY_CAS_SERVER/cas/p3/serviceValidate?service=MY_CLIENT_URL&ticket=ST-2233404-pk47Ke1WYLFJ4tGiS0YswQZy3Nocas2&pgtUrl=MY_CLIENT_URL', false, false, '<cas:serviceResponse xmlns:cas=\'http://www.yale.edu/tp/cas\'> <cas:authenticationFailure code="INVALID_PROXY_CALLBACK">The supplied proxy callback url 'MY_CLIENT_URL' could not be authenticated. Either 'MY_CLIENT_URL' cannot be reached, it is not allowed to exercise proxy authentication.</cas:authenticationFailure></cas:serviceResponse>', 'INVALID_PROXY_CALLBACK', 'The supplied proxy callback url \'MY_CLIENT_URL\' could not be authenticated. Either \'MY_CLIENT_URL\' cannot be reached, it is not allowed to exercise proxy authentication.') [Client.php:3226]
> 1C47 .| | | | | => CAS_Client::getURL() [AuthenticationException.php:77]
> 1C47 .| | | | | <= 'MY_CLIENT_URL'
> 1C47 .| | | | | CAS URL: https://MY_CAS_SERVER/cas/p3/serviceValidate?service=MY_CLIENT_URL&ticket=ST-2233404-pk47Ke1WYLFJ4tGiS0YswQZy3Nocas2&pgtUrl=MY_CLIENT_URL [AuthenticationException.php:80]
> 1C47 .| | | | | Authentication failure: Ticket not validated [AuthenticationException.php:81]
> 1C47 .| | | | | Reason: [INVALID_PROXY_CALLBACK] CAS error: The supplied proxy callback url 'MY_CLIENT_URL' could not be authenticated. Either 'MY_CLIENT_URL/' cannot be reached, it is not allowed to exercise proxy authentication. [AuthenticationException.php:97]
> 1C47 .| | | | | CAS response: <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
> 1C47 .| | | | | <cas:authenticationFailure code="INVALID_PROXY_CALLBACK">The supplied proxy callback url 'MY_CLIENT_URL' could not be authenticated. Either 'MY_CLIENT_URL' cannot be reached, it is not allowed to exercise proxy authentication.</cas:authenticationFailure>
> 1C47 .| | | | | </cas:serviceResponse>
> 1C47 .| | | | | [AuthenticationException.php:102]
> 1C47 .| | | | | exit()
> 1C47 .| | | | | -
> 1C47 .| | | | -
> 1C47 .| | | -
>
> On Friday, 2 August 2019 13:12:32 UTC+8, Doug C wrote:
>
> This is probably the same issue as the debug.log files. The web server must have the ability to read/write the location where the proxy granting tickets are stored. There is probably some indication of this in the debug.log.
>
> OR
>
> Did you configure the CAS server to allow this service to proxy authentication? See https://apereo.github.io/cas/5.0.x/installation/Configuring-Service-Proxy-Policy.html .
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Daniel Hui
> *Sent:* Friday, August 2, 2019 11:31 AM
> *To:* CAS Community <[email protected]>
> *Subject:* Re: [cas-user] Newbie question, about CAS proxy and phpCAS
>
> I have checked the log by directly calling the client (example_proxy_GET.php)
>
> And the problem is when the proxy trying to send the service URL to register in the CAS server, the pgt is missing, any hints to solve this problem?
>
> https://MY_CAS_SERVER/cas/proxy?targetService=MY_API_URL&pgt=
>
> On Friday, 2 August 2019 11:24:23 UTC+8, Doug C wrote:
>
> Perhaps your web server doesn’t have write permissions to the location your debug.log is being written. Usually it is a good idea to create a subdirectory that gives such rights to the web server and then tell the script to put the debug.log there. I think a simple work around for the time being would be to change the permissions on the current debug.log file to give the web server ownership of it. If the file doesn’t exist yet, touch it, and then transfer ownership.
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Daniel Hui
> *Sent:* Friday, August 2, 2019 11:18 AM
> *To:* CAS Community <[email protected]>
> *Subject:* Re: [cas-user] Newbie question, about CAS proxy and phpCAS
>
> example_simple.php script does run for me with CAS version 3.0. And the debug info doesn't log the request if I am accessing using the URL, it only logs the request if I run it directly using php in the console. Any hints? Or do I need other things to set up properly?
>
> On Friday, 2 August 2019 11:14:12 UTC+8, Doug C wrote:
>
> Did you first get the example_simple.php script working? If not, do that first. If you have, I have often found that looking in the debug.log informs me as to what is going wrong and would suggest you look there. Also, I don’t think you mentioned which version of the CAS server you are running. If you are running an older version of the CAS server, you may not be running version 3.0 of the CAS protocol.
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Daniel Hui
> *Sent:* Friday, August 2, 2019 11:10 AM
> *To:* CAS Community <[email protected]>
> *Subject:* Re: [cas-user] Newbie question, about CAS proxy and phpCAS
>
> Thanks for the advice, I am trying those scripts, but they are not working, do I miss something?
>
> Here is my code, with some modifications for the original examples
>
> example_proxy_GET.php:
>
> <?php
> require_once('../vendor/autoload.php');
> require_once('config.php');
> $filename = 'debug.log';
> phpCAS::setDebug($filename);
> phpCAS::setVerbose(true);
> phpCAS::proxy(CAS_VERSION_3_0, $cas_host, $cas_port, $cas_context);
> phpCAS::setNoCasServerValidation();
> phpCAS::forceAuthentication(); //it shows me authentication fails at this line of code
> flush();
> try {
>     $service = phpCAS::getProxiedService(PHPCAS_PROXIED_SERVICE_HTTP_GET);
>     $service->setUrl("my_API_URL"); //change it to my API URL to call the API
>     $service->send();
>     if ($service->getResponseStatusCode() == 200) {
>         echo '<div class="success">';
>         echo $service->getResponseBody();
>         echo '</div>';
>     } else {
>         echo '<div class="error">';
>         echo 'The service responded with a '
>             . $service->getResponseStatusCode() . ' error.';
>         echo '</div>';
>     }
> } catch (CAS_ProxyTicketException $e) {
>     if ($e->getCode() == PHPCAS_SERVICE_PT_FAILURE) {
>         echo '<div class="error">';
>         echo "Your login has timed out. You need to log in again.";
>         echo '</div>';
>     } else {
>         throw $e;
>     }
> } catch (CAS_ProxiedService_Exception $e) {
>     echo "test";
>     throw $e;
> }
> ?>
> </body>
> </html>
>
> example_service.php: (if I just call this directly, it works)
>
> <?php
> require_once '../test/config.php';
> require_once('../vendor/autoload.php');
> $filename = 'debug.log';
> echo "TEST">$filename; // compares the two strings and echoes the boolean result; writes nothing to $filename
> phpCAS::setDebug($filename);
> phpCAS::setVerbose(true);
> phpCAS::client(CAS_VERSION_3_0, $cas_host, $cas_port, $cas_context); //load from config
> phpCAS::setNoCasServerValidation();
> phpCAS::forceAuthentication();
> //phpCAS::allowProxyChain(new CAS_ProxyChain_Any); //I have disabled this because I do not need to chain this service to another service
> echo '<p>The user\'s login is <b>' . phpCAS::getUser() . '</b>.</p>';
> // increment the number of requests of the session and print it
> if (!isset($_SESSION['n'])) {
>     $_SESSION['n'] = 0;
> }
> echo '<p>request #' . (++$_SESSION['n']) . '</p>';
> ?>
>
> Thanks for your kind help and quick reply
>
> On Friday, 2 August 2019 10:57:15 UTC+8, Doug C wrote:
>
> Daniel,
>
> I would recommend “getting your feet wet” first by working with the example_simple.php script. Make sure to get this one working with your CAS server first and then build from there by working with the example_service.php which could act like your CAS protected API service and example_proxy_GET.php which could act like the client wanting to access your API.
>
> Doug
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Daniel Hui
> *Sent:* Friday, August 2, 2019 10:50 AM
> *To:* CAS Community <[email protected]>
> *Subject:* Re: [cas-user] Newbie question, about CAS proxy and phpCAS
>
> Hi Doug,
>
> May I know which examples suit the use for me? One script for the API and another one for the Proxy. Thanks.
>
> On Friday, 2 August 2019 10:47:02 UTC+8, Doug C wrote:
>
> Daniel,
>
> Have you taken a look at the phpCAS examples at https://github.com/apereo/phpCAS/tree/master/docs/examples? They are really detailed with a lot of comments explaining what is happening and even mentioning what things should be for testing and what should be removed when deploying in a production environment.
>
> Doug
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Daniel Hui
> *Sent:* Friday, August 2, 2019 10:01 AM
> *To:* CAS Community <[email protected]>
> *Subject:* [cas-user] Newbie question, about CAS proxy and phpCAS
>
> Hey guys, I am building an API that requires CAS authentication, and the client which calls the API also needs the CAS authentication.
> After some Googling, I find out the proxy function suits my use and I want to implement it using phpCAS in my API and also build a simulate client to test my API for CAS authentication. But I cannot find any practical example on the internet. May I get some help from you guys to show me some examples to implement this? I need some kind of clear logic and clear codes to help me understand this. I do not fully understand what is a CAS proxy, and what can it do.
>
> https://apereo.github.io/cas/5.0.x/installation/Configuring-Proxy-Authentication.html
>
> p.s.: I have CAS implementation experience before, which build a website that supports CAS.
>
> Thanks for the help
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/17c31784-1dd3-43ac-8989-14df184e425f%40apereo.org.
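
Added example, not part of the thread and not phpCAS or CAS project code: a Python triage helper for the INVALID_PROXY_CALLBACK failure discussed above. It parses a serviceValidate response and runs the client-side checks on the pgtUrl that the replies suggest (HTTPS endpoint, host reachable from the CAS server). The sample responses, host names and function names are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET  # stdlib here; prefer defusedxml for untrusted XML
from urllib.parse import urlsplit

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed samples shaped like the response body in the debug log above.
SAMPLE_FAILURE = (
    "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
    '<cas:authenticationFailure code="INVALID_PROXY_CALLBACK">The supplied proxy '
    "callback url 'https://client.example.org/test/' could not be authenticated."
    "</cas:authenticationFailure></cas:serviceResponse>"
)
SAMPLE_SUCCESS = (
    "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
    "<cas:authenticationSuccess><cas:user>jdoe</cas:user>"
    "<cas:proxyGrantingTicket>PGTIOU-1-constructed</cas:proxyGrantingTicket>"
    "</cas:authenticationSuccess></cas:serviceResponse>"
)


def parse_validate_response(xml_text):
    """Parse a serviceValidate body into ok/code/message or ok/user/pgt_iou."""
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        message = " ".join((failure.text or "").split())
        return {"ok": False, "code": failure.get("code"), "message": message}
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise ValueError("not a CAS serviceResponse")
    get = lambda tag: success.findtext(tag, namespaces=CAS_NS)
    return {"ok": True, "user": get("cas:user"), "pgt_iou": get("cas:proxyGrantingTicket")}


def callback_preflight(pgt_url):
    """Client-side checks on the pgtUrl; returns a list of problems (empty if none)."""
    problems = []
    parts = urlsplit(pgt_url)
    host = parts.hostname or ""
    if parts.scheme != "https":  # the CAS protocol expects an HTTPS callback
        problems.append("callback is not HTTPS")
    try:
        addr = ipaddress.ip_address(host)
        internal = addr.is_private or addr.is_loopback or addr.is_link_local
    except ValueError:  # a host name, not an IP literal
        internal = host in ("", "localhost") or "." not in host
    if internal:
        problems.append("callback host may not be reachable from the CAS server")
    return problems


def diagnose(xml_text, pgt_url):
    """Findings for one validation attempt; [] means ticket and callback were accepted."""
    result = parse_validate_response(xml_text)
    if result["ok"]:
        return [] if result["pgt_iou"] else ["validated, but no PGT IOU was issued"]
    if result["code"] != "INVALID_PROXY_CALLBACK":
        return ["%s: %s" % (result["code"], result["message"])]
    return callback_preflight(pgt_url) + [
        "check certificate chain and service registry proxy policy on the CAS side"]
```

The last finding is always reported for INVALID_PROXY_CALLBACK because certificate trust and the service registry entry can only be confirmed on the CAS server itself.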
