An ST is (should be) validated only once and for only one service. Each
service will go through the CAS dance, passing in the TGT and service URL,
to receive its own ST.
If a third application needs to authenticate to your API, look at
proxying:
https://apereo.github.io/cas/4.2.x/installation/Configuring-Proxy-Authentication.html

Ray

On 2016-06-17 13:12, John Stevens II wrote:
> Thank you, I've increased the service ticket timeout value and was
> able to validate a ticket via /serviceValidate but I can only validate
> the ticket once.
>
> If I am using the CAS Rest API to authenticate APIs that we develop I
> would want to verify that the service ticket is valid on every call to
> our APIs. How do I achieve this or is there another recommended way
> to achieve this?
>
> I see the option st.numOfUses for service tickets but not sure if
> unlimited is a valid option or if it's even recommended.
>
> On Friday, June 17, 2016 at 3:42:22 PM UTC-4, Misagh Moayyed wrote:
>
>     /serviceValidate.
>
>     *From:* [email protected] [mailto:[email protected]] *On Behalf Of* John Stevens II
>     *Sent:* Friday, June 17, 2016 12:10 PM
>     *To:* CAS Community <[email protected]>
>     *Cc:* [email protected]; [email protected]
>     *Subject:* Re: [cas-user] Rest API Service Ticket Validation Issue
>
>     Ok that may work, is that the recommended way to verify service
>     tickets for the Rest API (Without using the php client) or should
>     I not be relying on the actual client?
>
>     On Friday, June 17, 2016 at 2:49:08 PM UTC-4, Dmitriy Kopylenko wrote:
>
>         By the time the /serviceValidate with ST is called, the ST
>         lifetime has expired (10 seconds default). Increase the ST TTL
>         on the CAS server to something longer, but reasonable and see
>         if it helps.
>
>          
>
>         Best,
>
>         D.
>
>          
>
>             On Jun 17, 2016, at 2:44 PM, John Stevens II
>             <[email protected]> wrote:
>
>              
>
>             Need some insight on how to properly use the Rest API.
>
>              
>
>             I have a simple php application below castest.php:
>
>              
>
>             <?php
>
>             require_once '/var/www/sites/CAS-1.3.4/CAS.php';
>
>             phpCAS::setDebug();
>             // Enable verbose error messages. Disable in production!
>             phpCAS::setVerbose(true);
>             // Initialize phpCAS
>             phpCAS::client(CAS_VERSION_2_0, 'access.example.com', 443, '/cas');
>
>             // Skips validation of the CAS server's certificate; use
>             // phpCAS::setCasServerCACert() outside of testing.
>             phpCAS::setNoCasServerValidation();
>             // force CAS authentication
>             phpCAS::forceAuthentication();
>
>             echo "It worked";
>
>             ?>
>
>
>             Visiting the php page in the browser works with no
>             problem, I'm able to authenticate and access the content
>             with no problem.
>
>              
>
>             I can post to my post server rest url to get my TGT: 
>
>              
>
>             Posting form data:
>
>             username=Randomuser&password=Randompassword
>
>              
>
>             To:
>
>             https://access.example.com/cas/v1/tickets
>
>             Data (TGT) returned is:
>
>             https://access.example.com/cas/v1/tickets/TGT-19-MKJRShaS2EebhGB3HHbZabi6O0I2KeSgWkXz3xGvKjamJgqi5M-cas2.example.com
>
>
>             Now I take my TGT url and post my service to get my ST:
>
>              
>
>             Posting form data:
>
>             service=http%3A%2F%2Ftest.example.com%2Fcastest.php
>
>             To:
>
>             https://access.example.com/cas/v1/tickets/TGT-19-MKJRShaS2EebhGB3HHbZabi6O0I2KeSgWkXz3xGvKjamJgqi5M-cas2.example.com
>
>
>             Data (ST) returned is:
>
>             0000: 53 54 2D 32  31 2D 79 47  59 69 57 6E  63 45 62 65  | ST-21-yGYiWncEbe |
>             0010: 70 78 78 71  33 4B 6E 78  4F 52 2D 63  61 73 32 2E  | pxxq3KnxOR-cas2. |
>             0020: 69 6E 6D 61  72 2E 63 6F  6D                        | example.com      |
>
>              
>
>
>             All is good so far, I have my TGT and ST now I should be
>             able to access my castest.php site so I do a get request
>             on this url with my ticket as a parameter:
>
>              
>
>             Get:
>
>             http://test.example.com/castest.php?ticket=ST-21-yGYiWncEbepxxq3KnxOR-cas2.example.com
>
>
>             Error is returned:
>
>             <html><head><title>CAS Authentication
>             failed!</title></head><body><h1>CAS Authentication
>             failed!</h1><p>You were not authenticated.</p><p>You may
>             submit your request again by clicking <a
>             href="http://test.example.com/castest.php">here</a>.</p><p>If
>             the problem persists, you may contact <a
>             href="mailto:ro...@localhost";>the administrator of this
>             site</a>.</p><hr><address>phpCAS 1.3.4 using server <a
>             href="https://access.example.com/cas/">https://access.example.com/cas/</a> (CAS
>             2.0)</a></address></body></html><br />
>
>             <b>Fatal error</b>:  Uncaught exception
>             'CAS_AuthenticationException' in
>             /var/www/sites/vmbuild/CAS-1.3.4/CAS/Client.php:3234
>
>             Stack trace:
>
>             #0 /var/www/sites/vmbuild/CAS-1.3.4/CAS/Client.php(1419):
>             CAS_Client-&gt;validateCAS20('https://access....',
>             '\n\n&lt;cas:serviceR...', Object(DOMElement), false)
>
>             #1 /var/www/sites/vmbuild/CAS-1.3.4/CAS.php(1127):
>             CAS_Client-&gt;isAuthenticated()
>
>             #2 /var/www/sites/vmbuild/castest.php(21):
>             phpCAS::isAuthenticated()
>
>             #3 {main}
>
>               thrown in
>             <b>/var/www/sites/vmbuild/CAS-1.3.4/CAS/Client.php</b> on
>             line <b>3234</b><br />
>
>
>             Other things I've tried were to use the validation url to
>             validate the ticket that way but it says the ticket is not
>             recognized:
>
>              
>
>             Get or Post:
>
>             https://access.example.com/cas/serviceValidate?service=http%3A%2F%2Ftest.example.com%2Fcastest.php&ticket=ST-21-yGYiWncEbepxxq3KnxOR-cas2.example.com
>
>              
>
>             Returned:
>
>             <cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
>             <cas:authenticationFailure code="INVALID_TICKET">
>             Ticket 'ST-21-yGYiWncEbepxxq3KnxOR-cas2.example.com' not recognized
>             </cas:authenticationFailure>
>             </cas:serviceResponse>
>
>
>
>             Just need to validate service tickets with/for the REST
>             API any help would be appreciated.
>

-- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/9bb37f88-7467-dcf9-3782-2b9c55cb3ade%40uvic.ca.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.
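
Added example, not part of the original thread and not CAS or phpCAS code: the one-time validation Ray describes, with the 10-second ST lifetime Dmitriy mentions, run against an in-memory stand-in for the CAS server so it works offline. StubCas, Api and parse_validation are hypothetical names, and having the API issue its own session token after the single validation is an assumed pattern that the thread does not spell out.

```python
import secrets
import xml.etree.ElementTree as ET

NS = {"cas": "http://www.yale.edu/tp/cas"}
ST_TTL = 10  # seconds; the default ST lifetime quoted in the thread

def _resp(body):
    return '<cas:serviceResponse xmlns:cas="%s">%s</cas:serviceResponse>' % (NS["cas"], body)

class StubCas:
    """In-memory stand-in for a CAS server (constructed for this example)."""
    def __init__(self):
        self.tickets = {}  # ST -> (service, user, issued_at)
    def grant_st(self, service, user, now):
        st = "ST-" + secrets.token_hex(8)
        self.tickets[st] = (service, user, now)
        return st
    def service_validate(self, service, ticket, now):
        # pop() makes the ticket single-use: a second validation finds nothing
        entry = self.tickets.pop(ticket, None)
        if entry is None or now - entry[2] > ST_TTL:
            return _resp('<cas:authenticationFailure code="INVALID_TICKET"/>')
        if entry[0] != service:
            return _resp('<cas:authenticationFailure code="INVALID_SERVICE"/>')
        return _resp("<cas:authenticationSuccess><cas:user>%s</cas:user>"
                     "</cas:authenticationSuccess>" % entry[1])

def parse_validation(xml_text):
    """Return (user, None) on success, (None, failure_code) otherwise."""
    root = ET.fromstring(xml_text)
    user = root.findtext("cas:authenticationSuccess/cas:user", namespaces=NS)
    if user:
        return user.strip(), None
    fail = root.find("cas:authenticationFailure", NS)
    return None, (fail.get("code") if fail is not None else "MALFORMED")

class Api:
    """Validates an ST exactly once, then trusts only its own session token."""
    def __init__(self, cas, service):
        self.cas, self.service, self.sessions = cas, service, {}
    def login(self, ticket, now):
        xml_text = self.cas.service_validate(self.service, ticket, now)
        user, err = parse_validation(xml_text)
        if err:
            return None, err
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user  # later API calls present this token
        return token, None
    def whoami(self, token):
        return self.sessions.get(token)
```

Against a real server, the stub's service_validate call would be a GET to /cas/serviceValidate carrying the same service URL that was posted when the ST was requested.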
