Just want to add on top of what Misagh said: the REST support in CAS is very limited to producing just TGTs and STs. IMHO, for service-to-service “non human interactive” authentication support (REST services for example) some protocol other than the CAS protocol is more appropriate, e.g. OAuth (as Misagh mentioned already).
Best,
D.

> On Jun 20, 2016, at 10:55 AM, Misagh Moayyed <[email protected]> wrote:
>
> You’re thinking about this the right way; just not execution wise. You can
> have an ST be valid multiple times of course, as this is controlled by its
> policy. However, what you’re really doing is treating an ST like an OAuth
> access token, which it isn’t… or it’s not meant to be. Your better options
> are to use proxying, where you get a PGT, and you get PTs based on that PGT
> you get. (The PGT becomes your access token.)
>
> Or you just use the OAuth support... or some other form of non-interactive
> AuthN.
>
> From: [email protected] [mailto:[email protected]] On Behalf Of John Stevens II
> Sent: Monday, June 20, 2016 7:04 AM
> To: CAS Community <[email protected]>
> Cc: [email protected]
> Subject: Re: [cas-user] Rest API Service Ticket Validation Issue
>
> My thinking is, if I have developers who build APIs and want to integrate CAS
> (not for SSO but for centralized authentication), then a user who wants to use
> the developer's API would authenticate with CAS via the CAS REST API, possibly
> request an ST, then use that ST to access the developer's API on every call to
> the developer's API. I say every call (multiple times) because you would need
> a way to verify that the user session is still valid, right? Otherwise you
> would have to authenticate the user on every call to the developer's API vs.
> just verifying a ticket. Maybe I'm thinking about this the wrong way?
>
> On Monday, June 20, 2016 at 9:23:38 AM UTC-4, Misagh Moayyed wrote:
>> Why multiple times? What's the story there?
>>
>> --Misagh
>>
>> On Sun, Jun 19, 2016 at 2:29 PM, John Stevens II <jstev...@gmail.com> wrote:
>>
>>> Well, not necessarily a third application; all I really want to accomplish
>>> here is to be able to authenticate a user via the CAS REST API (which I can),
>>> be able to validate that user via the CAS REST API multiple times (which I
>>> can't), and be able to log the user out via the CAS REST API (which I can).
>>>
>>> Is proxying necessary for this functionality?
>>>
>>> On Friday, June 17, 2016 at 4:41:47 PM UTC-4, Ray Bon wrote:
>>>> A ST is (should be) validated only once and for only one service. Each
>>>> service will go through the CAS dance, passing in the TGT and service URL,
>>>> to receive its own ST.
>>>> If a third application needs to authenticate to your API, look at proxying:
>>>> https://apereo.github.io/cas/4.2.x/installation/Configuring-Proxy-Authentication.html
>>>>
>>>> Ray
>>>>
>>>> On 2016-06-17 13:12, John Stevens II wrote:
>>>>> Thank you, I've increased the service ticket timeout value and was able
>>>>> to validate a ticket via /serviceValidate, but I can only validate the
>>>>> ticket once.
>>>>>
>>>>> If I am using the CAS REST API to authenticate APIs that we develop, I
>>>>> would want to verify that the service ticket is valid on every call to
>>>>> our APIs. How do I achieve this, or is there another recommended way to
>>>>> achieve this?
>>>>>
>>>>> I see the option st.numOfUses for service tickets but am not sure if
>>>>> unlimited is a valid option or if it's even recommended.
>>>>>
>>>>> On Friday, June 17, 2016 at 3:42:22 PM UTC-4, Misagh Moayyed wrote:
>>>>>> /serviceValidate.
>>>>>>
>>>>>> From: [email protected] [mailto:[email protected]] On Behalf Of John Stevens II
>>>>>> Sent: Friday, June 17, 2016 12:10 PM
>>>>>> To: CAS Community <[email protected]>
>>>>>> Cc: [email protected]; [email protected]
>>>>>> Subject: Re: [cas-user] Rest API Service Ticket Validation Issue
>>>>>>
>>>>>> Ok, that may work. Is that the recommended way to verify service tickets
>>>>>> for the REST API (without using the PHP client), or should I not be
>>>>>> relying on the actual client?
>>>>>>
>>>>>> On Friday, June 17, 2016 at 2:49:08 PM UTC-4, Dmitriy Kopylenko wrote:
>>>>>>> By the time /serviceValidate with the ST is called, the ST lifetime has
>>>>>>> expired (10 seconds default). Increase the ST TTL on the CAS server to
>>>>>>> something longer, but reasonable, and see if it helps.
>>>>>>>
>>>>>>> Best,
>>>>>>> D.
>>>>>>>
>>>>>>>> On Jun 17, 2016, at 2:44 PM, John Stevens II <[email protected]> wrote:
>>>>>>>>
>>>>>>>> Need some insight on how to properly use the REST API.
>>>>>>>>
>>>>>>>> I have a simple PHP application below, castest.php:
>>>>>>>>
>>>>>>>> <?php
>>>>>>>> require_once '/var/www/sites/CAS-1.3.4/CAS.php';
>>>>>>>> phpCAS::setDebug();
>>>>>>>> // Enable verbose error messages. Disable in production!
>>>>>>>> phpCAS::setVerbose(true);
>>>>>>>> // Initialize phpCAS against the CAS 2.0 protocol endpoint on access.example.com
>>>>>>>> phpCAS::client(CAS_VERSION_2_0, 'access.example.com', 443, '/cas');
>>>>>>>>
>>>>>>>> // Skips TLS certificate validation of the CAS server; test setups only
>>>>>>>> phpCAS::setNoCasServerValidation();
>>>>>>>> // force CAS authentication
>>>>>>>> phpCAS::forceAuthentication();
>>>>>>>> echo "It worked";
>>>>>>>> ?>
>>>>>>>>
>>>>>>>> Visiting the PHP page in the browser works with no problem; I'm able
>>>>>>>> to authenticate and access the content with no problem.
>>>>>>>>
>>>>>>>> I can post to my server's REST URL to get my TGT:
>>>>>>>>
>>>>>>>> Posting form data:
>>>>>>>> username=Randomuser&password=Randompassword
>>>>>>>> To:
>>>>>>>> https://access.example.com/cas/v1/tickets
>>>>>>>>
>>>>>>>> Data (TGT) returned is:
>>>>>>>> https://access.example.com/cas/v1/tickets/TGT-19-MKJRShaS2EebhGB3HHbZabi6O0I2KeSgWkXz3xGvKjamJgqi5M-cas2.example.com
>>>>>>>>
>>>>>>>> Now I take my TGT URL and post my service to get my ST:
>>>>>>>>
>>>>>>>> Posting form data:
>>>>>>>> service=http%3A%2F%2Ftest.example.com%2Fcastest.php
>>>>>>>> To:
>>>>>>>> https://access.example.com/cas/v1/tickets/TGT-19-MKJRShaS2EebhGB3HHbZabi6O0I2KeSgWkXz3xGvKjamJgqi5M-cas2.example.com
>>>>>>>>
>>>>>>>> Data (ST) returned is:
>>>>>>>> 0000: 53 54 2D 32 31 2D 79 47 59 69 57 6E 63 45 62 65 | ST-21-yGYiWncEbe |
>>>>>>>> 0010: 70 78 78 71 33 4B 6E 78 4F 52 2D 63 61 73 32 2E | pxxq3KnxOR-cas2. |
>>>>>>>> 0020: 69 6E 6D 61 72 2E 63 6F 6D                      | example.com      |
>>>>>>>>
>>>>>>>> All is good so far. I have my TGT and ST, so now I should be able to
>>>>>>>> access my castest.php site, so I do a GET request on this URL with my
>>>>>>>> ticket as a parameter:
>>>>>>>>
>>>>>>>> Get:
>>>>>>>> http://test.example.com/castest.php?ticket=ST-21-yGYiWncEbepxxq3KnxOR-cas2.example.com
>>>>>>>>
>>>>>>>> Error is returned:
>>>>>>>> <html><head><title>CAS Authentication failed!</title></head><body><h1>CAS Authentication failed!</h1>
>>>>>>>> <p>You were not authenticated.</p><p>You may submit your request again by clicking
>>>>>>>> <a href="http://test.example.com/castest.php">here</a>.</p><p>If the problem persists, you may contact
>>>>>>>> <a href="mailto:ro...@localhost">the administrator of this site</a>.</p><hr><address>phpCAS 1.3.4 using server
>>>>>>>> <a href="https://access.example.com/cas/">https://access.example.com/cas/</a> (CAS 2.0)</a></address></body></html><br />
>>>>>>>> <b>Fatal error</b>: Uncaught exception 'CAS_AuthenticationException'
>>>>>>>> in /var/www/sites/vmbuild/CAS-1.3.4/CAS/Client.php:3234
>>>>>>>> Stack trace:
>>>>>>>> #0 /var/www/sites/vmbuild/CAS-1.3.4/CAS/Client.php(1419): CAS_Client->validateCAS20('https://access....', '\n\n<cas:serviceR...', Object(DOMElement), false)
>>>>>>>> #1 /var/www/sites/vmbuild/CAS-1.3.4/CAS.php(1127): CAS_Client->isAuthenticated()
>>>>>>>> #2 /var/www/sites/vmbuild/castest.php(21): phpCAS::isAuthenticated()
>>>>>>>> #3 {main}
>>>>>>>> thrown in <b>/var/www/sites/vmbuild/CAS-1.3.4/CAS/Client.php</b> on line <b>3234</b><br />
>>>>>>>>
>>>>>>>> Other things I've tried were to use the validation URL to validate the
>>>>>>>> ticket that way, but it says the ticket is not recognized:
>>>>>>>>
>>>>>>>> Get or Post:
>>>>>>>> https://access.example.com/cas/serviceValidate?service=http%3A%2F%2Ftest.example.com%2Fcastest.php&ticket=ST-21-yGYiWncEbepxxq3KnxOR-cas2.example.com
>>>>>>>>
>>>>>>>> Returned:
>>>>>>>> <cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
>>>>>>>>     <cas:authenticationFailure code="INVALID_TICKET">
>>>>>>>>         Ticket 'ST-21-yGYiWncEbepxxq3KnxOR-cas2.example.com' not recognized
>>>>>>>>     </cas:authenticationFailure>
>>>>>>>> </cas:serviceResponse>
>>>>>>>>
>>>>>>>> Just need to validate service tickets with/for the REST API; any help
>>>>>>>> would be appreciated.
>>>>>>>>
>>>>>>>> --
>>>>>>>> You received this message because you are subscribed to the Google
>>>>>>>> Groups "CAS Community" group.
>>>>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>>>>> an email to [email protected].
>>>>>>>> To post to this group, send email to [email protected].
>>>>>>>> Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
>>>>>>>> To view this discussion on the web visit
>>>>>>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/f68da54d-dde3-4f88-8428-7ca9eff54d72%40apereo.org.
>>>>>>>> For more options, visit https://groups.google.com/a/apereo.org/d/optout.
--
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To post to this group, send email to [email protected].
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/3F33CE98-2607-4E30-B0D3-C2E999E7E94F%40unicon.net.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.
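As an added example, not code from this thread, from phpCAS or from the Apereo CAS project, here is a small Python model of the ticket semantics Ray, Dmitriy and Misagh describe above: a service ticket is bound to one service, expires after the 10-second default, and is spent by its first /serviceValidate call, so the second call gets INVALID_TICKET; the proxy route instead turns one ST validation into a PGT from which a fresh PT is minted for every back-end call. It also includes a parser for the cas:serviceResponse XML, since a client must read that body rather than treat HTTP 200 as "authenticated". Python is used so the behaviour can be run offline; the endpoint paths in the comments are the ones the thread names (/cas/v1/tickets, /serviceValidate) plus /proxy and /proxyValidate from the CAS protocol. The in-memory registry, the ticket-id format, the user, the service URLs and the pgtCallback URL are constructed assumptions, and the toy hands the PGT back directly where real CAS posts it to pgtUrl and returns only a pgtIou.

```python
"""Added example (not code from this thread or from the Apereo CAS project):
an in-memory model of the ticket semantics discussed above (single-use STs with
a 10 s default lifetime, PGT -> PT proxying for repeated back-end calls) plus a
parser for the /serviceValidate XML body. Ids, users and URLs are constructed."""
import secrets
import time
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

CAS_NS = "http://www.yale.edu/tp/cas"
ST_TTL_SECONDS = 10   # default ST lifetime mentioned in the thread
ST_NUM_OF_USES = 1    # st.numOfUses default: a ST validates exactly once

# The failure body quoted in the thread, reindented, to exercise the parser.
THREAD_FAILURE = f"""<cas:serviceResponse xmlns:cas="{CAS_NS}">
  <cas:authenticationFailure code="INVALID_TICKET">
    Ticket 'ST-21-yGYiWncEbepxxq3KnxOR-cas2.example.com' not recognized
  </cas:authenticationFailure></cas:serviceResponse>"""

def success_xml(user, pgt=None):
    body = f"<cas:user>{escape(user)}</cas:user>"
    if pgt:  # real CAS returns a pgtIou here and posts the PGT to pgtUrl; simplified
        body += f"<cas:proxyGrantingTicket>{escape(pgt)}</cas:proxyGrantingTicket>"
    return (f'<cas:serviceResponse xmlns:cas="{CAS_NS}"><cas:authenticationSuccess>'
            f"{body}</cas:authenticationSuccess></cas:serviceResponse>")

def failure_xml(code, message):
    return (f'<cas:serviceResponse xmlns:cas="{CAS_NS}"><cas:authenticationFailure '
            f'code="{code}">{escape(message)}</cas:authenticationFailure></cas:serviceResponse>')

def parse_service_response(xml_text):
    """Parse a /serviceValidate or /proxyValidate body; HTTP 200 with a
    cas:authenticationFailure element still means 'not authenticated'."""
    root = ET.fromstring(xml_text)
    ok = root.find(f"{{{CAS_NS}}}authenticationSuccess")
    if ok is not None:
        return {"user": ok.findtext(f"{{{CAS_NS}}}user"),
                "pgt": ok.findtext(f"{{{CAS_NS}}}proxyGrantingTicket")}
    fail = root.find(f"{{{CAS_NS}}}authenticationFailure")
    if fail is not None:
        return {"error": fail.get("code", "UNKNOWN"), "message": (fail.text or "").strip()}
    raise ValueError("not a cas:serviceResponse document")

class TicketRegistry:
    """Toy server-side registry: TGT -> ST and PGT -> PT; each ST/PT is spent on validation."""
    def __init__(self, clock=time.time):
        self.clock, self.tickets = clock, {}
    def _issue(self, kind, user, service):
        tid = f"{kind}-{secrets.token_urlsafe(12)}"  # constructed id format, not CAS's
        self.tickets[tid] = {"kind": kind, "user": user, "service": service,
                             "created": self.clock(), "uses": 0}
        return tid
    def login(self, username, password, check):
        # POST /cas/v1/tickets with username/password -> TGT (credential check injected)
        return self._issue("TGT", username, None) if check(username, password) else None
    def grant_st(self, tgt, service):
        # POST /cas/v1/tickets/{TGT} with service=... -> ST bound to that one service
        t = self.tickets.get(tgt)
        return self._issue("ST", t["user"], service) if t and t["kind"] == "TGT" else None
    def grant_pt(self, pgt, target_service):
        # /proxy?pgt=...&targetService=... -> a fresh PT for each back-end call
        t = self.tickets.get(pgt)
        return self._issue("PT", t["user"], target_service) if t and t["kind"] == "PGT" else None
    def validate(self, ticket, service, pgt_url=None):
        # /serviceValidate and /proxyValidate: the ticket is consumed on success
        t = self.tickets.get(ticket)
        if t is None or t["kind"] not in ("ST", "PT"):
            return failure_xml("INVALID_TICKET", f"Ticket '{ticket}' not recognized")
        if self.clock() - t["created"] > ST_TTL_SECONDS:
            del self.tickets[ticket]  # expired before validation: the thread's first symptom
            return failure_xml("INVALID_TICKET", f"Ticket '{ticket}' has expired")
        if t["service"] != service:
            return failure_xml("INVALID_SERVICE", f"Ticket '{ticket}' belongs to another service")
        t["uses"] += 1
        if t["uses"] >= ST_NUM_OF_USES:
            del self.tickets[ticket]  # a second /serviceValidate now gets INVALID_TICKET
        pgt = self._issue("PGT", t["user"], pgt_url) if pgt_url else None
        return success_xml(t["user"], pgt)

def demo():
    """Replays the thread: a ST validates once and then fails, a stale ST fails,
    and a PGT mints a usable PT for every API call. Returns the parsed results."""
    now = [1000.0]  # controllable clock, so the TTL case needs no sleeping
    reg = TicketRegistry(clock=lambda: now[0])
    svc, api = "http://test.example.com/castest.php", "https://api.example.com/v1"
    tgt = reg.login("jdoe", "s3cret", lambda u, p: (u, p) == ("jdoe", "s3cret"))
    st = reg.grant_st(tgt, svc)
    first = parse_service_response(reg.validate(st, svc))
    second = parse_service_response(reg.validate(st, svc))
    stale = reg.grant_st(tgt, svc)
    now[0] += ST_TTL_SECONDS + 1
    expired = parse_service_response(reg.validate(stale, svc))
    # Proxy path: the web app validates its own ST once, asking for a PGT, then
    # obtains a new PT for every call to the back-end API instead of reusing the ST.
    pgt = parse_service_response(reg.validate(reg.grant_st(tgt, svc), svc,
                                              pgt_url="https://test.example.com/pgtCallback"))["pgt"]
    proxied = [parse_service_response(reg.validate(reg.grant_pt(pgt, api), api)) for _ in range(3)]
    return {"first": first, "second": second, "expired": expired, "proxied": proxied}
```

Running `demo()` reproduces the two failures John hit (an ST validated after its TTL, and an ST presented a second time) and shows why the list's advice is to mint a PT per call rather than raise st.numOfUses: each PT is still single-use and service-bound, so a captured ticket cannot be replayed against the API, while the PGT that mints them stays server-side with the calling application.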
