Misagh, If the release date for version 5 is far off then I wouldn't mind doing the work, otherwise i'd wait. If so then a point in the right direction in respect to the changes that need to be made would be helpful.
Thanks On Tuesday, June 21, 2016 at 10:59:46 AM UTC-4, Misagh Moayyed wrote: > > It can be done. There are no plans to port this back, but if you’re > willing to do the work that’s perfectly fine. > > > > *From:* [email protected] <javascript:> [mailto:[email protected] > <javascript:>] *On Behalf Of *John Stevens II > *Sent:* Monday, June 20, 2016 2:21 PM > *To:* CAS Community <[email protected] <javascript:>> > *Cc:* [email protected] <javascript:> > *Subject:* Re: [cas-user] Rest API Service Ticket Validation Issue > > > > So I enabled oauth support but it looks like the user will be required to > login via the GUI. > > > > I do see in the development branch (CAS OAuth Dev Link > <https://apereo.github.io/cas/development/installation/OAuth-OpenId-Authentication.html>) > > for v5 that you can specify grant_type and use resource owner to return an > access token. > > > > Can this be done in v4? Would love to use this option. > > On Monday, June 20, 2016 at 10:55:33 AM UTC-4, Misagh Moayyed wrote: > > You’re thinking about this the right way; just not execution wise. You can > have an ST be valid multiple times of course as this is controlled by its > policy. However, what you’re really doing is treating an ST like an OAuth > access token, which it isn’t….or it’s not meant to be. Your better options > are to use proxying where you get a PGT, and you get PTs based on that PGT > you get. (The PGT becomes your access token). > > > > Or you just use the OAuth support...or some other form of non-interactive > AuthN. > > > > *From:* [email protected] [mailto:[email protected]] *On Behalf Of *John > Stevens II > *Sent:* Monday, June 20, 2016 7:04 AM > *To:* CAS Community <[email protected]> > *Cc:* [email protected] > *Subject:* Re: [cas-user] Rest API Service Ticket Validation Issue > > > > My thinking is if I have developers who build API's and want to integrate > CAS (not for sso but for centralized authentication) then a user who wants > to use the developers API would authenticate with CAS via the CAS Rest API, > possibly request an ST then use that ST to access the developers API on > every call to the developers API. I say every call (multiple times) because > you would need a way to verify that the user session is still valid right? > Otherwise you would have to authenticate the user on every call to the > developers API vs just verifying a ticket. Maybe i'm thinking about this > the wrong way? > > > > On Monday, June 20, 2016 at 9:23:38 AM UTC-4, Misagh Moayyed wrote: > > Why multiple times? What's the story there? > > --Misagh > > On Sun, Jun 19, 2016 at 2:29 PM, John Stevens II <[email protected]> > wrote: > > > > Well not necessarily a third application, all I really want to accomplish > here is to be able to authenticate a user via CAS rest api (which I can), > be a able validate that user via CAS rest api multiple times (which I > can't) and be able to log the user out via CAS rest api (which I can). > > > > Is proxying necessary for this functionality? > > On Friday, June 17, 2016 at 4:41:47 PM UTC-4, Ray Bon wrote: > > A ST is (should be) validated only once and for only one service. Each > service will go through the CAS dance passing in the TGT and service URL to > receive its own ST. > If a third application needs to authenticate to your API, look at > proxying, > https://apereo.github.io/cas/4.2.x/installation/Configuring-Proxy-Authentication.html > > Ray > > On 2016-06-17 13:12, John Stevens II wrote: > > Thank you, I've increased the service ticket timeout value and was able to > validate a ticket via /serviceValidate but I can only validate the ticket > once. > > > > If I am using the CAS Rest API to authenticate API's that we develop I > would want to verify that the service ticket is valid on every call to our > API's. How do I achieve this or is there another recommended way to achieve > this? > > > > I see the option *st.numOfUses *for service tickets but not sure if > unlimited is a valid option or if it's even recommended. > > On Friday, June 17, 2016 at 3:42:22 PM UTC-4, Misagh Moayyed wrote: > > /serviceValidate. > > *From:* [email protected] [mailto:[email protected]] *On Behalf Of *John > Stevens II > *Sent:* Friday, June 17, 2016 12:10 PM > *To:* CAS Community <[email protected]> > *Cc:* [email protected]; [email protected] > *Subject:* Re: [cas-user] Rest API Service Ticket Validation Issue > > Ok that may work, is that the recommended way to verify service tickets > for the Rest API (Without using the php client) or should I not be relying > on the actual client? > > On Friday, June 17, 2016 at 2:49:08 PM UTC-4, Dmitriy Kopylenko wrote: > > By the time the /serviceValidate with ST is called, the ST lifetime has > expired (10 seconds default). Increase the ST TTL on the CAS server to > something longer, but reasonable and see if it helps. > > Best, > > D. > > On Jun 17, 2016, at 2:44 PM, John Stevens II <[email protected]> wrote: > > Need some insight on how to properly use the Rest API. > > I have a simple php application below castest.php: > > <?php > > require_once '/var/www/sites/CAS-1.3.4/CAS.php'; > > phpCAS::setDebug(); > > // Enable verbose error messages. Disable in production! > > phpCAS::setVerbose(true); > > // Initialize phpCAS > > phpCAS::client(CAS_VERSION_2_0, 'access.example.com', 443, '/cas'); > > > phpCAS::setNoCasServerValidation(); > > // force CAS authentication > > phpCAS::forceAuthentication(); > > echo "It worked"; > > ?> > > > Visiting the php page in the browser works with no problem, I'm able to > authenticate and access the content with no problem. > > I can post to my post server rest url to get my TGT: > > Posting form data: > > username=Randomuser&password=Randompassword > > To: > > https://access.example.com/cas/v1/tickets > > > Data (TGT) returned is: > > https://access.example.com/cas/v1/tickets/ > TGT-19-MKJRShaS2EebhGB3HHbZabi6O0I2KeSgWkXz3xGvKjamJgqi5M-cas2.example.com > > > Now I take my TGT url and post my service to get my ST: > > Posting form data: > > service=http%3A%2F%2Ftest.example.com <http://2ftest.example.com> > %2Fcastest.php > > > To: > > https://access.example.com/cas/v1/tickets/ > TGT-19-MKJRShaS2EebhGB3HHbZabi6O0I2KeSgWkXz3xGvKjamJgqi5M-cas2.example.com > > > Data (ST) returned is: > > 0000: 53 54 2D 32 31 2D 79 47 59 69 57 6E 63 45 62 65 | ST-21-yGYiWncEbe | > > 0010: 70 78 78 71 33 4B 6E 78 4F 52 2D 63 61 73 32 2E | pxxq3KnxOR-cas2. | > > 0020: 69 6E 6D 61 72 2E 63 6F 6D | example.com | > > > All is good so far, I have my TGT and ST now I should be able to access my > castest.php site so I do a get request on this url with my ticket as a > parameter: > > Get: > > http://test.example.com/castest.php?ticket= > ST-21-yGYiWncEbepxxq3KnxOR-cas2.example.com > > > Error is returned: > > <html><head><title>CAS Authentication failed!</title></head><body><h1>CAS > Authentication failed!</h1><p>You were not authenticated.</p><p>You may > submit your request again by clicking <a > href="http://test.example.com/castest.php";>here</a>.</p><p>If > the problem persists, you may contact <a href="mailto:ro...@localhost";>the > administrator of this site</a>.</p><hr><address>phpCAS 1.3.4 using server > <a href="https://access.example.com/cas/";>https://access.example.com/cas/</a> > (CAS 2.0)</a></address></body></html><br /> > > <b>Fatal error</b>: Uncaught exception 'CAS_AuthenticationException' in > /var/www/sites/vmbuild/CAS-1.3.4/CAS/Client.php:3234 > > Stack trace: > > #0 /var/www/sites/vmbuild/CAS-1.3.4/CAS/Client.php(1419): > CAS_Client->validateCAS20('https://access....', > '\n\n<cas:serviceR...', Object(DOMElement), false) > > #1 /var/www/sites/vmbuild/CAS-1.3.4/CAS.php(1127): > CAS_Client->isAuthenticated() > > #2 /var/www/sites/vmbuild/castest.php(21): phpCAS::isAuthenticated() > > #3 {main} > > thrown in <b>/var/www/sites/vmbuild/CAS-1.3.4/CAS/Client.php</b> on line > <b>3234</b><br /> > > > Other things i've tried were to use the validation url to validate the > ticket that way but it says the ticket is not reconigzed: > > Get or Post: > > https://access.example.com/cas/serviceValidate?service=http%3A%2F% > 2Ftest.example.com%2Fcastest.php&ticket= > ST-21-yGYiWncEbepxxq3KnxOR-cas2.example.com > > Returned: > > <cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas";> > > <cas:authenticationFailure code="INVALID_TICKET"> > > Ticket 'ST-21-yGYiWncEbepxxq3KnxOR-cas2.example.com > <http://st-21-ygyiwncebepxxq3knxor-cas2.example.com>' not recognized > > </cas:authenticationFailure> > > </cas:serviceResponse> > > > > Just need to validate service tickets with/for the REST API any help would > be appreciated. > > -- > You received this message because you are subscribed to the Google Groups > "CAS Community" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To post to this group, send email to [email protected]. > Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/ > . > To view this discussion on the web visit > https://groups.google.com/a/apereo.org/d/msgid/cas-user/f68da54d-dde3-4f88-8428-7ca9eff54d72%40apereo.org > > <https://groups.google.com/a/apereo.org/d/msgid/cas-user/f68da54d-dde3-4f88-8428-7ca9eff54d72%40apereo.org?utm_medium=email&utm_source=footer> > . > For more options, visit https://groups.google.com/a/apereo.org/d/optout. > > -- > You received this message because you are subscribed to the Google Groups > "CAS Community" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To post to this group, send email to [email protected]. > Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/ > . > To view this discussion on the web visit https://groups.google.com/a/ > apereo.org/d/msgid/cas-user/daf30452-61dd-4187-9ebd-dfc17de37404%40apereo.org > . > For more options, visit https://groups.google.com/a/apereo.org/d/optout. > > -- > You received this message because you are subscribed to the Google Groups > "CAS Community" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To post to this group, send email to [email protected]. > Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/ > . > To view this discussion on the web visit > https://groups.google.com/a/apereo.org/d/msgid/cas-user/6019fd5b-6795-400e-9bc4-fbd4486f12e6%40apereo.org > . > For more options, visit https://groups.google.com/a/apereo.org/d/optout. > > > > -- > You received this message because you are subscribed to the Google Groups > "CAS Community" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To post to this group, send email to [email protected]. > Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/ > . > To view this discussion on the web visit > https://groups.google.com/a/apereo.org/d/msgid/cas-user/318d0846-f1b6-4155-8d86-ded2013d2391%40apereo.org > > <https://groups.google.com/a/apereo.org/d/msgid/cas-user/318d0846-f1b6-4155-8d86-ded2013d2391%40apereo.org?utm_medium=email&utm_source=footer> > . > For more options, visit https://groups.google.com/a/apereo.org/d/optout. > > -- > You received this message because you are subscribed to the Google Groups > "CAS Community" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To post to this group, send email to [email protected]. > Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/ > . > To view this discussion on the web visit > https://groups.google.com/a/apereo.org/d/msgid/cas-user/d0560d02-aa00-47e0-929c-430f117cde0a%40apereo.org > > <https://groups.google.com/a/apereo.org/d/msgid/cas-user/d0560d02-aa00-47e0-929c-430f117cde0a%40apereo.org?utm_medium=email&utm_source=footer> > . > For more options, visit https://groups.google.com/a/apereo.org/d/optout. > > -- > You received this message because you are subscribed to the Google Groups > "CAS Community" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected] <javascript:>. > To post to this group, send email to [email protected] <javascript:>. > Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/ > . > To view this discussion on the web visit > https://groups.google.com/a/apereo.org/d/msgid/cas-user/ff062091-e5fb-4c39-9bb9-f3c08c4830e7%40apereo.org > > <https://groups.google.com/a/apereo.org/d/msgid/cas-user/ff062091-e5fb-4c39-9bb9-f3c08c4830e7%40apereo.org?utm_medium=email&utm_source=footer> > . > For more options, visit https://groups.google.com/a/apereo.org/d/optout. > -- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/75332a10-7e0c-4878-84ec-98a877815389%40apereo.org. For more options, visit https://groups.google.com/a/apereo.org/d/optout.
