Hi, I'm using CAS server as an SSO solution in my company. I'm upgrading it from v4.1.7 to v5.2.3 and have some issues with the OAuth2.0 implementation.
1. SSOut does not work for web applications which are authenticated via CAS server using the OAuth2.0 Authorization Code Grant flow.

The problem is that on the CASified application side, the class org.jasig.cas.client.session.SingleSignOutHandler.recordSession retrieves the Authorization Code and stores the connection between the session and the Authorization Code (sessionMappingStorage.addSessionById(token, session)). On the CAS server side, when the SSOut request is sent to all authenticated applications, it sends the service ticket in the SSOut request (the back-channel SSOut request is used), not the Authorization Code. org.jasig.cas.client.session.SingleSignOutFilter on the CASified application detects the SSOut request, extracts the token (service ticket) from the request and tries to find the session related to the token, which should be invalidated. But there is no such session, because all sessions are related to OAuth2 Authorization Codes.

A possible solution would be: on the CAS server side, on OAuth2.0 Authorization Code Grant authentication, the generated Authorization Code should be stored in TicketGrantingTicketImpl.services, the same way as it is done for service tickets. In this way, the CAS LogoutManager will pull authorization codes and service tickets for the TGT and send SSOut requests for all of them.

2. Exception handling of OAuth2.0 requests

If an incomplete/invalid OAuth2.0 request is sent, e.g. without the grant_type parameter or with a wrong value for grant_type:

    https://host/cas/oauth2.0/accessToken?client_id=client1&[email protected]&password=x
    https://host/cas/oauth2.0/accessToken?grant_type=invalid&client_id=client1&[email protected]&password=x

the response is:

    Status: 400 Bad Request
    Body: error=invalid_request

There is no information about what is wrong. In the old version v4.1.7 the response contained information about what is wrong. For instance, Google and Facebook also give information about what is wrong with the request.
Another problem is with my custom validation during authentication, which is not propagated correctly in the case of the OAuth2.0 implementation. For example, if a user is disabled, my custom AuthenticationHandler throws an exception. In the case of the CAS REST protocol, the exception is detected and transformed into a specific HTTP status code and error message, e.g.:

Request:

    POST https://host/cas/v2/tickets
    [email protected]
    password=x

Response:

    Status: 469
    Body: User account is disabled

In the case of the OAuth2.0 protocol:

    https://lucas.c3d.com:8443/lucas/oauth2.0/accessToken?grant_type=password&client_id=client1&[email protected]&password=x

Response:

    Status: 500 Internal Server Error
    Body:
    {
      "timestamp": 1524128050368,
      "status": 469,
      "error": "Http Status 469",
      "message": "No message available",
      "path": "/lucas/oauth2.0/accessToken"
    }

The problem is that my custom status code is propagated in the response body, not in the response status. It is not convenient to get status 500 Internal Server Error in this case. The error message also is not propagated, but that is not a big deal; the status code is important. The client should use the response status code to know what is wrong.

To get my custom error code in the OAuth2.0 response I overrode the class org.apereo.cas.support.oauth.authenticator.OAuthUserAuthenticator and modified the exception-catching part of the code from:

    } catch (final Exception e) {
        throw new CredentialsException("Cannot login user using CAS internal authentication", e);
    }

to:

    } catch (final AuthenticationException e) {
        // map the CAS authentication failure to an HTTP status instead of wrapping it
        ErrorInfo error = handleError(e);
        return HttpAction.status(error.getErrorMessage(), error.getErrorCode(), context);
    } catch (final Exception e) {
        throw new CredentialsException("Cannot login user using CAS internal authentication", e);
    }

Can you please help with these issues? Did I do something wrong or should something be fixed in CAS?
Regards,
Ivan

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/e5ee9585-06c1-42ae-a3db-64d11e9cbde9%40apereo.org.
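The back-channel SSOut mismatch described in point 1 above, as an added example in Python; this is not CAS code and not code from the post. It models both sides: the CAS client recording its session under whatever token the browser carried (a service ticket for the CAS protocol, an authorization code for OAuth2) and looking it up by the SessionIndex of an incoming logout request, and the server side's LogoutManager sending one logout request per entry recorded against the TGT. It runs the scenario once with the current behaviour (only the service ticket is recorded, so the OAuth2 app's session survives logout) and once with the proposed fix of also recording the authorization code in the TGT's services. All ticket ids, service URLs and session ids are constructed, and the LogoutRequest XML is modelled on the SAML message CAS sends on the back channel, which is an assumption about the exact format.

```python
"""Simulation of CAS back-channel single logout (SLO) for a CAS-protocol client
and an OAuth2 authorization-code client sharing one TGT.  Added example; it is
not CAS code.  All ticket ids, service URLs and session ids are constructed, and
the LogoutRequest XML is modelled on the SAML message CAS sends on the back
channel (an assumption about the exact format)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


@dataclass
class TicketGrantingTicket:
    tgt_id: str
    # Mirrors TicketGrantingTicketImpl.services: ticket id -> service it was issued for.
    services: dict = field(default_factory=dict)

    def grant_service_ticket(self, service, n):
        st = f"ST-{n}-example"
        self.services[st] = service
        return st

    def grant_authorization_code(self, service, n, record_code_in_services):
        # In the authorization-code flow the server still records a service ticket
        # for the client's callback, but the browser only ever receives the code.
        self.services[f"ST-{n}-example"] = service
        code = f"OC-{n}-example"
        if record_code_in_services:
            # Proposed fix: register the code alongside the service ticket so the
            # LogoutManager also emits a logout request carrying the code.
            self.services[code] = service
        return code


def build_logout_request(ticket_id):
    """Server side: the SessionIndex is the ticket the client session was created with."""
    return (
        f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" ID="LR-1-example" Version="2.0" '
        f'IssueInstant="2018-04-19T09:00:00Z">'
        f'<saml:NameID xmlns:saml="{SAML}">@NOT_USED@</saml:NameID>'
        f"<samlp:SessionIndex>{ticket_id}</samlp:SessionIndex>"
        "</samlp:LogoutRequest>"
    )


def extract_session_index(logout_request):
    """Client side: what SingleSignOutFilter pulls out of the logoutRequest parameter."""
    root = ET.fromstring(logout_request)
    element = root.find(f"{{{SAMLP}}}SessionIndex")
    return element.text.strip() if element is not None and element.text else None


class CasifiedApp:
    """A CAS-client web app: SingleSignOutHandler.recordSession plus the logout filter."""

    def __init__(self, service):
        self.service = service
        self.sessions_by_token = {}  # the SessionMappingStorage: token -> session id
        self.active_sessions = set()

    def record_session(self, token, session_id):
        # Keyed by whatever token the browser carried: an ST for the CAS protocol,
        # an authorization code for OAuth2 (this is the root of the mismatch).
        self.sessions_by_token[token] = session_id
        self.active_sessions.add(session_id)

    def handle_logout_request(self, logout_request):
        """Return True if a session was found and invalidated for the SessionIndex."""
        token = extract_session_index(logout_request)
        session_id = self.sessions_by_token.pop(token, None)
        if session_id is None:
            return False
        self.active_sessions.discard(session_id)
        return True


def logout_manager(tgt, apps):
    """Server side: one back-channel logout request per entry recorded in tgt.services."""
    return {
        ticket_id: apps[service].handle_logout_request(build_logout_request(ticket_id))
        for ticket_id, service in tgt.services.items()
    }


def simulate(record_code_in_services):
    tgt = TicketGrantingTicket("TGT-1-example")
    cas_app = CasifiedApp("https://app1.example/")
    oauth_app = CasifiedApp("https://app2.example/")
    apps = {app.service: app for app in (cas_app, oauth_app)}

    st = tgt.grant_service_ticket(cas_app.service, 1)
    cas_app.record_session(st, "JSESSIONID-A")

    code = tgt.grant_authorization_code(oauth_app.service, 2, record_code_in_services)
    oauth_app.record_session(code, "JSESSIONID-B")

    matched = logout_manager(tgt, apps)
    remaining = sorted(cas_app.active_sessions | oauth_app.active_sessions)
    return {"matched": matched, "remaining": remaining}


if __name__ == "__main__":
    print("current behaviour:", simulate(False))
    print("with the proposed fix:", simulate(True))
```

A non-empty "remaining" list after the logout run is the security-relevant outcome: the user has logged out of CAS, but the OAuth2 application's session is still valid. The same check translates to a real deployment: log out at /cas/logout, then request a protected page of the OAuth2-integrated application with the old session cookie and confirm it is rejected rather than served.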
