I'm attempting to use OAuth with the optional service HTTP header
(X-service or service) using the "client_credentials" grant type with CAS
v6.0.
I have three simple services registered:
HTTP-100.json
{
"@class" : "org.apereo.cas.services.RegexRegisteredService",
"serviceId" : "^(http|https)://.*",
"name" : "HTTP",
"id" : 100,
"description" : "This service definition authorizes all application urls
that support HTTP or HTTPS protocols.",
"evaluationOrder" : 10000
}
OAUTH_CLIENT-101.json
{
"@class" : "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
"clientId": "scdb_api_v1",
"clientSecret": "clientSecret11",
"name" : "OAUTH_CLIENT",
"id" : 101,
"serviceId" : "http://example.com/api/v1";,
"supportedGrantTypes": [ "java.util.HashSet", [ "client_credentials" ] ],
"jsonFormat":true
}
OAUTH_CLIENT-102.json
{
"@class" : "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
"clientId": "scdb_api_v2",
"clientSecret": "clientSecret22",
"name" : "OAUTH_CLIENT",
"id" : 102,
"serviceId" : "http://example.com/api/v2";,
"supportedGrantTypes": [ "java.util.HashSet", [ "client_credentials" ] ],
"jsonFormat":true
}
According to the documentation
<https://apereo.github.io/cas/6.0.x/installation/OAuth-OpenId-Authentication.html>:
"You may optionally also pass along a service or X-service header value
that identifies the target application url. The header value must match the
OAuth service definition in the registry that is linked to the client id."
When I execute the attached Python script I get results which do not
enforce that the X-service header match the defined serviceId, instead it
seems it simply must match ANY serviceId.
# TEST 1
Request access token for "X-service: http://example.com/api/v1";, with
credentials for API v1
Response status code: 200, data: {"access_token":
"AT-16-Yz-0nTnaoeDQLMledeZByMHht1T6cL-L","token_type":"bearer","expires_in":
28800,"scope":[]}
Request profile for token: AT-16-Yz-0nTnaoeDQLMledeZByMHht1T6cL-L
Response status code: 200: data: {"service":"http://example.com/api/v1";,
"attributes":{},"id":"scdb_api_v1","client_id":"scdb_api_v1"}
# TEST 2
Request access token for "X-service: http://example.com/api/v2";, but with
credentials for API v1
Response status code: 200, data: {"access_token":
"AT-17-PWxfLaWN4P1mxf5fKG3qamCSfxJEclsC","token_type":"bearer","expires_in":
28800,"scope":[]}
Request profile for token: AT-17-PWxfLaWN4P1mxf5fKG3qamCSfxJEclsC
Response status code: 200, data: {"service":"http://example.com/api/v2";,
"attributes":{},"id":"scdb_api_v1","client_id":"scdb_api_v2"}
# TEST 3
Request access token for "X-service: http://example.com/api/v3";, but with
credentials for API v1
Response status code: 200, data: {"access_token":
"AT-18-pba2h3sGLPfoVRw-HEqveQ-tplPBk9De","token_type":"bearer","expires_in":
28800,"scope":[]}
Request profile for token: AT-18-pba2h3sGLPfoVRw-HEqveQ-tplPBk9De
Response status code: 200, data: {"attributes":{},"id":"scdb_api_v1"}
As the results demonstrate I can use the credentials for one service to
authenticate for another service!
Perhaps I have misunderstood how the X-service header is meant to be used,
or how services are resolved.
But my expectation was that only TEST 1 would be able to successfully
authenticate.
Any insight into this matter would be greatly appreciated.
Thanks,
-Dylan
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/a5bb8079-ada5-46df-a0b5-64e480311fdd%40apereo.org.
#!/usr/bin/env python3
#
# Example usage of CAS OAuth 2.0 for authentication.
#
import sys
import json
import uuid
from datetime import date
from pprint import pprint
from getpass import getpass
import requests
CAS_BASE_URL = 'https://10.0.8.194:8443/cas'
# HTTP-100.json
# {
# "@class" : "org.apereo.cas.services.RegexRegisteredService",
# "serviceId" : "^(http|https)://.*",
# "name" : "HTTP",
# "id" : 100,
# "description" : "This service definition authorizes all application urls that support HTTP or HTTPS protocols.",
# "evaluationOrder" : 10000
# }
# OAUTH_CLIENT-101.json
# {
# "@class" : "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
# "clientId": "scdb_api_v1",
# "clientSecret": "clientSecret11",
# "name" : "OAUTH_CLIENT",
# "id" : 101,
# "serviceId" : "http://example.com/api/v1";,
# "supportedGrantTypes": [ "java.util.HashSet", [ "client_credentials" ] ],
# "jsonFormat":true
# }
# OAUTH_CLIENT-102
# {
# "@class" : "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
# "clientId": "scdb_api_v2",
# "clientSecret": "clientSecret22",
# "name" : "OAUTH_CLIENT",
# "id" : 102,
# "serviceId" : "http://example.com/api/v2";,
# "supportedGrantTypes": [ "java.util.HashSet", [ "client_credentials" ] ],
# "jsonFormat":true
# }
# Test #1
print('Request access token for "X-service: http://example.com/api/v1";, with credentials for API v1')
res = requests.post(CAS_BASE_URL + '/oauth2.0/accessToken', verify=False,
headers={
'Accept':'application/json',
'X-service': 'http://example.com/api/v1'
},
data={
'grant_type':'client_credentials',
'client_id':'scdb_api_v1',
'client_secret': 'clientSecret11',
}
)
print('Response status code:', res.status_code)
print(res.text)
print()
if res.status_code != 200:
sys.exit(1)
data = res.json()
print('Request profile for token:', data['access_token'])
res = requests.get(CAS_BASE_URL + '/oauth2.0/profile', verify=False, headers={
'Accept':'application/json',
},
params={
'access_token' : data['access_token']
}
)
print('Response status code:', res.status_code)
print(res.text)
print()
if res.status_code != 200:
sys.exit(1)
# Test #2
print('Request access token for "X-service: http://example.com/api/v2";, but with credentials for API v1')
res = requests.post(CAS_BASE_URL + '/oauth2.0/accessToken', verify=False,
headers={
'Accept':'application/json',
'X-service': 'http://example.com/api/v2'
},
data={
'grant_type':'client_credentials',
'client_id':'scdb_api_v1',
'client_secret': 'clientSecret11',
}
)
print('Response status code:', res.status_code)
print(res.text)
print()
if res.status_code != 200:
sys.exit(1)
data = res.json()
print('Request profile for token:', data['access_token'])
res = requests.get(CAS_BASE_URL + '/oauth2.0/profile', verify=False, headers={
'Accept':'application/json',
},
params={
'access_token' : data['access_token']
}
)
print('Response status code:', res.status_code)
print(res.text)
print()
if res.status_code != 200:
sys.exit(1)
# Test #3
print('Request access token for "X-service: http://example.com/api/v3";, but with credentials for API v1')
res = requests.post(CAS_BASE_URL + '/oauth2.0/accessToken', verify=False,
headers={
'Accept':'application/json',
'X-service': 'http://example.com/api/v3'
},
data={
'grant_type':'client_credentials',
'client_id':'scdb_api_v1',
'client_secret': 'clientSecret11',
}
)
print('Response status code:', res.status_code)
print(res.text)
print()
if res.status_code != 200:
sys.exit(1)
data = res.json()
print('Request profile for token:', data['access_token'])
res = requests.get(CAS_BASE_URL + '/oauth2.0/profile', verify=False, headers={
'Accept':'application/json',
},
params={
'access_token' : data['access_token']
}
)
print('Response status code:', res.status_code)
print(res.text)
print()
if res.status_code != 200:
sys.exit(1)
